microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License

Support SARIF from Other tools #36

Open dnetoa opened 1 year ago

dnetoa commented 1 year ago

SNYK

https://docs.snyk.io/products/snyk-code/cli-for-snyk-code/working-with-the-snyk-code-cli-results/exporting-the-test-results-to-a-json-or-sarif-file

TRIVY https://aquasecurity.github.io/trivy/v0.27.1/docs/vulnerability/examples/report/

Prisma Cloud https://www.paloaltonetworks.com/blog/prisma-cloud/github-action-container-image-scanning/

SEMGREP https://semgrep.dev/docs/cli-reference/

gitleaks https://github.com/zricethezav/gitleaks

Dockle https://github.com/goodwithtech/dockle

sukhans commented 1 year ago

What is the scenario you are trying to achieve? GitHub Advanced Security (GHAS) currently supports consumption of SARIF from various tools. This Action runs specific tools and the resulting SARIF is published to Security tab (part of GHAS)
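To make the point above concrete, here is an added example workflow (not code from this repository or from the commenter): it runs the MSDO action and a third-party SARIF-producing scanner (Trivy) in the same job and uploads both result files to the Security tab with `github/codeql-action/upload-sarif`. The action versions pinned here and the Trivy action inputs are assumptions to check against those projects' READMEs; the `sarifFile` output is the one the MSDO README documents.

```yaml
# Added example (not from the security-devops-action repo): publish MSDO's
# SARIF and a third-party tool's SARIF to the GitHub Security tab.
# Action versions and Trivy inputs are assumptions; verify before use.
name: Security scans
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write code-scanning alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Microsoft Security DevOps: exposes the merged SARIF path as an output
      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo

      - name: Upload MSDO results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
          category: msdo   # keeps these alerts distinct from other uploads

      # Any other tool that emits SARIF is uploaded the same way.
      - name: Run Trivy filesystem scan (SARIF output)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif

      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        if: always()   # publish findings even if the scan step failed the job
        with:
          sarif_file: trivy-results.sarif
          category: trivy
```

Each upload gets its own `category` so that alerts from different tools are tracked separately and a later upload from one tool does not close open alerts raised by another.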

kimsyversen commented 3 months ago

> What is the scenario you are trying to achieve? GitHub Advanced Security (GHAS) currently supports consumption of SARIF from various tools. This Action runs specific tools and the resulting SARIF is published to Security tab (part of GHAS)

I have heard it is possible to include SARIF files from other tools, but I'm not able to find any clear documentation about it. It may seem that I could use the PublishBuildArtifacts@1 task and ensure I publish the files to CodeAnalysisLogs/msdo.sarif, but I'm not sure if these can only be viewed in ADO or if they will also be available in Defender for Cloud.

In this case Azure DevOps with Defender for Cloud and Defender for DevOps is used. Scenarios that I want to achieve are:

Is this possible, and if yes, how is this solved?
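The Azure DevOps side of the question, as an added example that is not from this repository or from the commenter: an Azure Pipelines job that runs the MSDO extension task and a third-party scanner (Semgrep, using its real `--sarif`/`--output` flags), then publishes every `.sarif` file it produced under a build artifact named `CodeAnalysisLogs`. That artifact name is the pickup point the Defender for DevOps documentation describes for third-party scan results; treat the exact contract (artifact name, `.sarif` extension, one file per tool) as something to verify against the current docs rather than as a fact established on this page.

```yaml
# Added example (not from the security-devops-action repo): publish MSDO and
# third-party SARIF as the CodeAnalysisLogs artifact in Azure Pipelines.
# Task names and the artifact contract are assumptions; verify before use.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  sarifDir: $(Build.ArtifactStagingDirectory)/CodeAnalysisLogs

steps:
  # Microsoft Security DevOps extension task for Azure DevOps
  - task: MicrosoftSecurityDevOps@1
    displayName: Run Microsoft Security DevOps

  # Third-party tool: Semgrep writes SARIF directly with --sarif and --output
  - script: |
      set -e
      mkdir -p "$(sarifDir)"
      python3 -m pip install --quiet semgrep
      semgrep --config auto --sarif --output "$(sarifDir)/semgrep.sarif" .
    displayName: Run Semgrep and write SARIF
    continueOnError: true   # still publish whatever was written if semgrep exits non-zero

  # Publish the .sarif files as the CodeAnalysisLogs artifact so that
  # Defender for DevOps can ingest them alongside MSDO's own results.
  - task: PublishBuildArtifacts@1
    displayName: Publish SARIF to CodeAnalysisLogs
    condition: succeededOrFailed()
    inputs:
      PathtoPublish: $(sarifDir)
      ArtifactName: CodeAnalysisLogs
      publishLocation: Container
```

Give each tool its own file name inside the artifact rather than overwriting a single `msdo.sarif`, so the findings remain attributable to the tool that raised them; `succeededOrFailed()` on the publish step ensures results still reach the artifact when a scanner fails the build.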