Closed swinton closed 2 years ago
Hey @swinton,
That sounds very interesting. I've never heard about this format but I'll make sure to read more about it and try to understand what this is all about.
I appreciate that you offer your help and I'll come back to you if needed. Thanks a lot 👍
Hi @triat 👋 I'm on the same team as @swinton and wanted to follow up on this request and also provide a link to this recently published guide, "Integrating with Code Scanning". Let us know if you need a hand. 🙇
Hi @imjohnbo, To be honest, I haven't worked on it right now. I can definitely see how this would be helpful and really need to put it on my (long) list of things to do. I appreciate the reminder and will truly let you know if I'm stuck, but let's hope this will be smooth to integrate 🤞
Hey @swinton - Just for info there is one by the tfsec team - https://github.com/marketplace/actions/run-tfsec-with-sarif-upload
As @owenrumney said, they developed their own Action for tfsec. I don't believe it makes sense for me to do another one, therefore I will not move forward with any new feature.
If this action (or tfscan) can produce its analysis in the SARIF format, then it would be straightforward to submit the analysis to GitHub's Code Scanning UI as part of security workflows. I have some experience with this, having worked with the SARIF spec previously, and would be happy to lend a ✋ if there's interest in adding support for this.
More information on Code Scanning: https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors
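As an added example (not code from this issue, nor from the tfsec or tfscan projects), the following Python converts a findings list into the SARIF 2.1.0 shape that the Code Scanning upload expects: one run, a tool driver with its rules, and results carrying a physical location. The findings structure, rule ids, file paths and severity mapping are all constructed assumptions, not tfscan's real output.

```python
import json

# Constructed sample findings in an assumed tfscan-style shape (not the tool's real output).
FINDINGS = [
    {"rule_id": "AWS001", "severity": "HIGH",
     "description": "S3 bucket has an ACL defined which allows public access.",
     "file": "modules/storage/main.tf", "line": 12},
    {"rule_id": "AWS018", "severity": "LOW",
     "description": "Security group rule has no description.",
     "file": "modules/network/sg.tf", "line": 34},
]

# SARIF result levels are error/warning/note; map the assumed tool severities onto them.
LEVELS = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def to_sarif(findings, tool_name="tfscan", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 log with a single run for the given findings."""
    rules, seen, results = [], set(), []
    for f in findings:
        # Declare each rule once under tool.driver.rules so the UI can show its description.
        if f["rule_id"] not in seen:
            seen.add(f["rule_id"])
            rules.append({"id": f["rule_id"], "shortDescription": {"text": f["description"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVELS.get(f["severity"].upper(), "warning"),
            "message": {"text": f["description"]},
            "locations": [{"physicalLocation": {
                # Paths are relative to the repository root (%SRCROOT%) so annotations land on the file.
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Write results.sarif, which a workflow can then hand to the upload-sarif step.
    with open("results.sarif", "w") as fh:
        json.dump(to_sarif(FINDINGS), fh, indent=2)
```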