dep-scan
Are there any plans to support SARIF format in the near future?
ref https://github.com/microsoft/sarif-tutorials/tree/main/samples
This allows you to view messages through GitHub security alerts.
@lvyinggithub Thank you for raising this issue. The parent project for depscan called slscan supports SARIF and in fact was one of the launch partners for GitHub code scanning.
https://github.com/ShiftLeftSecurity/sast-scan
I do not believe GitHub has opened up their dependency and secrets tabs for third parties to integrate with. So this might be an integration with code scanning alongside static analysis tools. In the past I have resisted this style of workaround since I believe SARIF is not the right format to represent open source vulnerabilities, license compliance issues and so on.
Let me think through a bit more and respond here.
Thank you very much.
Use an example to generate a blank GitHub Security Alert:
https://github.com/lvyinggithub/sarif-upload-github-security
test.sarif:

```json
{
  "version": "2.1.0",
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "test-name"
        }
      },
      "results": []
    }
  ]
}
```
test.yml:

```yaml
name: "upload-sarif"
on: [pull_request, workflow_dispatch]
jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v2
      - name: upload scan SARIF report
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ./test.sarif
```
Clicking code-scanning will display the newly created test alert:
https://github.com/lvyinggithub/sarif-upload-github-security/security/code-scanning
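The test.sarif above carries an empty results array, so the alert it produces shows nothing. As an added example, not part of this thread and not dep-scan's own code, the Python below builds a SARIF 2.1.0 document with actual results from a constructed list of findings and runs a few checks worth making before handing the file to upload-sarif: every ruleId is declared under tool.driver.rules, level is one of the four SARIF values, and file URIs are repository-relative rather than absolute. The findings, their field names and the tool name depscan-example are assumptions for illustration; they are not dep-scan's real output format.

```python
import json

# Constructed sample findings for this example. The field names are an
# assumption; dep-scan's actual report schema is not shown in the thread.
SAMPLE_FINDINGS = [
    {"id": "CVE-2021-0001", "package": "lodash", "version": "4.17.15",
     "severity": "HIGH", "file": "package-lock.json", "line": 12,
     "description": "Prototype pollution in lodash"},
    {"id": "CVE-2021-0002", "package": "minimist", "version": "1.2.0",
     "severity": "LOW", "file": "package-lock.json", "line": 30,
     "description": "Prototype pollution in minimist"},
]

# SARIF 2.1.0 allows only these result levels; map a CVSS-style severity onto them.
SEVERITY_TO_LEVEL = {"CRITICAL": "error", "HIGH": "error",
                     "MEDIUM": "warning", "LOW": "note"}
VALID_LEVELS = ("error", "warning", "note", "none")


def to_sarif(findings, tool_name="depscan-example"):
    """Build a SARIF 2.1.0 document: one rule per vulnerability id, one result per finding."""
    rules = {}
    results = []
    for f in findings:
        rule_id = f["id"]
        # Declare each rule once; results reference it by ruleId.
        if rule_id not in rules:
            rules[rule_id] = {
                "id": rule_id,
                "shortDescription": {"text": f["description"]},
                "help": {"text": f"Upgrade {f['package']} from {f['version']}"},
                "properties": {"tags": ["security"]},
            }
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(f["severity"].upper(), "warning"),
            "message": {"text": f"{f['package']}@{f['version']}: {f['description']}"},
            "locations": [{
                "physicalLocation": {
                    # Path relative to the checked-out repository root.
                    "artifactLocation": {"uri": f["file"].lstrip("/")},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "version": "2.1.0",
        "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def check_sarif(doc):
    """Return a list of problems found; an empty list means the basic checks passed."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        rule_ids = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            if res.get("ruleId") not in rule_ids:
                problems.append(f"result references undeclared rule {res.get('ruleId')}")
            if res.get("level") not in VALID_LEVELS:
                problems.append(f"invalid level {res.get('level')}")
            for loc in res.get("locations", []):
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                if uri.startswith("/") or "://" in uri:
                    problems.append(f"uri must be repository-relative: {uri}")
    return problems


if __name__ == "__main__":
    doc = to_sarif(SAMPLE_FINDINGS)
    for problem in check_sarif(doc):
        print("problem:", problem)
    # Write the file the workflow above points upload-sarif at.
    with open("test.sarif", "w") as fh:
        json.dump(doc, fh, indent=2)
```

Run it in the repository root and the resulting test.sarif can replace the blank one in the workflow above; the two results then appear as separate alerts under code-scanning, each linked to package-lock.json at the given line.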
Thank you. The preferred integration would be via this action which already includes dep-scan -t depscan
https://github.com/marketplace/actions/security-and-licence-scan
If you could integrate and have this ready, depscan results would start showing up at some point.