JoostVoskuil / azure-devops-gitleaks

This is an extension for Azure DevOps that is a wrapper around gitleaks created by Zachary Rice for easy execution inside your pipeline. Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code.
MIT License

Click through not working like sarif file generated from credscan #52

Closed VincentOspazi closed 2 years ago

VincentOspazi commented 2 years ago

When viewing the results in the scans tab (extension SARIF SAST Scans Tab) using the almost deprecated credscan, I can click on the error line and it brings me to the specified line inside the repo.

Can this feature also be implemented in gitleaks? I saw the format was a little bit different, maybe this is the reason?

JoostVoskuil commented 2 years ago

Hi @VincentOspazi ,

I like the idea, however I don't think this is possible. The report generation is part of GitLeaks itself and not part of this extension. The only thing that this extension does is upload the report to a valid location in Azure DevOps so that the SARIF SAST Scans Tab can pick this up. Basically it's pretty dumb ;)

Making your suggestion work requires that Zachary include the correct URL with line of code to the web-based source control repository. I think this approach is different depending on the tool. Maybe you can make a suggestion here: https://github.com/zricethezav/gitleaks but again, this is something I cannot control. Sorry for that.
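The thread turns on whether each finding in the uploaded SARIF file carries enough location data for a viewer to link back to a line of source. The following is an added example, not code from this extension or from gitleaks: it parses a constructed SARIF 2.1.0 log and flags every result that lacks a `physicalLocation` with an `artifactLocation.uri` and a `region.startLine` (these property names come from the SARIF 2.1.0 specification; that the SARIF SAST Scans Tab uses exactly these fields for click-through is an assumption). The sample log and the `check_sarif_locations` function are constructed for this example.

```python
import json

# Constructed sample SARIF 2.1.0 log (not real gitleaks or credscan output):
# the first result carries a file URI and line, the second carries only a message.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {
                "ruleId": "generic-api-key",
                "message": {"text": "Possible API key"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/config.py"},
                    "region": {"startLine": 12, "startColumn": 5},
                }}],
            },
            {
                "ruleId": "generic-api-key",
                "message": {"text": "Possible API key with no location"},
            },
        ],
    }],
})


def check_sarif_locations(sarif_text):
    """Return (run_index, result_index, reason) for every result that lacks
    what a viewer needs to link back to source: a physicalLocation with an
    artifactLocation.uri and a positive integer region.startLine.

    Property names follow the SARIF 2.1.0 specification; whether a given
    viewer requires exactly these fields for click-through is an assumption.
    """
    log = json.loads(sarif_text)
    problems = []
    for ri, run in enumerate(log.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            locs = result.get("locations") or []
            if not locs:
                problems.append((ri, xi, "no locations"))
                continue
            # Only the first location is inspected; SARIF allows several.
            phys = locs[0].get("physicalLocation") or {}
            uri = (phys.get("artifactLocation") or {}).get("uri")
            start = (phys.get("region") or {}).get("startLine")
            if not uri:
                problems.append((ri, xi, "missing artifactLocation.uri"))
            elif not isinstance(start, int) or start < 1:
                problems.append((ri, xi, "missing or invalid region.startLine"))
    return problems


if __name__ == "__main__":
    # Run against the constructed sample; reports the second result only.
    for ri, xi, reason in check_sarif_locations(SAMPLE_SARIF):
        print(f"run {ri} result {xi}: {reason}")
```

Pointing `check_sarif_locations` at a real report (read the file and pass its text) shows quickly whether missing click-through is a viewer limitation or a gap in the report itself, which is the distinction the maintainer draws above.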