Scan is a free & Open Source DevSecOps tool for performing static-analysis-based security testing of your applications and their dependencies. CI and Git friendly.
Currently, scan creates all the reports locally on the CI build system itself. Some customers then upload the results to an S3 bucket or to external platforms such as Splunk Cloud or Google BigQuery for data analysis.
I'm thinking of building some support for report publishers as a new python package. Initially, GitHub Code Scanning would be the supported publisher via its API. Bitbucket Code Insights and other known platforms might come next. If you're a vendor with support for SARIF or a suitable file format, please get in touch with me.
What reports data can be published?
[ ] Depscan vulnerability and license findings JSON
Who is a publisher?
[ ] The publisher should offer a REST API (or python SDK), a UI and some sort of workflow for developers and DevOps to interact with the data.
[ ] You can support one or many of the supported report data types.
[ ] Even commercial platforms that require authentication are fine, since this can be implemented in the code.
Who is not a publisher?
[ ] Simple file storage in the cloud such as S3 or FTP.
[ ] An AppSec company directly competing with the ShiftLeft CORE platform. There's some room for negotiation if you're a cloud platform with some code analysis capability.
@erichs is this something you might be interested in?
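To make the proposal above concrete, here is an added example (not code from the scan project or from the issue author) sketching what a publisher package could look like, with GitHub Code Scanning as the first publisher. It assumes GitHub's documented upload endpoint, `POST /repos/{owner}/{repo}/code-scanning/sarifs`, which expects the SARIF gzip-compressed and base64-encoded together with a full-length `commit_sha` and a fully qualified `ref` (`refs/heads/...`, `refs/tags/...` or `refs/pull/N/merge`). The `Publisher`/`GitHubCodeScanningPublisher` names and the minimal SARIF document are constructed for the example; the request is built without sending so it runs offline, and a plain `urllib` sender is included for real use.

```python
"""Report publisher sketch: build a GitHub Code Scanning SARIF upload.

Added example, not the scan project's own code.  Assumes GitHub's public
code-scanning upload API; SAMPLE_SARIF below is constructed for illustration.
"""
import base64
import gzip
import json
import re
import urllib.request
from abc import ABC, abstractmethod
from typing import Any, Callable, Dict

# Constructed minimal SARIF 2.1.0 report standing in for a real scan output.
SAMPLE_SARIF: Dict[str, Any] = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "scan-example", "rules": [{"id": "EX001"}]}},
        "results": [{
            "ruleId": "EX001",
            "level": "error",
            "message": {"text": "Example finding (constructed)"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/main.py"},
                "region": {"startLine": 10}}}],
        }],
    }],
}

# Sender signature: (method, url, headers, json_body) -> HTTP status code.
HttpSender = Callable[[str, str, Dict[str, str], Dict[str, Any]], int]


class Publisher(ABC):
    """A publisher is a platform with an API and a UI that developers use;
    plain object storage (S3, FTP) deliberately does not fit this shape."""

    @abstractmethod
    def build_request(self, report: Dict[str, Any]) -> Dict[str, Any]:
        """Return method, url, headers and JSON body without sending anything."""

    def publish(self, report: Dict[str, Any], http: HttpSender) -> int:
        req = self.build_request(report)
        return http(req["method"], req["url"], req["headers"], req["json"])


class GitHubCodeScanningPublisher(Publisher):
    ENDPOINT = "https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs"
    _SHA = re.compile(r"^[0-9a-f]{40}$")
    _REF = re.compile(r"^refs/(heads/.+|tags/.+|pull/\d+/(merge|head))$")

    def __init__(self, owner: str, repo: str, token: str,
                 commit_sha: str, ref: str, tool_name: str = "scan") -> None:
        # Reject bad metadata locally; the API would reject it anyway, but
        # failing before the upload keeps the token out of error logs.
        if not self._SHA.match(commit_sha):
            raise ValueError("commit_sha must be a 40-char lowercase hex SHA")
        if not self._REF.match(ref):
            raise ValueError("ref must be fully qualified, e.g. refs/heads/main")
        self.owner, self.repo, self.token = owner, repo, token
        self.commit_sha, self.ref, self.tool_name = commit_sha, ref, tool_name

    @staticmethod
    def encode_sarif(report: Dict[str, Any]) -> str:
        """gzip + base64, the wire format the sarifs endpoint requires."""
        raw = json.dumps(report, separators=(",", ":")).encode("utf-8")
        return base64.b64encode(gzip.compress(raw)).decode("ascii")

    @staticmethod
    def decode_sarif(encoded: str) -> Dict[str, Any]:
        """Inverse of encode_sarif, useful for verifying a payload locally."""
        return json.loads(gzip.decompress(base64.b64decode(encoded)))

    def build_request(self, report: Dict[str, Any]) -> Dict[str, Any]:
        if report.get("version") != "2.1.0":
            raise ValueError("GitHub Code Scanning expects SARIF 2.1.0")
        return {
            "method": "POST",
            "url": self.ENDPOINT.format(owner=self.owner, repo=self.repo),
            "headers": {"Authorization": f"token {self.token}",
                        "Accept": "application/vnd.github+json"},
            "json": {"commit_sha": self.commit_sha, "ref": self.ref,
                     "sarif": self.encode_sarif(report),
                     "tool_name": self.tool_name},
        }


def urllib_sender(method: str, url: str, headers: Dict[str, str],
                  body: Dict[str, Any]) -> int:
    """Real sender for CI use; returns the HTTP status (202 on accepted upload)."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def fake_sender(method: str, url: str, headers: Dict[str, str],
                body: Dict[str, Any]) -> int:
    """Offline stand-in that only checks the payload round-trips."""
    GitHubCodeScanningPublisher.decode_sarif(body["sarif"])
    return 202 if method == "POST" and "Authorization" in headers else 400


if __name__ == "__main__":
    pub = GitHubCodeScanningPublisher("acme", "app", "ghp_example",
                                      "a" * 40, "refs/heads/main")
    print(pub.publish(SAMPLE_SARIF, fake_sender))
```

Swapping `fake_sender` for `urllib_sender` turns this into a working upload; adding Bitbucket Code Insights later means one more `Publisher` subclass with its own `build_request`, which is the shape the package proposal implies.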
@prabhu, very interesting! Direct SARIF-ingestion isn't something @jupiterone is looking at in the short-term, but if there is demand for it, we'll consider it in the future!