IBM / audit-ci

Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0

[Feature] Support Gitlab SAST report-type #280

Open danniehansen opened 1 year ago

danniehansen commented 1 year ago

We've recently started using audit-ci in our pipelines. For the tool semgrep that we use, they can output a Gitlab SAST compatible reporting format that GitLab can understand and integrate into its UI. Would be really cool to have similar reporting support with audit-ci.

I'm more than willing to write this reporter support into the repository if people feel like this could be valuable.

Gitlab SAST reporting schema: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json

doricci commented 1 year ago

I don't know if it can help but for that we are using a separate npm module @elpete/gitlab-npm-audit-parser after the audit.json report is generated.

Maybe it's possible to integrate the parser module directly into the audit-ci module?
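The conversion both comments describe (an `npm audit --json` report mapped onto a GitLab SAST report), as an added example that is not part of audit-ci or the `@elpete/gitlab-npm-audit-parser` module. Field names follow the linked GitLab schema as I understand it and should be checked against it; the advisory in `SAMPLE_AUDIT` is constructed, not real.

```javascript
// Added example (not audit-ci code): map an npm audit v7+ JSON report onto a
// minimal GitLab SAST report. Field names are taken from the linked GitLab
// security-report schema as understood here; validate against the schema before use.

// npm severity words differ from GitLab's (Critical/High/Medium/Low/Info/Unknown).
const SEVERITY = { critical: "Critical", high: "High", moderate: "Medium", low: "Low", info: "Info" };

function toGitlabSast(audit, scannerVersion = "0.0.0") {
  const scanner = { id: "audit-ci", name: "audit-ci", version: scannerVersion, vendor: { name: "IBM" } };
  const vulnerabilities = [];
  for (const [pkg, entry] of Object.entries(audit.vulnerabilities || {})) {
    // `via` mixes advisory objects with bare package-name strings (transitive paths);
    // only the advisory objects carry a finding, so the strings are skipped.
    for (const adv of (entry.via || []).filter((v) => typeof v === "object")) {
      vulnerabilities.push({
        // Deterministic id so GitLab can correlate the same finding across pipelines.
        id: `audit-ci:${pkg}:${adv.source}`,
        name: adv.title,
        description: `${adv.name}@${adv.range} reachable via ${pkg} (${adv.url})`,
        severity: SEVERITY[adv.severity] || "Unknown",
        scanner: { id: scanner.id, name: scanner.name },
        location: { file: "package-lock.json" },
        identifiers: [{ type: "npm_advisory", name: `npm advisory ${adv.source}`, value: String(adv.source), url: adv.url }],
      });
    }
  }
  // Schema wants "YYYY-MM-DDThh:mm:ss" without fractional seconds or zone suffix.
  const now = new Date().toISOString().replace(/\.\d{3}Z$/, "");
  return {
    version: "15.0.0", // assumption: a schema version the target GitLab instance accepts
    scan: { scanner, analyzer: scanner, type: "sast", start_time: now, end_time: now, status: "success" },
    vulnerabilities,
  };
}

// Constructed sample in the shape `npm audit --json` emits (npm >= 7); not a real advisory.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "example-pkg": {
      name: "example-pkg", severity: "high", range: "<1.2.3", fixAvailable: true,
      via: [{ source: 1234567, name: "example-pkg", title: "Example prototype pollution",
              url: "https://example.invalid/advisory/1234567", severity: "high", range: "<1.2.3" }],
    },
    // Transitive entry: `via` is a package name string, so it yields no separate finding.
    "wrapper-pkg": { name: "wrapper-pkg", severity: "high", range: "*", fixAvailable: true, via: ["example-pkg"] },
  },
};
```

Writing the returned object to a file and declaring it under `artifacts: reports: sast:` in `.gitlab-ci.yml` is what lets GitLab pick the findings up.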

quinnturner commented 1 year ago

Hi @doricci, I have two ideas for this:

  1. I have a WIP PR #297 that attempts to improve the programmatic usage of audit-ci vastly. That way, you can use it as a library and pipe the result to any parser you want.
  2. With that improvement to audit-ci's programmatic usage, we could add it as a first-party output format.