
Feature: Reports publisher for integration with external services

Open prabhu opened this issue 3 years ago • 1 comment

Currently, scan creates all the reports locally on the CI build system itself. Some customers then upload the results to an S3 bucket or external platforms such as Splunk Cloud or Google BigQuery for data analysis.

I'm thinking of building some support for reports publishers as a new Python package. Initially, GitHub Code scanning would be the supported publisher via API. Bitbucket Code Insights and other known platforms might come next. If you're a vendor with support for SARIF or a suitable file format, please get in touch with me.

What reports data can be published?

  • [ ] SARIF data from the SAST tools
  • [ ] SBoM data from cdxgen in CycloneDX format
  • [ ] Depscan vulnerability and license findings json

Who is a publisher?

  • [ ] The publisher should offer a REST API (or python sdk), UI and some sort of workflow for developers and DevOps to interact with the data.
  • [ ] You can support one or many supported report data
  • [ ] Even commercial platforms that require authentication are fine since this can be implemented in the code

Who is not a publisher?

  • [ ] A simple file storage in the cloud such as s3 or ftp.
  • [ ] If you're an AppSec company directly competing with ShiftLeft CORE platform. There's some room for negotiation if you're a cloud platform with some code analysis capability

@erichs is this something you might be interested in?

prabhu, May 08 '21 18:05
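As an added example (not code from the sast-scan project or from the issue author), here is a minimal Python publisher for the first target named above: it sanity-checks the SARIF document, wraps it the way GitHub's code scanning SARIF upload endpoint expects (gzip, then base64, alongside the commit SHA and a fully qualified ref) and posts it with a token taken from a CI secret. The `example-sast` sample report, the `EX001` rule id and the helper names are constructed for illustration.

```python
"""Minimal SARIF -> GitHub code scanning publisher (added example, not sast-scan code)."""
import base64
import gzip
import json
import urllib.request

def load_sarif(text):
    """Parse and sanity-check a SARIF 2.1.0 document; returns the dict or raises ValueError."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document")
    return doc

def build_payload(sarif_text, commit_sha, ref):
    """GitHub expects the SARIF gzip-compressed, then base64-encoded, plus commit and ref."""
    load_sarif(sarif_text)  # reject garbage before it reaches the external service
    if not (len(commit_sha) == 40 and all(c in "0123456789abcdef" for c in commit_sha)):
        raise ValueError("commit_sha must be a 40-character hex SHA")
    if not ref.startswith("refs/"):
        raise ValueError("ref must be a fully qualified git ref, e.g. refs/heads/main")
    encoded = base64.b64encode(gzip.compress(sarif_text.encode("utf-8"))).decode("ascii")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": encoded}

def decode_payload(payload):
    """Inverse of build_payload: recover the SARIF dict to verify what would be sent."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))

def publish(owner, repo, token, payload, opener=urllib.request.urlopen):
    """POST the payload to the code scanning SARIF upload endpoint; returns the JSON reply.
    `token` should come from a CI secret and must never be written to the build log."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
        method="POST")
    with opener(req) as resp:
        return json.loads(resp.read())

# Constructed SARIF sample with a single finding, standing in for a real scan report.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [{"ruleId": "EX001", "message": {"text": "hardcoded credential"}}]}]})
```

The `opener` parameter lets a CI job swap in a recording or dry-run callable, so the wrapping logic can be exercised without network access.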

@prabhu, very interesting! Direct SARIF-ingestion isn't something @jupiterone is looking at in the short-term, but if there is demand for it, we'll consider it in the future!

erichs, May 10 '21 21:05