microsoft / sarif-tools

A set of Python command line tools for working with SARIF files produced by code analysis tools
MIT License

Using sudo to install sarif tools #19

Closed ddshore closed 10 months ago

ddshore commented 10 months ago

Hi!

In the readme file, you include this line:

Installing on Linux or Mac
    sudo pip install sarif-tools

This is a very very dangerous security practice: you should never run pip as sudo. If the user is getting permission errors, they should create a virtual environment. I believe it should not be used, least of all in an official Microsoft project, and even less in a project about tools that allow for file portability for security scans.

balgillo commented 10 months ago

Good point, thank you for raising. The current instructions are the simplest path to get to the point of being able to type sarif on the command line without changing the PATH, but it's a good point that this could be a security concern, depending on the context. I'll change the default option to be to install at user level or into a venv and then update the PATH or create a symlink.
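
The user-level install route described in the comment above, as an added example that is not the sarif-tools project's own code: it refuses to run under sudo, installs the package into a per-user venv, symlinks the `sarif` console script into a user-writable bin directory and reports whether that directory is on PATH. It assumes python3 with the venv module is available; the venv and bin directory locations are hypothetical defaults.

```shell
#!/bin/sh
# Added example, not the sarif-tools project's own code: install a pip-based
# CLI into a per-user virtual environment instead of `sudo pip install`, then
# expose its console script on PATH through a symlink in ~/.local/bin.
# Assumptions: python3 with the venv module is available; the venv and bin
# directories below are hypothetical defaults; the console script is `sarif`.
set -eu

# Refuse to run as root: under sudo, pip would write to the system
# site-packages and execute package build code from PyPI with full privileges.
refuse_root() {
  [ "$(id -u)" -ne 0 ] || { echo "refusing to install as root; use a venv" >&2; return 1; }
}

# Create (or reuse) a venv and install the package into it, using that venv's
# own interpreter so nothing touches the system Python.
install_into_venv() {
  local package="$1" venv="$2"
  python3 -m venv "$venv"
  "$venv/bin/python" -m pip install --upgrade "$package"
}

# Symlink one console script from the venv into a user-writable bin directory.
# Returns 1 if the script is missing, so a typo cannot leave a dangling link.
link_entry_point() {
  local venv="$1" script="$2" bindir="$3"
  [ -x "$venv/bin/$script" ] || { echo "no console script '$script' in $venv" >&2; return 1; }
  mkdir -p "$bindir"
  ln -sfn "$venv/bin/$script" "$bindir/$script"
}

# Return 0 if the directory is already on PATH, 1 otherwise.
on_path() {
  case ":$PATH:" in *":$1:"*) return 0 ;; *) return 1 ;; esac
}

# End-to-end flow for sarif-tools (the pip step needs network access).
install_sarif_tools() {
  local venv="$HOME/.venvs/sarif-tools" bindir="$HOME/.local/bin"
  refuse_root
  install_into_venv sarif-tools "$venv"
  link_entry_point "$venv" sarif "$bindir"
  on_path "$bindir" || echo "add to your shell profile: export PATH=\"$bindir:\$PATH\""
}
```

Run `install_sarif_tools` as an ordinary user; the only step that needs privileges beyond the home directory is none.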

balgillo commented 10 months ago

Wording changes have now been merged to the main branch.