google / osv-scanner-action

https://google.github.io/osv-scanner/github-action/
Apache License 2.0

gitlab osv-scanner #33

Open jsqfengbao opened 4 months ago

jsqfengbao commented 4 months ago

If I want to use osv-scanner on gitlab, how do I configure the yml file? Is there a corresponding tool or plug-in that can be installed?

oliverchang commented 4 months ago

We currently don't have support for GitLab unfortunately, but we'd be very happy to take contributions!

jsqfengbao commented 4 months ago

> We currently don't have support for GitLab unfortunately, but we'd be very happy to take contributions!

OK, I'd love to

andrewpollock commented 4 months ago

https://docs.gitlab.com/ee/ci/migration/github_actions.html is probably relevant...

andrewpollock commented 4 days ago

Also https://about.gitlab.com/blog/2024/02/27/how-to-integrate-custom-security-scanners-into-gitlab/#tutorial-integrating-custom-security-scanners as surfaced in https://groups.google.com/g/osv-discuss/c/1zA5yRWJK9w

H4x0rcr4x commented 4 days ago

> Also https://about.gitlab.com/blog/2024/02/27/how-to-integrate-custom-security-scanners-into-gitlab/#tutorial-integrating-custom-security-scanners as surfaced in https://groups.google.com/g/osv-discuss/c/1zA5yRWJK9w

Adding to this:

Integrating a security scanner, with results automatically presented in various places in GitLab, means ensuring the output is in a GitLab-specified format.

The "Integrating external security scanners into your DevSecOps workflow" blog post provides an example of using a custom Snyk scan and a script to convert the resulting JSON to the GitLab-specified format.

You can find the schemas for existing scanners here:

- Container Scanning
- Coverage Fuzzing
- DAST
- Dependency Scanning (this is likely the one that you will want to use for OSV-Scanner)
- SAST
- Secret Detection

Your output will need to adhere to one of these schemas. The docs provide further details on the available Report Fields in these schemas.
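The conversion step that the quoted GitLab guidance calls for, as an added example that is not code from this issue, from the OSV-Scanner project or from GitLab: a Python script that reads `osv-scanner --format json` output and writes a GitLab Dependency Scanning report. The OSV JSON field names, the GitLab report field set and `version` string, the ecosystem-to-`package_manager` mapping and the script name `osv_to_gitlab.py` are assumptions made here; the input embedded in the block is a constructed sample, not real scan output. Check the emitted fields against the Dependency Scanning schema in the GitLab docs for your GitLab version before relying on it, since GitLab rejects reports that fail schema validation.

```python
"""Convert OSV-Scanner JSON output into a GitLab Dependency Scanning report.

Added example, not part of OSV-Scanner or GitLab. Assumed here (verify against
the current docs): the layout of `osv-scanner --format json` output
(results[].source.path, results[].packages[].package{name,version,ecosystem},
results[].packages[].vulnerabilities[]{id,summary,details,aliases,references,
database_specific.severity}) and the field set of the GitLab Dependency
Scanning report schema (15.x).
"""
import json
import os
import sys
import uuid
from datetime import datetime, timezone

# GHSA-style severities carried in OSV database_specific.severity, mapped onto
# GitLab's fixed vocabulary (Info, Unknown, Low, Medium, High, Critical).
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MODERATE": "Medium",
                "MEDIUM": "Medium", "LOW": "Low"}

# OSV ecosystem name -> GitLab package_manager label (assumed mapping).
PACKAGE_MANAGER = {"npm": "npm", "PyPI": "pip", "Go": "go", "crates.io": "cargo",
                   "Maven": "maven", "RubyGems": "bundler", "Packagist": "composer"}

# Constructed sample input, shaped like `osv-scanner --format json` output.
# The advisory ids and package names are placeholders, not real advisories.
SAMPLE_OSV_JSON = {"results": [{
    "source": {"path": "/builds/app/package-lock.json", "type": "lockfile"},
    "packages": [
        {"package": {"name": "example-lib", "version": "1.0.0", "ecosystem": "npm"},
         "vulnerabilities": [
             {"id": "GHSA-0000-0000-0001", "summary": "Prototype pollution in example-lib",
              "details": "Constructed sample advisory.", "aliases": ["CVE-0000-0001"],
              "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
              "database_specific": {"severity": "HIGH"}},
             {"id": "GHSA-0000-0000-0002", "summary": "ReDoS in example-lib",
              "details": "Constructed sample advisory.", "aliases": [],
              "references": [], "database_specific": {}}]},
        {"package": {"name": "clean-lib", "version": "2.3.4", "ecosystem": "npm"},
         "vulnerabilities": []}]}]}


def gitlab_severity(vuln):
    raw = str(vuln.get("database_specific", {}).get("severity", "")).upper()
    return SEVERITY_MAP.get(raw, "Unknown")


def identifiers(vuln):
    """Primary OSV id plus CVE/GHSA aliases, in the shape GitLab expects."""
    ids = [{"type": "osv", "name": vuln["id"], "value": vuln["id"],
            "url": f"https://osv.dev/vulnerability/{vuln['id']}"}]
    for alias in vuln.get("aliases", []):
        if alias.startswith("CVE-"):
            ids.append({"type": "cve", "name": alias, "value": alias,
                        "url": f"https://nvd.nist.gov/vuln/detail/{alias}"})
        elif alias.startswith("GHSA-"):
            ids.append({"type": "ghsa", "name": alias, "value": alias,
                        "url": f"https://github.com/advisories/{alias}"})
    return ids


def relative_path(path, root):
    # OSV-Scanner reports absolute lockfile paths; GitLab wants repo-relative ones.
    return os.path.relpath(path, root) if root and path.startswith(root) else path


def convert(osv_report, scanner_version, root=None, now=None):
    ts = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    vulns, dep_files = [], []
    for result in osv_report.get("results", []):
        path = relative_path(result["source"]["path"], root)
        deps, ecosystems = [], set()
        for entry in result.get("packages", []):
            pkg = entry["package"]
            ecosystems.add(pkg.get("ecosystem", ""))
            deps.append({"package": {"name": pkg["name"]}, "version": pkg.get("version", "")})
            for v in entry.get("vulnerabilities", []):
                # Stable id per (file, package, version, advisory) so re-runs
                # produce identical report ids and GitLab can track the finding.
                vid = uuid.uuid5(uuid.NAMESPACE_URL,
                                 f"{path}|{pkg['name']}|{pkg.get('version', '')}|{v['id']}")
                vulns.append({
                    "id": str(vid),
                    "name": v.get("summary") or v["id"],
                    "description": v.get("details", ""),
                    "severity": gitlab_severity(v),
                    "identifiers": identifiers(v),
                    "links": [{"url": r["url"]} for r in v.get("references", []) if "url" in r],
                    "location": {"file": path,
                                 "dependency": {"package": {"name": pkg["name"]},
                                                "version": pkg.get("version", "")}},
                })
        eco = next(iter(ecosystems), "")
        dep_files.append({"path": path, "dependencies": deps,
                          "package_manager": PACKAGE_MANAGER.get(eco, eco.lower() or "unknown")})
    tool = {"id": "osv-scanner", "name": "OSV-Scanner", "version": scanner_version,
            "vendor": {"name": "Google"}}
    return {
        "version": "15.0.0",  # GitLab security report schema version (assumed)
        "scan": {"analyzer": tool, "scanner": tool, "type": "dependency_scanning",
                 "start_time": ts, "end_time": ts, "status": "success"},
        "dependency_files": dep_files,
        "vulnerabilities": vulns,
    }


if __name__ == "__main__":
    # Usage: osv_to_gitlab.py osv-results.json gl-dependency-scanning-report.json [version] [repo_root]
    src, dst = sys.argv[1], sys.argv[2]
    version = sys.argv[3] if len(sys.argv) > 3 else "unknown"
    root = sys.argv[4] if len(sys.argv) > 4 else os.getcwd()
    with open(src) as fh:
        report = convert(json.load(fh), version, root=root)
    with open(dst, "w") as fh:
        json.dump(report, fh, indent=2)
```

Two design points worth keeping if you adapt this: the report `id` is derived deterministically from file, package, version and advisory, so the same finding keeps the same id across pipelines; and advisories with no `database_specific.severity` are emitted as `Unknown` rather than dropped, so a missing rating never hides a finding.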

H4x0rcr4x commented 4 days ago

Currently, you can run OSV-Scanner in GitLab by adding something similar to your .gitlab-ci.yml file. Ensure that you reference the latest stable image, which is currently version 1.9.1. You may prefer the newer HTML output or another format over text.

[image: screenshot of the poster's .gitlab-ci.yml job]
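A text form of the kind of `.gitlab-ci.yml` job the screenshot above shows, as an added example rather than the poster's own file or anything shipped by the OSV-Scanner project. Assumed here: the `ghcr.io/google/osv-scanner` image is Alpine-based with a shell, so its entrypoint has to be cleared for GitLab to run `script:`; `osv-scanner` exits 1 when it finds vulnerabilities and with other non-zero codes on real errors; and `ci/osv_to_gitlab.py` is a hypothetical conversion script you maintain in the repo that turns the OSV JSON into a GitLab Dependency Scanning report. The runner needs outbound access to the OSV API for the scan to work.

```yaml
# .gitlab-ci.yml (added example; not from the issue or the OSV-Scanner project)
stages:
  - scan
  - report

osv_scan:
  stage: scan
  image:
    name: ghcr.io/google/osv-scanner:v1.9.1   # pin a release tag, never :latest
    entrypoint: [""]                          # assumed: clear the osv-scanner entrypoint so `script:` runs in a shell
  script:
    # --format html is the newer human-readable output; json is what a conversion step needs.
    - osv-scanner --recursive --format json --output osv-results.json .
  allow_failure:
    exit_codes: [1]          # assumed: 1 = findings, do not fail the pipeline; other codes still fail the job
  artifacts:
    when: always             # keep the report even when the scan found something
    paths:
      - osv-results.json
    expire_in: 1 week

osv_to_gitlab_report:
  stage: report
  image: python:3.12-alpine
  needs: ["osv_scan"]
  script:
    # hypothetical script: osv JSON in, GitLab Dependency Scanning report out
    - python3 ci/osv_to_gitlab.py osv-results.json gl-dependency-scanning-report.json 1.9.1 "$CI_PROJECT_DIR"
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```

Without the second job the scan still runs and the raw JSON is downloadable from the job, but nothing appears in the merge request widget or the Security dashboard; that only happens once a report in the GitLab-specified format is uploaded under `artifacts:reports:dependency_scanning`. Pass `--config osv-scanner.toml` to the scan if you need to ignore specific advisories, and keep the allowed exit code narrow so genuine scanner errors still break the pipeline.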

H4x0rcr4x commented 4 days ago

Let me know who I can send a boatload of ☕️🧋to for your help with making this a reality! Thank you!!!

H4x0rcr4x commented 4 days ago

> If I want to use osv-scanner on gitlab, how do I configure the yml file? Is there a corresponding tool or plug-in that can be installed?

I just posted how to do it in GitLab. I have had osv-scanner running in GitLab for a few months.