Add Gitlab SAST Reporter
Add Gitlab SAST reporter
Created a PR for a Gitlab SAST reporter I made and use on our private Gitlab instance. Can't promise I'll have time to fix it up or anything but thought you guys might like to take what I've done so far and run with it :)
And thanks for sharing this; more people will benefit from it. That's the goal of MegaLinter: to combine the efforts of setting up many linters and using them all easily in CI, without every project having to reinvent the wheel to make it usable.
I don't know how to continue with this one; it's not my skillset.
@TommyE123 since you seem to be using GitLab casually, would you mind giving your opinion on this, and if it is correct to merge as is? It's been waiting a bit
@TommyE123 what does the thumbs up reaction to my comment mean? That you will do, or it is an approval/review, that it is a solution adapted for this environment?
Means I can have a look 🙂
Sorry I'm late :)
This PR is great and I'd love to merge it, but there are additional updates to complete :)
- documentation: Create a GitlabSastReporter like this one https://github.com/oxsecurity/megalinter/blob/main/docs/reporters/GitlabCommentReporter.md :)
- code factorization: there is already code generating SARIF, so let's call it instead of copy-pasting it ^^
- JSON Schema must contain GITLAB_SAST_REPORTER related variables -> https://github.com/oxsecurity/megalinter/blob/main/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.
Anyone wanting to complete this nice PR to apply my comments? 😋
I'm going to attempt to take a look at this. Just depends on my workload between work and school on how much progress I can make.
@hype8912 that would be really nice from you and highly appreciated by the MegaLinter community :)
GitLab may be adding direct support for SARIF reporting very soon, since the converter for SCIP to LSIF has been removed from Sourcegraph. Here are some things I've figured out.
For checkov, if you pass the arguments `--skip-results-upload -o gitlab_sast -o sarif --output-file-path megalinter-reports --custom-tool-name MegaLinter`, this will output the report in gitlab_sast format.
Then in the job you just need to point to the file as a SAST artifact.
```yaml
my-job:
  variables:
    REPOSITORY_CHECKOV_ARGUMENTS: "--skip-results-upload -o gitlab_sast -o sarif --output-file-path megalinter-reports --custom-tool-name MegaLinter"
  artifacts:
    when: always
    paths:
      - megalinter-reports
    reports:
      sast: megalinter-reports/results_gitlab_sast.json
```
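The reporter discussed in this thread has to turn MegaLinter's existing SARIF output into the GitLab SAST report format (the "call the existing SARIF code instead of copy-pasting" point above). The converter below is an added example written for this thread, not code from the PR or from MegaLinter; it emits a minimal subset of the GitLab SAST fields (the full schema also requires analyzer, scanner and timing details under `scan`), and the SARIF input is constructed inline.

```python
import hashlib
import json

# Constructed minimal SARIF 2.1.0 document standing in for MegaLinter's SARIF output
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "checkov", "rules": [
            {"id": "CKV_K8S_1", "shortDescription": {"text": "Do not run privileged"}}]}},
        "results": [{
            "ruleId": "CKV_K8S_1",
            "level": "error",
            "message": {"text": "Container runs privileged"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "deploy/pod.yaml"},
                "region": {"startLine": 12, "endLine": 14}}}],
        }],
    }],
})

# SARIF result levels mapped onto GitLab severity values
SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


def sarif_to_gitlab_sast(sarif_text: str, default_scanner: str = "MegaLinter") -> dict:
    """Convert a SARIF document into a GitLab SAST report (minimal field subset)."""
    sarif = json.loads(sarif_text)
    vulnerabilities = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        scanner = driver.get("name", default_scanner)
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "")
            start = loc.get("region", {}).get("startLine", 0)
            # Stable id so GitLab can track the same finding across pipelines
            fid = hashlib.sha256(f"{rule_id}:{path}:{start}".encode()).hexdigest()
            vulnerabilities.append({
                "id": fid,
                "category": "sast",
                "name": rules.get(rule_id, {}).get("shortDescription", {}).get("text", rule_id),
                "description": res.get("message", {}).get("text", ""),
                "severity": SEVERITY.get(res.get("level", "warning"), "Unknown"),
                "scanner": {"id": scanner.lower(), "name": scanner},
                "location": {"file": path, "start_line": start,
                             "end_line": loc.get("region", {}).get("endLine", start)},
                "identifiers": [{"type": f"{scanner.lower()}_rule_id", "name": rule_id, "value": rule_id}],
            })
    return {"version": "15.0.0", "vulnerabilities": vulnerabilities,
            "scan": {"type": "sast", "status": "success"}}
```

Writing the returned dict to `megalinter-reports/results_gitlab_sast.json` is what the `reports: sast:` artifact declaration above expects to pick up.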
@hype8912 so this means we could just activate MegaLinter SARIF output and declare it in the gitlab-ci.yml?
It could be just an update in this documentation? :) https://megalinter.io/latest/reporters/SarifReporter/
Possibly. Would still have to assign the reports to the report type similar to how I did above with the sast report.