owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Are there any plans to support SARIF format in the near future? #31

Open lvyinggithub opened 3 years ago

lvyinggithub commented 3 years ago

ref https://github.com/microsoft/sarif-tutorials/tree/main/samples

This allows you to view messages through GitHub security alerts.

prabhu commented 3 years ago

@lvyinggithub Thank you for raising this issue. The parent project for depscan called slscan supports SARIF and in fact was one of the launch partners for GitHub code scanning.

https://github.com/ShiftLeftSecurity/sast-scan

I do not believe GitHub has opened up their dependency and secrets tabs for third parties to integrate with. So this might be integration with code scanning along with static analysis tools. In the past I have resisted this style of work around since I believe SARIF is not the right format to represent open source vulnerabilities, license compliance issues and so on.

Let me think through a bit more and respond here.

lvyinggithub commented 3 years ago

Thank you very much.

lvyinggithub commented 3 years ago

Use an example to generate a blank GitHub Security Alert:

https://github.com/lvyinggithub/sarif-upload-github-security

test.sarif:

{
  "version": "2.1.0",
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "test-name"
        }
      },
      "results": []
    }
  ]
}

test.yml:

name: "upload-sarif"

on: [ pull_request, workflow_dispatch ]
jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    steps:

Clicking code-scanning will display the newly created test alert:

https://github.com/lvyinggithub/sarif-upload-github-security/security/code-scanning
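The blank test.sarif above shows the minimum GitHub accepts; the following is an added example (not dep-scan's own code, and dep-scan does not emit SARIF as of this thread) of what a non-empty log for dependency advisories would look like. The `findings` record layout, the `EXAMPLE-*` advisory ids, the package names and the tool name are all constructed stand-ins, not dep-scan's real output schema. The `check_sarif` helper applies the structural checks the author of this example considers necessary before an upload; it is not a full schema validation.

```python
"""Render dependency-vulnerability findings as a SARIF 2.1.0 log.

Added example for this thread, not dep-scan's own code. The finding record
layout below is a constructed stand-in for a dependency scanner's output.
"""
import json

# Same schema URL as the blank test.sarif posted above.
SARIF_SCHEMA = "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json"

# Severity words -> SARIF result levels (SARIF defines only error/warning/note/none).
# GitHub additionally reads a numeric "security-severity" rule property (0-10)
# to bucket alerts as critical/high/medium/low; the scores here are assumed
# defaults for the example, not values taken from any advisory database.
LEVELS = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}
SCORES = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.5", "LOW": "2.5"}

# Constructed sample input: two advisories against two packages in one manifest.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0001", "title": "Prototype pollution in example-lib",
     "url": "https://example.invalid/advisories/EXAMPLE-0001",
     "package": "example-lib", "version": "1.2.3", "fix_version": "1.2.4",
     "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "title": "ReDoS in example-parser",
     "url": "https://example.invalid/advisories/EXAMPLE-0002",
     "package": "example-parser", "version": "0.9.0", "fix_version": None,
     "severity": "MEDIUM"},
]


def to_sarif(findings, manifest, tool_name="dep-scan-sarif-example"):
    """Build one SARIF run: each distinct advisory id becomes a rule, each
    affected package a result anchored on the dependency manifest file."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        sev = f["severity"].upper()
        if f["id"] not in rule_index:
            rule_index[f["id"]] = len(rules)
            rules.append({
                "id": f["id"],
                "shortDescription": {"text": f["title"]},
                "helpUri": f["url"],
                "properties": {"security-severity": SCORES[sev]},
            })
        fix = f"upgrade to {f['fix_version']}" if f.get("fix_version") else "no fix available"
        results.append({
            "ruleId": f["id"],
            "ruleIndex": rule_index[f["id"]],
            "level": LEVELS[sev],
            "message": {"text": f"{f['package']}@{f['version']} is affected by {f['id']}: {fix}"},
            # Dependency advisories have no source line; point at the manifest
            # so the alert has a file to attach to in the code scanning UI.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": manifest, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": 1},
            }}],
            # Stable key so re-uploads update rather than duplicate the alert.
            "partialFingerprints": {"dependency": f"{f['package']}@{f['version']}:{f['id']}"},
        })
    return {
        "version": "2.1.0",
        "$schema": SARIF_SCHEMA,
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }


def check_sarif(doc):
    """Return a list of structural problems (empty list means the log passes).
    Checks: version, tool.driver.name, message.text and a location per result,
    and that every ruleId resolves when a rules array is present."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append("tool.driver.name is required")
        rule_ids = {r["id"] for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rid = res.get("ruleId")
            if not res.get("message", {}).get("text"):
                problems.append(f"result {rid} has no message.text")
            if not res.get("locations"):
                problems.append(f"result {rid} has no location")
            if rule_ids and rid not in rule_ids:
                problems.append(f"result references unknown rule {rid}")
    return problems


if __name__ == "__main__":
    log = to_sarif(SAMPLE_FINDINGS, "package.json")
    assert check_sarif(log) == [], check_sarif(log)
    print(json.dumps(log, indent=2))
```

Writing the output to a file and uploading it with the workflow from the comment above is what turns these results into code scanning alerts; the blank log posted above passes the same `check_sarif` checks, which is why it produces an alert list with no entries rather than an upload error.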

prabhu commented 3 years ago

Thank you. The preferred integration would be via this action, which already includes dep-scan (-t depscan):

https://github.com/marketplace/actions/security-and-licence-scan

If you could integrate and have this ready, depscan results would start showing up at some point.