SARIF output handler #1726

Open
alfespa17 opened this issue Sep 29, 2023 · 2 comments · May be fixed by #1727


alfespa17 commented Sep 29, 2023

Currently there is an option to generate the output in JSON format that basically prints the result array in this part of the code when using the parameter "--json=filename".

Example:

node index.js --cloud aws --config ./config.js --json=outputput.json  --console=none --plugin s3Encryption

Adding a new output handler using a new parameter "--sarif=filename" would allow exporting the result in SARIF format, which would allow uploading the result to any tool that supports the specification.

At a high level, the new parameter "--sarif=filename" could generate a SARIF file like this example:

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "cloudsploit",
          "version": "3.1.0",
          "informationUri": "https://github.com/aquasecurity/cloudsploit"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "No bucket policy found; encryption not enforced"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "arn:aws:s3:::XXXXXX"
                }
              }
            }
          ],
          "ruleId": "S3-S3ENCRYPTION"
        }
      ]
    }
  ]
}

The command to generate that output could be like:

node index.js --cloud aws --config ./config.js --sarif=outputput.json  --console=none --plugin s3Encryption

I already did a small PoC creating a new output handler; it is not really a big change in the code, it is just creating a new handler similar to the one that generates the JSON format but using the SARIF JSON structure.

I would like to help with this issue and send a PR if the cloudsploit team thinks that this feature could be useful to other people who are currently using this tool.

@alfespa17 alfespa17 linked a pull request Sep 29, 2023 that will close this issue
@fperez-applaudo

That would be super helpful, as more tools are using it, and it can be integrated to other reports easily.

@alphadev4
Collaborator

Hi @alfespa17, our team is looking into your PR, will update you soon. Thank you for your contributions.
