Closed NickLiffen closed 2 years ago
We could then add it as an option on the GitHub Action, which would automatically upload the results to Code Scanning, which I think would be a really nice experience 👍
@NickLiffen , thanks for opening the discussion here and providing the background and details. I think this will be a great enhancement to the tool. We'll take a stab at this.
Amazing 💯 Thanks @arothian. I would contribute towards this work but as a developer myself, I must admit Ruby is not my strong suit 😢
Some tools that may be useful to you:
If you would like to validate anything please feel free to let me know 👍
@NickLiffen I have an initial implementation in the linked PR. I think there is one last remaining piece around how it is reporting out the physical location uri data. Let me know if you see any other compatibility issues in what it is generating or if the output wouldn't work for GitHub Code Scanning.
Thanks @arothian 👍 I will get around to testing this today 💯
@arothian thanks for this! Is there any way I could run cfn_nag off this branch by any chance? I can just quickly test this by getting the SARIF and uploading it to the GitHub Code Scanning portal.
If you would like to see how this works you can as well, by using this API endpoint. You just need to enable GitHub Advanced Security in the settings part of the repository and then upload it.
Before I provide any feedback I think it's good to firstly just see how it looks 💯
Great work @arothian I did take a look at the PR format and the structure looks good 👍
@NickLiffen You should be able to. If you have the branch locally and Ruby 2.5+, `bundle install` will install any dependencies. Then you can run `bundle exec cfn_nag_scan -o sarif --input-path ...` to run a scan using the branch's changes.
Amazing 👍 I will get this tested for you 👍 thanks for this work 🎧 ❤️
@NickLiffen This should be available in the latest release.
Amazing 👍 I am going to test this out tomorrow 👍 (sorry I have been on PTO).
I am going to use GitHub Actions to generate the SARIF and then upload it to code scanning using the upload SARIF action.
Will let you know tomorrow how it goes 👍
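One way to wire the steps described in this thread into a workflow, as an added example that is not part of cfn_nag or of the thread itself: install the gem, run the scan with `-o sarif`, and upload the file with GitHub's upload-sarif action. The template directory, the Ruby version, the action tags, and the assumption that the SARIF output goes to stdout are mine.

```yaml
# Added example: GitHub Actions workflow that runs cfn_nag in SARIF mode and
# uploads the result to Code Scanning. Not part of cfn_nag itself; the template
# directory, Ruby version and action tags are assumptions.
name: cfn_nag SARIF to Code Scanning

on:
  push:
    branches: [main]
  pull_request:

jobs:
  cfn-nag:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for upload-sarif to create alerts

    steps:
      - uses: actions/checkout@v3

      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'    # assumption; the thread only says Ruby 2.5+

      - name: Install cfn_nag
        run: gem install cfn-nag

      # `-o sarif` is the output format discussed above. cfn_nag_scan may exit
      # non-zero when failing rules are found, so `|| true` lets the upload step
      # still run and the findings surface as Code Scanning alerts instead.
      - name: Scan CloudFormation templates
        run: |
          cfn_nag_scan -o sarif --input-path ./cloudformation > cfn_nag.sarif || true

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: cfn_nag.sarif
          category: cfn_nag   # keeps these alerts separate from other tools' results
```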
@NickLiffen Once #581 is merged I think you should be able to follow the example in that PR and get this working.
Closing as we published a new action that handles the SARIF format and upload for use with Code Scanning (https://github.com/marketplace/actions/cfn-nag-sarif-upload)
Hey 👋
I didn't know where else to post this so thought I would open an issue. If this is better moved to a GitHub discussion let me know.
I'm Nick from GitHub, specifically on the GitHub Advanced Security (GHAS) product. I am a big user of cfn_nag, and I think it's great to help people track possible security patterns within their CloudFormation templates. One thing I would love is for this tool to support a SARIF output. SARIF is an industry standard for static analysis.
We have seen many other linting tools support SARIF such as eslint, as well as other security tools: CodeQL, etc.
So, why am I asking for SARIF support? Right now, GitHub Code Scanning (as part of GitHub Advanced Security) supports any file which is in the format of SARIF. That means any data can be uploaded to Code Scanning. We are seeing more and more teams starting to track security and quality alerts within Code Scanning, and I think it would be great if cfn_nag results could be uploaded to Code Scanning. All I see this being is the following:
Right now it supports JSON, etc. If it could also support SARIF, that would be amazing :)
Love to hear your thoughts 👍 Also happy to discuss this any further 👍 I think this would be a great feature 👍