datreeio / datree

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
https://datree.io
Apache License 2.0

SARIF output support #616

Closed HariSekhon closed 1 year ago

HariSekhon commented 2 years ago

Please support SARIF output format so that it can be uploaded as part of GitHub Actions workflows for issues to go into the GitHub Security tab.

Relates to #125

eyarz commented 2 years ago

@HariSekhon do you know if it's possible to convert XML, YAML or JUnit to SARIF?

HariSekhon commented 2 years ago

Looks like it's already JSON + schema:

https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md

I'm not familiar with any tool to convert from one to the other, as most of the other security tools I've used already support this output as it's the standard way of putting alerts into GitHub Security tab.

eyarz commented 2 years ago

@hadar-co did some research for the person that will take this task:

SARIF is an industry-standard format for the output of static analysis tools. It is based on JSON and has its own specifications/schema. It seems that this format is gaining traction, and many tools already provide support for it. GitHub provides an action that uploads a SARIF file and displays it under the “Security” tab of a repo.

There is no available converter from an output that Datree supports to SARIF. Therefore, to support this format we need to write a conversion ourselves.

Some helpful resources:
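A sketch of the conversion the comment above says has to be written, as an added example that is not Datree's own code: it maps a hypothetical, simplified `Violation` struct (constructed here; Datree's real result types and rule identifiers are not shown on this page) onto the parts of a SARIF 2.1.0 log that GitHub code scanning needs, namely `tool.driver.rules`, one `result` per violation with `ruleIndex` back-references, a `level`, and a relative `artifactLocation.uri`. The schema URL and the `$schema`/`version`/`runs` layout follow the SARIF 2.1.0 specification; the tool name, rule IDs and file paths in `main` are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Violation is a hypothetical, simplified view of one Datree rule failure.
// It is NOT Datree's real output type; it only exists for this example.
type Violation struct {
	RuleID   string // rule identifier, e.g. a policy rule name
	RuleName string // human-readable rule title
	Message  string // failure message for this occurrence
	File     string // path of the manifest, relative to the repo root
	Severity string // "error", "warning" or "note"; anything else maps to "warning"
}

// Minimal SARIF 2.1.0 structures (only the fields code scanning relies on).
type sarifLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct {
	Driver sarifDriver `json:"driver"`
}
type sarifDriver struct {
	Name           string      `json:"name"`
	InformationURI string      `json:"informationUri,omitempty"`
	Rules          []sarifRule `json:"rules"`
}
type sarifRule struct {
	ID               string       `json:"id"`
	Name             string       `json:"name,omitempty"`
	ShortDescription sarifMessage `json:"shortDescription"`
}
type sarifMessage struct {
	Text string `json:"text"`
}
type sarifResult struct {
	RuleID    string          `json:"ruleId"`
	RuleIndex int             `json:"ruleIndex"`
	Level     string          `json:"level"`
	Message   sarifMessage    `json:"message"`
	Locations []sarifLocation `json:"locations"`
}
type sarifLocation struct {
	PhysicalLocation sarifPhysicalLocation `json:"physicalLocation"`
}
type sarifPhysicalLocation struct {
	ArtifactLocation sarifArtifactLocation `json:"artifactLocation"`
}
type sarifArtifactLocation struct {
	URI       string `json:"uri"`
	URIBaseID string `json:"uriBaseId,omitempty"`
}

// ToSARIF builds a single-run SARIF log. Each distinct rule is emitted once
// under tool.driver.rules and every result refers to it through ruleIndex,
// which is what lets the Security tab group findings by rule.
func ToSARIF(vs []Violation) sarifLog {
	run := sarifRun{
		Tool:    sarifTool{Driver: sarifDriver{Name: "datree", InformationURI: "https://hub.datree.io", Rules: []sarifRule{}}},
		Results: []sarifResult{},
	}
	ruleIdx := map[string]int{}
	for _, v := range vs {
		idx, seen := ruleIdx[v.RuleID]
		if !seen {
			idx = len(run.Tool.Driver.Rules)
			ruleIdx[v.RuleID] = idx
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules,
				sarifRule{ID: v.RuleID, Name: v.RuleName, ShortDescription: sarifMessage{Text: v.RuleName}})
		}
		level := v.Severity
		if level != "error" && level != "warning" && level != "note" {
			level = "warning" // SARIF only allows a fixed set of levels
		}
		run.Results = append(run.Results, sarifResult{
			RuleID: v.RuleID, RuleIndex: idx, Level: level,
			Message: sarifMessage{Text: v.Message},
			// %SRCROOT% tells the uploader the URI is relative to the checkout root.
			Locations: []sarifLocation{{sarifPhysicalLocation{sarifArtifactLocation{URI: v.File, URIBaseID: "%SRCROOT%"}}}},
		})
	}
	return sarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []sarifRun{run}}
}

func main() {
	// Constructed sample violations; rule IDs and paths are made up for this example.
	sample := []Violation{
		{"EXAMPLE_MISSING_IMAGE_TAG", "Ensure each container image has a tag", "container 'web' image has no tag", "k8s/deployment.yaml", "error"},
		{"EXAMPLE_MISSING_LIMITS", "Ensure each container has CPU/memory limits", "container 'web' has no limits", "k8s/deployment.yaml", "high"},
	}
	out, _ := json.MarshalIndent(ToSARIF(sample), "", "  ")
	fmt.Fprintln(os.Stdout, string(out)) // write this to results_output.sarif for the upload step
}
```

The `level` normalisation matters in practice: the upload action validates the file against the schema, so an unknown severity string would make the whole upload fail rather than a single finding.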

eyarz commented 2 years ago

The action will also need to use the codeql action to upload the SARIF file:

```yaml
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results_output.sarif
```

hadar-co commented 1 year ago

The SARIF format is now supported, see our action for instructions on how to create a SARIF report & upload it to GitHub code scanning :)