Issue (Open), opened by markusthoemmes 3 years ago
That would be a cool addition. Should be easy enough to add I would think as an output format.
Might be useful to use this library or maybe there is another to build that Sarif format. https://github.com/owenrumney/go-sarif
re: Actions
It looks like our Github action already allows you to customize the command that gets run, so if you wanted that sarif
output you could, and then add a step to push to Github Code Analysis.
https://github.com/sonatype-nexus-community/nancy-github-action#nancycommand
Would just want to update the docs to mention how to set it up and add an example that has this in it.
```yaml
- name: Upload result to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: snyk.sarif
```
If I get a chance over the next week or so I might try to get a PR rolling on it. I think it might be low-hanging fruit but super high value for devs. Thanks for opening the issue @markusthoemmes
What are you trying to do?
Make code scanning results visible in Github's "Security" tab.

What feature or behavior is this required for?
Seamlessly running nancy as part of Github Actions and visualizing the results in Github, as is supported by snyk as well. See https://github.com/snyk/actions/tree/master/golang#uploading-snyk-scan-results-to-github-code-scanning.

How could we solve this issue? (Not knowing is okay!)
We could provide a new `sarif` output setting that writes a SARIF file as specified by the Github documentation: https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/sarif-support-for-code-scanning

cc @bhamail / @DarthHater