datreeio
SARIF output support
Please support Sarif output format so that it can be uploaded as part of GitHub Actions workflows for issues to go into the GitHub Security tab.
Relates to #125
@HariSekhon do you know if it's possible to convert XML, yaml or JUnit to SARIF?
Looks like it's already JSON + schema:
https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md
I'm not familiar with any tool to convert from one to the other, as most of the other security tools I've used already support this output as it's the standard way of putting alerts into GitHub Security tab.
@hadar-co did some research for the person that will take this task:
SARIF is is an industry-standard format for the output of static analysis tools. It is based on JSON and has its own specifications/schema. It seems that this format is gaining traction, and many tools already provide support for it. Github provides an action that uploads a SARIF file and displays it under the “Security” tab of a repo.
There is no available converter from an output that Datree supports to SARIF. Therefore, to support this format we need to write a conversion ourselves.
Some helpful resources:
- Snyk has created a github action that converts its JSON output to SARIF, the conversion itself is done in a python script.
- Online SARIF validator.
- Full SARIF specification.
The action will also need to use the codeql action to upload the SARIF file:
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results_output.sarif
