awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0
361 stars 44 forks

[Feature Request] Clear and Simple Output Results #92

Open bestickley opened 2 months ago

bestickley commented 2 months ago

Summary: I want more clear and simple ASH result output.

Here is my sample ASH output:

```
ash --oci-runner docker
Resolved OCI_RUNNER to: docker
Building image automated-security-helper:local -- this may take a few minutes during the first build...
[+] Building 2.7s (29/29) FINISHED  docker:rancher-desktop
 => [internal] load .dockerignore  0.1s
 => => transferring context: 152B  0.0s
 => [internal] load build definition from Dockerfile  0.0s
 => => transferring dockerfile: 5.36kB  0.0s
 => [internal] load metadata for public.ecr.aws/docker/library/python:3.10-bullseye  2.4s
 => [ 1/24] FROM public.ecr.aws/docker/library/python:3.10-bullseye@sha256:9731472b5443c961529d92f5758a2cfa828f25d0084b0d9218dfd212e113cb45  0.0s
 => [internal] load build context  0.1s
 => => transferring context: 2.52kB  0.0s
 => CACHED [ 2/24] RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone  0.0s
 => CACHED [ 3/24] WORKDIR /deps  0.0s
 => CACHED [ 4/24] RUN mkdir -p ${HOME}/.ssh &&     echo "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl" >> ${HOME}/.ssh/known_hosts &&     echo "github.com ecdsa-sha2-nistp256 AAAA  0.0s
 => CACHED [ 5/24] RUN apt-get update &&     apt-get upgrade -y &&     apt-get install -y       curl       python3-venv       git       ripgrep       ruby-dev       tree &&     rm -rf /var/lib/apt/lists/*  0.0s
 => CACHED [ 6/24] RUN set -uex;     apt-get update;     apt-get install -y ca-certificates curl gnupg;     mkdir -p /etc/apt/keyrings;     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key      | gpg --dearm  0.0s
 => CACHED [ 7/24] RUN wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py  0.0s
 => CACHED [ 8/24] RUN python3 -m pip install --no-cache-dir --upgrade pip  0.0s
 => CACHED [ 9/24] RUN git clone https://github.com/awslabs/git-secrets.git &&     cd git-secrets &&     make install  0.0s
 => CACHED [10/24] RUN python3 -m pip install --no-cache-dir     bandit     nbconvert     jupyterlab  0.0s
 => CACHED [11/24] RUN echo "gem: --no-document" >> /etc/gemrc &&     python3 -m pip install checkov pathspec &&     gem install cfn-nag  0.0s
 => CACHED [12/24] RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |     sh -s -- -b /usr/local/bin  0.0s
 => CACHED [13/24] RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |     sh -s -- -b /usr/local/bin  0.0s
 => CACHED [14/24] RUN python3 -m pip install semgrep  0.0s
 => CACHED [15/24] WORKDIR /src  0.0s
 => CACHED [16/24] RUN mkdir -p /src &&     mkdir -p /out &&     mkdir -p /ash/utils  0.0s
 => CACHED [17/24] COPY ./utils/cdk-nag-scan /ash/utils/cdk-nag-scan/  0.0s
 => CACHED [18/24] RUN npm install -g npm pnpm yarn &&     cd /ash/utils/cdk-nag-scan &&     npm install --quiet  0.0s
 => CACHED [19/24] COPY ./utils/cfn-to-cdk /ash/utils/cfn-to-cdk/  0.0s
 => CACHED [20/24] COPY ./utils/*.* /ash/utils/  0.0s
 => CACHED [21/24] COPY ./appsec_cfn_rules /ash/appsec_cfn_rules/  0.0s
 => CACHED [22/24] COPY ./ash-multi /ash/ash  0.0s
 => CACHED [23/24] COPY ./__version__ /ash/__version__  0.0s
 => CACHED [24/24] RUN chmod +x /ash/ash  0.0s
 => exporting to image  0.0s
 => => exporting layers  0.0s
 => => writing image sha256:3e5408e1e7a5a734778fa23059a3ff9985b530d0baea97d38b63cab00a63cc1d  0.0s
 => => naming to docker.io/library/automated-security-helper:local  0.0s
Running ASH scan using built image...

ASH version v1.3.3

Cloning into '/tmp/ash-run-scan.lx4h'...
done.
Repository cloned successfully.
Imported ash-ignore-report.txt from /src/ash_output
Imported ash-scan-set-files-list.txt from /src/ash_output
ASH found 627 file(s) in the source directory...
Items to scan for in Dockerfile-cdk are: [ yaml yml json template ]
Items to scan for in Dockerfile-yaml are: [ yaml yml tf json dockerfile ]
Items to scan for in Dockerfile-git are: [ git ]
Items to scan for in Dockerfile-py are: [ py pyc ipynb ]
Found one or more of: [ yaml yml json template ] items in source dir, running cdk-docker-execute.sh ...
Found one or more of: [ yaml yml tf json dockerfile ] items in source dir, running yaml-docker-execute.sh ...
Items to scan for in Dockerfile-js are: [ js jsx ts tsx ]
waiting on Dockerfile-cdk to finish ...
Found none of: [ py pyc ipynb  ] items in source dir, skipping run of Dockerfile-py
Found one or more of: [ git ] items in source dir, running git-docker-execute.sh ...
Found one or more of: [ js jsx ts tsx ] items in source dir, running js-docker-execute.sh ...
Items to scan for in Dockerfile-grype are: [ js jsx ts tsx py java go cs sh war jar ]
Found one or more of: [ js jsx ts tsx py java go cs sh war jar ] items in source dir, running grype-docker-execute.sh ...
Dockerfile Dockerfile-git returned 0
Dockerfile Dockerfile-js returned 1
Dockerfile Dockerfile-cdk returned 0
Dockerfile-cdk finished with return code 0
waiting on Dockerfile-yaml to finish ...
Dockerfile Dockerfile-yaml returned 0
Dockerfile-yaml finished with return code 0
waiting on Dockerfile-git to finish ...
Dockerfile-git finished with return code 0
waiting on Dockerfile-py to finish ...
Dockerfile-py finished with return code 0
waiting on Dockerfile-js to finish ...
Dockerfile-js finished with return code 1
waiting on Dockerfile-grype to finish ...
Dockerfile Dockerfile-grype returned 0
Dockerfile-grype finished with return code 0
Jobs return code report:
                  Dockerfile-cdk :   0
                 Dockerfile-yaml :   0
                  Dockerfile-git :   0
                   Dockerfile-py :   0
                    Dockerfile-js :   1
                 Dockerfile-grype :   0

Your final report can be found here: /src/ash_output/aggregated_results.txt
ASH execution completed in 225 seconds.
Highest return code is 1
```

Instead of printing results based on Dockerfile, could you print results based on tool? Where is Semgrep scanned? NPM Audit? Also, the output above (`Items to scan for in ...`, `Found one or more of...`, and `Dockerfile-git finished with return code 0`) doesn't add much value to the output IMO.

I'd also prefer ✅, ❌ instead of 0,1.
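The following is an added example, not code from the issue author or from the ASH project. Until ASH itself offers a different output mode, a thin post-processor over its current output can give the two things requested here: drop the `Items to scan for in ...`, `Found one or more of ...` and `... finished with return code N` lines, and turn the `Jobs return code report:` block into a ✅/❌ table while still exposing the highest return code for a CI gate. The report format, the noise-line patterns and the sample text are taken from the output quoted above; the script reads ASH's stdout from a pipe and is an assumption about how one would wire it in (for example `ash --oci-runner docker | python3 ash_summary.py`).

```python
"""Filter ASH's progress chatter and render per-job return codes as pass/fail.

Added example; not part of the ASH project. It works on the plain-text output
ASH prints today, as quoted in the issue, and assumes that format is stable.
"""
import re
import sys

# Constructed sample: the tail of the ASH output quoted in the issue.
SAMPLE_OUTPUT = """\
waiting on Dockerfile-grype to finish ...
Dockerfile Dockerfile-grype returned 0
Dockerfile-grype finished with return code 0
Jobs return code report:
                  Dockerfile-cdk :   0
                 Dockerfile-yaml :   0
                  Dockerfile-git :   0
                   Dockerfile-py :   0
                    Dockerfile-js :   1
                 Dockerfile-grype :   0

Your final report can be found here: /src/ash_output/aggregated_results.txt
ASH execution completed in 225 seconds.
Highest return code is 1
"""

REPORT_HEADER = "Jobs return code report:"
# One "<job> : <code>" line inside the report block, whatever the padding.
JOB_LINE = re.compile(r"^\s*(?P<job>\S+)\s*:\s*(?P<code>\d+)\s*$")
# Lines the issue calls low-value; everything else (version, report path,
# timing, highest return code) is kept untouched.
NOISE = (
    re.compile(r"^Items to scan for in "),
    re.compile(r"^Found (one or more|none) of: "),
    re.compile(r"^waiting on \S+ to finish"),
    re.compile(r"^Dockerfile \S+ returned \d+$"),
    re.compile(r"^\S+ finished with return code \d+$"),
)


def strip_noise(output: str) -> str:
    """Return the ASH output without the per-Dockerfile progress lines."""
    kept = [ln for ln in output.splitlines()
            if not any(p.match(ln) for p in NOISE)]
    return "\n".join(kept)


def parse_return_codes(output: str) -> dict:
    """Extract {job_name: return_code} from the 'Jobs return code report' block.

    The block ends at the first line that is not a '<job> : <code>' entry
    (in ASH's output that is the blank line before the report path).
    """
    codes = {}
    in_report = False
    for line in output.splitlines():
        if not in_report:
            in_report = line.strip() == REPORT_HEADER
            continue
        m = JOB_LINE.match(line)
        if m is None:
            break
        codes[m.group("job")] = int(m.group("code"))
    return codes


def highest_return_code(codes: dict) -> int:
    """Same value ASH prints as 'Highest return code is N'; 0 when no jobs ran."""
    return max(codes.values(), default=0)


def render_summary(codes: dict, ok: str = "✅", fail: str = "❌") -> str:
    """Render one line per job with a check/cross plus a pass count footer."""
    width = max((len(job) for job in codes), default=0)
    lines = [
        f"{job.ljust(width)}  {ok if code == 0 else fail}  (return code {code})"
        for job, code in codes.items()
    ]
    passed = sum(1 for code in codes.values() if code == 0)
    lines.append("")
    lines.append(f"{passed}/{len(codes)} jobs passed; "
                 f"highest return code {highest_return_code(codes)}")
    return "\n".join(lines)


def main() -> int:
    # Read piped ASH output; fall back to the embedded sample when run alone.
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(strip_noise(raw))
    print()
    codes = parse_return_codes(raw)
    print(render_summary(codes))
    # Preserve ASH's exit semantics so a pipeline still fails on findings.
    return highest_return_code(codes)


if __name__ == "__main__":
    sys.exit(main())
```

The exit code mirrors ASH's own highest return code on purpose: the ✅/❌ table is for humans, while the numeric status stays available for the CI step that decides whether the build fails. Mapping a job such as `Dockerfile-js` back to the tools it wraps (the Semgrep and NPM Audit question above) is not something this output exposes, so the script deliberately reports per job rather than guessing per tool.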