Open dnetoa opened 1 year ago
What is the scenario you are trying to achieve? GitHub Advanced Security (GHAS) currently supports consumption of SARIF from various tools. This Action runs specific tools and the resulting SARIF is published to Security tab (part of GHAS)
I have heard it is possible to include SARIF files from other tools, but I'm not able to find any clear documentation about it. It may seem that I could use the PublishBuildArtifacts@1 task and ensure I publish the files to CodeAnalysisLogs/msdo.sarif, but I'm not sure if these can only be viewed in ADO or if they will also be available in Defender for Cloud.
In this case Azure DevOps with Defender for Cloud and Defender for DevOps is used. Scenarios that I want to achieve are:
Is this possible, and if yes, how is this solved?
- SNYK: https://docs.snyk.io/products/snyk-code/cli-for-snyk-code/working-with-the-snyk-code-cli-results/exporting-the-test-results-to-a-json-or-sarif-file
- TRIVY: https://aquasecurity.github.io/trivy/v0.27.1/docs/vulnerability/examples/report/
- Prisma Cloud: https://www.paloaltonetworks.com/blog/prisma-cloud/github-action-container-image-scanning/
- SEMGREP: https://semgrep.dev/docs/cli-reference/
- gitleaks: https://github.com/zricethezav/gitleaks
- Dockle: https://github.com/goodwithtech/dockle
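An Azure Pipelines definition that does what the question describes, added here as an example and not taken from the issue or from the Action being discussed. It assumes Semgrep as the scanner and assumes that the SARIF report must be published as a build artifact named CodeAnalysisLogs with a .sarif file extension, which the question itself does not confirm.

```yaml
# Added example, not part of the original issue. Assumption: Defender for DevOps
# reads third-party SARIF from a build artifact named CodeAnalysisLogs, and the
# file must carry the .sarif extension.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '3.x'
    displayName: Select Python for the Semgrep CLI

  - script: |
      python -m pip install --upgrade semgrep
      mkdir -p "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs"
      # --sarif emits a SARIF 2.1.0 log. Semgrep exits 0 when findings exist
      # (unless --error is given), so the report is always written and published.
      semgrep scan --config auto --sarif \
        --output "$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs/semgrep.sarif" \
        "$(Build.SourcesDirectory)"
    displayName: Run Semgrep and write SARIF

  # Publish the directory as an artifact named CodeAnalysisLogs. The step runs
  # even if the scan step failed, so a partial report is still surfaced.
  - task: PublishBuildArtifacts@1
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)/CodeAnalysisLogs'
      ArtifactName: 'CodeAnalysisLogs'
      publishLocation: 'Container'
    displayName: Publish SARIF to the CodeAnalysisLogs artifact
    condition: succeededOrFailed()
```

Other scanners from the list above can replace the Semgrep step as long as each writes its own uniquely named .sarif file into the same CodeAnalysisLogs directory before the publish step.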