Closed ddshore closed 10 months ago
Good point, thank you for raising it. The current instructions are the simplest path to get to the point of being able to type `sarif` on the command line without changing the PATH, but it's a good point that this could be a security concern, depending on the context. I'll change the default option to be to install at user level or into a venv and then update the PATH or create a symlink.
Wording changes have now been merged to main branch
Hi!
In the readme file, you include this line:

Installing on Linux or Mac

```sh
sudo pip install sarif-tools
```
This is a very, very dangerous security practice: you should never run pip as sudo. If the user is getting permission errors, they should create a virtual environment. I believe it should not be used, least of all in an official Microsoft project, and even less in a project about tools that allow for file portability for security scans.
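The sudo-free install path that both sides of this thread land on (a per-user venv, then a symlink or a PATH entry so that `sarif` can still be typed directly), written out as an added example. This is not code from the sarif-tools README or project; the venv location `~/.venvs/sarif-tools`, the `~/.local/bin` link directory and the `SARIF_INSTALL_DEMO` switch are assumptions made for the example. The package name `sarif-tools` and the `sarif` entry point come from the thread above.

```sh
#!/usr/bin/env sh
# Added example, not from the sarif-tools project: install sarif-tools as an
# unprivileged user into a venv, then make the `sarif` console script reachable
# without ever invoking pip under sudo.
set -eu

# running_as_root: true when the effective uid is 0. Installing a pip package
# as root lets any setup.py / wheel hook run with full privileges, which is the
# concern raised in the issue, so the demo refuses to proceed in that case.
running_as_root() {
  [ "$(id -u)" -eq 0 ]
}

# create_user_venv VENV_DIR: create a virtual environment owned by the current
# user (no root needed; writes only under VENV_DIR).
create_user_venv() {
  python3 -m venv "$1"
}

# install_into_venv VENV_DIR PACKAGE: install using the venv's own interpreter,
# so the package lands inside the venv and not in the system site-packages.
# (`python3 -m pip install --user PACKAGE` is the other sudo-free option.)
install_into_venv() {
  "$1/bin/python" -m pip install --quiet "$2"
}

# link_entry_point VENV_DIR NAME LINK_DIR: symlink the venv's console script
# NAME into LINK_DIR and print the link path. Idempotent (-f replaces, -n
# avoids descending into an existing link that points at a directory).
link_entry_point() {
  mkdir -p "$3"
  ln -sfn "$1/bin/$2" "$3/$2"
  printf '%s\n' "$3/$2"
}

# path_with_dir PATH_VALUE DIR: print PATH_VALUE with DIR prepended, unless DIR
# is already one of its entries. Pure string function, so it is safe to call
# repeatedly from a shell profile.
path_with_dir() {
  case ":$1:" in
    *":$2:"*) printf '%s\n' "$1" ;;
    *)        printf '%s\n' "$2:$1" ;;
  esac
}

# main: the end-to-end procedure. Assumed locations: ~/.venvs/sarif-tools for
# the venv and ~/.local/bin for the symlink.
main() {
  if running_as_root; then
    echo "refusing to install as root: run this as your own user" >&2
    return 1
  fi
  venv="${SARIF_VENV:-$HOME/.venvs/sarif-tools}"
  bindir="$HOME/.local/bin"

  create_user_venv "$venv"
  install_into_venv "$venv" sarif-tools
  link=$(link_entry_point "$venv" sarif "$bindir")

  # Make the link directory visible to this shell; add the same line to your
  # shell profile to make it permanent.
  PATH=$(path_with_dir "$PATH" "$bindir"); export PATH

  printf 'sarif entry point: %s\n' "$link"
  command -v sarif
}

# Only run the network-touching install when explicitly asked for, so the
# functions above can be sourced or tested without installing anything.
if [ "${SARIF_INSTALL_DEMO:-0}" = 1 ]; then
  main
fi
```

Run it with `SARIF_INSTALL_DEMO=1 sh install-sarif.sh`. Nothing in it writes outside the user's home directory, so a `pip` permission error cannot occur and there is no temptation to reach for `sudo`.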