SARIF output support #616
Comments
@HariSekhon do you know if it's possible to convert XML, YAML or JUnit to SARIF?

Looks like it's already JSON + schema: https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md I'm not familiar with any tool to convert from one to the other, as most of the other security tools I've used already support this output as it's the standard way of putting alerts into GitHub Security tab.
@hadar-co did some research for the person that will take this task: SARIF is an industry-standard format for the output of static analysis tools. It is based on JSON and has its own specifications/schema. It seems that this format is gaining traction, and many tools already provide support for it. GitHub provides an action that uploads a SARIF file and displays it under the "Security" tab of a repo. There is no available converter from an output that Datree supports to SARIF. Therefore, to support this format we need to write a conversion ourselves. Some helpful resources:

The action will also need to use the codeql action to upload the SARIF file:

```yaml
- name: Upload result to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results_output.sarif
```
The SARIF format is now supported, see our action for instructions on how to create a SARIF report & upload it to GitHub code scanning :)
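The thread concludes that no off-the-shelf converter exists and the conversion has to be written. As an added example (not Datree's code and not the GitHub action's), here is a minimal Python converter from a policy-check result list to a SARIF 2.1.0 log that `upload-sarif` accepts; the input record shape, rule ids and tool name are constructed assumptions and not Datree's real output format, and the output file name matches the `sarif_file` used in the upload step above.

```python
import json

SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"

# Constructed sample input (hypothetical shape, NOT Datree's real output format):
# one record per failed policy rule, pointing at a line in a Kubernetes manifest.
SAMPLE_FAILURES = [
    {"rule_id": "EXAMPLE_MISSING_MEMORY_LIMIT", "severity": "warning",
     "message": "container 'api' has no memory limit", "file": "deploy/api.yaml", "line": 23},
    {"rule_id": "EXAMPLE_PRIVILEGED_CONTAINER", "severity": "error",
     "message": "container 'api' runs privileged", "file": "deploy/api.yaml", "line": 31},
    {"rule_id": "EXAMPLE_MISSING_MEMORY_LIMIT", "severity": "warning",
     "message": "container 'worker' has no memory limit", "file": "deploy/worker.yaml", "line": 19},
]

# Code scanning only accepts the SARIF levels none/note/warning/error; anything
# unknown is mapped to "warning" rather than silently dropped.
LEVELS = {"error": "error", "warning": "warning", "info": "note"}

def to_sarif(failures, tool_name="example-policy-checker", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 log with one run: one rule per distinct rule_id, one result per failure."""
    rules, rule_index, results = [], {}, []
    for f in failures:
        if f["rule_id"] not in rule_index:        # register each rule once in the driver
            rule_index[f["rule_id"]] = len(rules)
            rules.append({"id": f["rule_id"],
                          "shortDescription": {"text": f["rule_id"].replace("_", " ").capitalize()}})
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_index[f["rule_id"]],
            "level": LEVELS.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
        })
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
                      "results": results}]}

def write_sarif(failures, path):
    """Serialise the log to the file the upload-sarif step reads; returns the log for inspection."""
    log = to_sarif(failures)
    with open(path, "w") as fh:
        json.dump(log, fh, indent=2)
    return log

if __name__ == "__main__":
    write_sarif(SAMPLE_FAILURES, "results_output.sarif")
```

The relative `uri` plus `uriBaseId: "%SRCROOT%"` is what lets code scanning link each alert to a line in the checked-out repository.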
Please support SARIF output format so that it can be uploaded as part of GitHub Actions workflows for issues to go into the GitHub Security tab.
Relates to #125