tomasbjerre / violations-lib

Java library for parsing report files from static code analysis.
Apache License 2.0
148 stars 39 forks

Sarif Reporter Fix #149

Closed jeremylong closed 2 years ago

jeremylong commented 2 years ago

For the Sarif parser, as the reports could come from multiple tools, the driver name should be used as the reporter instead of Sarif. That way, if Checkmarx outputs a Sarif report and Semgrep outputs a Sarif report, one can differentiate the findings when these are converted to violation comments in a PR.
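
The point above, as an added example (not code from violations-lib): in SARIF 2.1.0 the producing tool is identified at `runs[].tool.driver.name`, so a parser that wants per-tool attribution reads that field once per run and stamps it onto every result of that run, falling back to a generic label only when the driver carries no name. The SARIF document below is constructed for the example, with a Checkmarx run, a Semgrep run, and a deliberately unnamed driver to exercise the fallback; the `Violation` dataclass, `parse_sarif` and `format_comment` are assumptions of this example, not the library's API.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed SARIF 2.1.0 document with three runs: two named tools and
# one run whose driver has no name, to exercise the fallback path.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Checkmarx", "rules": [
                {"id": "CX-1", "shortDescription": {"text": "SQL injection"}}]}},
            "results": [{
                "ruleId": "CX-1",
                "level": "error",
                "message": {"text": "User input reaches a SQL query"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/db.py"},
                    "region": {"startLine": 42, "startColumn": 5}}}],
            }],
        },
        {
            "tool": {"driver": {"name": "Semgrep"}},
            "results": [{
                "ruleId": "python.lang.security.audit.exec-detected",
                "level": "warning",
                "message": {"text": "Detected use of exec()"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/util.py"},
                    "region": {"startLine": 7}}}],
            }],
        },
        {
            # Driver without a name: the parser must not crash and should
            # fall back to the generic reporter label.
            "tool": {"driver": {}},
            "results": [{
                "ruleId": "X-0",
                "message": {"text": "finding from an unnamed tool"},
            }],
        },
    ],
})

# Generic label used only when runs[].tool.driver.name is missing or blank.
FALLBACK_REPORTER = "Sarif"


@dataclass(frozen=True)
class Violation:  # hypothetical record type for this example
    reporter: str
    rule: str
    message: str
    file: str
    line: int
    severity: str


def _driver_name(run: Dict[str, Any]) -> str:
    """Return runs[].tool.driver.name, or the fallback if absent/blank."""
    name = run.get("tool", {}).get("driver", {}).get("name")
    if isinstance(name, str) and name.strip():
        return name.strip()
    return FALLBACK_REPORTER


def _first_location(result: Dict[str, Any]) -> Tuple[str, int]:
    """Pick the first physical location with a URI; ("", 0) if none."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        line = phys.get("region", {}).get("startLine", 0)
        if uri:
            return uri, int(line)
    return "", 0


def parse_sarif(text: str) -> List[Violation]:
    """Flatten all runs into violations, each tagged with its run's driver name."""
    doc = json.loads(text)
    violations: List[Violation] = []
    for run in doc.get("runs", []):
        reporter = _driver_name(run)  # resolved once per run, not per result
        for result in run.get("results", []):
            file, line = _first_location(result)
            violations.append(Violation(
                reporter=reporter,
                rule=result.get("ruleId", ""),
                message=result.get("message", {}).get("text", ""),
                file=file,
                line=line,
                severity=result.get("level", "warning"),  # SARIF default level
            ))
    return violations


def format_comment(v: Violation) -> str:
    """Render one PR-comment line; the leading tag is what tells tools apart."""
    return f"[{v.reporter}] {v.file}:{v.line} {v.severity.upper()} {v.rule}: {v.message}"


if __name__ == "__main__":
    for v in parse_sarif(SAMPLE_SARIF):
        print(format_comment(v))
```

Resolving the name per run rather than per result matters because a single SARIF file may legitimately contain several runs from different tools; reading `driver.name` at the result level would silently attribute every finding to the first run.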

jeremylong commented 2 years ago

BTW - I love your suite of violation tools! The addition of Sarif reports is a game changer for reporting security findings during development.

tomasbjerre commented 2 years ago

Looks great, thanks!