
[WIP] Generate sarif support by default

Open DanBradbury opened this issue 2 years ago • 2 comments

Goal is to address https://github.com/zaproxy/action-baseline/issues/63 and start the work to support the Code Scanning integration

To work fully this requires changes to zap-baseline.py and zap_common.py to properly support the sarif report (https://github.com/zaproxy/zaproxy/pull/8005)

DanBradbury avatar Aug 13 '23 21:08 DanBradbury

I'm not sure this is the right way to go about this. We intend to replace the packaged scans with Automation Framework functionality.


To address the DCO requirement you'll need to sign-off the commit(s):

  • https://github.com/zaproxy/zaproxy/blob/main/CONTRIBUTING.md#developer-certificate-of-origin
  • https://git-scm.com/docs/git-commit#Documentation/git-commit.txt---signoff

kingthorin avatar Aug 13 '23 21:08 kingthorin

> I'm not sure this is the right way to go about this. We intend to replace the packaged scans with Automation Framework functionality.

My understanding is there is an open issue with not being able to leverage the AF options as expected. Note how zap-baseline handles zap.yaml when using the action. It will never allow you to pass in an AF configuration and always overrides it with the 3 default reports.

DanBradbury avatar Aug 14 '23 03:08 DanBradbury

The path forward is to use the Automation Framework (which now has an action); you can generate the SARIF report and upload it to achieve #63.

thc202 avatar Jun 04 '24 08:06 thc202
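Worked example of the path thc202 describes above: an Automation Framework plan whose `report` job writes a SARIF file, driven from a workflow that runs the plan with the AF action and then hands the file to Code Scanning. This is an added illustration, not code from this thread, from the action-baseline repository, or from the ZAP project's own docs. It assumes the `zaproxy/action-af` action takes a `plan` input pointing at a plan file in the checked-out workspace and mounts that workspace at `/zap/wrk` inside the container, that the AF `report` job accepts the `sarif-json` template, that the report file name is `reportFile` plus an extension chosen by the template (here assumed to be `.json`), and that the target URL, file names, and action version tags are placeholders to be replaced. `github/codeql-action/upload-sarif` needs the `security-events: write` permission on the job, which the baseline action's fixed three-report setup does not give you a hook for.

```yaml
# .github/workflows/zap-af-sarif.yml  (assumed path; example, not project code)
name: ZAP AF scan to Code Scanning

on:
  schedule:
    - cron: "0 3 * * 1"
  workflow_dispatch:

jobs:
  zap:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v4

      # Assumed interface: action-af runs the plan at 'plan' with the
      # workspace mounted as /zap/wrk inside the ZAP container.
      - name: Run ZAP Automation Framework plan
        uses: zaproxy/action-af@v0.1.0
        with:
          plan: ".github/zap/plan.yaml"

      # Assumed: the report job below produces zap-report.json in the workspace.
      - name: Upload SARIF to Code Scanning
        if: always()   # upload even when the scan step flags findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "zap-report.json"
          category: "zap-af"

---
# .github/zap/plan.yaml  (assumed path; the AF plan the workflow runs)
env:
  contexts:
    - name: "target"
      urls:
        - "https://example.com"   # placeholder target; replace before use
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10

  - type: spider
    parameters:
      context: "target"
      maxDuration: 2

  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  # Assumed: 'sarif-json' is the SARIF template id and the file lands at
  # /zap/wrk/zap-report.json, i.e. zap-report.json in the GitHub workspace.
  - type: report
    parameters:
      template: "sarif-json"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
      reportTitle: "ZAP AF scan"
      reportDescription: "Passive scan of the target context"
```

The point relative to the thread: with the plan under your control you pick the report template yourself instead of getting the three defaults that zap-baseline.py writes, so no change to the baseline action or to zap_common.py is needed to get SARIF into Code Scanning. Verify the exact template id and output file name against the reports add-on installed in the ZAP image you run, since those are the two details above that are assumed rather than confirmed by this page.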