{"id":25079790,"url":"https://github.com/logchange/secscanner2junit","last_synced_at":"2025-08-17T12:42:47.758Z","repository":{"id":37803772,"uuid":"454826925","full_name":"logchange/SecScanner2JUnit","owner":"logchange","description":"Convert Security Scanner Output to JUnit Format","archived":false,"fork":false,"pushed_at":"2025-08-01T22:22:14.000Z","size":136,"stargazers_count":19,"open_issues_count":8,"forks_count":9,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-02T00:30:58.466Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/logchange.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-02-02T15:22:00.000Z","updated_at":"2025-04-23T13:24:25.000Z","dependencies_parsed_at":"2024-04-10T16:31:17.163Z","dependency_job_id":"83f18824-cb4d-4b15-9036-b26835a3de6d","html_url":"https://github.com/logchange/SecScanner2JUnit","commit_stats":{"total_commits":57,"total_committers":6,"mean_commits":9.5,"dds":"0.21052631578947367","last_synced_commit":"08b62e00775358cf6219e469b87e58e82171d721"},"previous_names":["logchange/secscanner2junit","angrymeir/secscanner2junit"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/logchange/SecScanner2JUnit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logchange%2FSecScanner2JUnit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logchange%2FSecScanner2JUnit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logchange%2FSecScanner2JUnit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logchange%2FSecScanner2JUnit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/logchange","download_url":"https://codeload.github.com/logchange/SecScanner2JUnit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logchange%2FSecScanner2JUnit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270850080,"owners_count":24656448,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-07T03:07:46.431Z","updated_at":"2025-08-17T12:42:47.696Z","avatar_url":"https://github.com/logchange.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecScanner2JUnit\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://pypi.org/project/secscanner2junit/\"\u003e\n        \u003cimg src=\"https://badge.fury.io/py/secscanner2junit.svg\" alt=\"PyPI version\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://pepy.tech/project/secscanner2junit\"\u003e\n        \u003cimg src=\"https://static.pepy.tech/badge/secscanner2junit/month\" alt=\"Downloads\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/logchange/SecScanner2JUnit/graphs/contributors\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/contributors/logchange/SecScanner2JUnit\" alt=\"Contributors\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/logchange/SecScanner2JUnit/pulse\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/commit-activity/m/logchange/SecScanner2JUnit\" alt=\"Activity\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://hub.docker.com/repository/docker/logchange/secscanner2junit/\"\u003e\n        \u003cimg src=\"https://img.shields.io/docker/v/logchange/secscanner2junit?sort=semver\u0026color=green\u0026label=DockerHub\" alt=\"DockerHub\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://hub.docker.com/repository/docker/logchange/secscanner2junit/\"\u003e\n        \u003cimg src=\"https://img.shields.io/docker/pulls/logchange/secscanner2junit\" alt=\"DockerHub Pulls\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/logchange/SecScanner2JUnit/actions/workflows/report-validate.yml\"\u003e\n        \u003cimg src=\"https://github.com/logchange/SecScanner2JUnit/actions/workflows/report-validate.yml/badge.svg\" alt=\"Supports latest GitLab version\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://gitpod.io/#https://github.com/logchange/SecScanner2JUnit\"\u003e\n        \u003cimg src=\"https://img.shields.io/badge/Open_in-GitPod-ffae33?style=flat-square\u0026logo=gitpod\" alt=\"Open in Gitpod\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nGitLab offers [security scanning and visualization](https://docs.gitlab.com/ee/user/application_security/) directly via and on their platform.  \nOne nice feature is direct insights on merge requests. However, this feature is only available with the Ultimate tier. To also use this feature on the free tier, one can build around it by taking the security tool output, converting it to the JUnit format, and uploading it as JUnit report.\n\nTo summarize, this tool is for you if:\n- You use GitLab's free tier\n- You use Gitlabs [security templates](https://docs.gitlab.com/ee/user/application_security/)\n- You want to easily access security tool output in merge requests\n\nIf you are on the GitLabs Ultimate tier, just use their tooling! No need to mess up your `.gitlab-ci.yml` file. :smile:\n\n## Which scanning types are supported?\nAll scanning types available under the free tier:\n- Secret Scanning\n- Static Application Security Testing (SAST)\n- Container Scanning\n- Infrastructure as Code Scanning\n\n## How to use?\nProcedure:\n1. Overwrite the existing job so that the report can be used by future jobs.  \n2. Convert report\n3. Upload converted report as junit report\n\n### Report input types:\nYou can use following report types as inputs with `ss2ju` command. (f.e `ss2ju sast ....`) \n- [**sast**](https://docs.gitlab.com/ee/user/application_security/sast/)\n- [**secrets**](https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/)\n- [**container_scanning**](https://docs.gitlab.com/ee/user/application_security/container_scanning/)\n- [**maven_dependency_check**](https://github.com/jeremylong/DependencyCheck)\n\n### Example for Secret Scanning\nThis example can be used as is.\n```yaml\nstages:\n  - test\n  - convert\n  \n- include:\n  - template: Security/Secret-Detection.gitlab-ci.yml\n  \nsecret_detection:\n  artifacts:\n    paths:\n      - gl-secret-detection-report.json\n    when: always\n    \nsecret_convert:\n  stage: convert\n  dependencies:\n    - secret_detection\n  script:\n    - pip3 install SecScanner2JUnit\n    - ss2ju secrets gl-secret-detection-report.json gl-secret-detection-report.xml\n  artifacts:\n    reports:\n      junit: gl-secret-detection-report.xml\n```\n\n### Example for SAST  \nSince GitLab decides dynamically which scanners to use depending on project languages, it makes sense to first perform a testrun only including the template. This way one can see which jobs are executed and then overwrite them. \n```yaml\nstages:\n  - test\n  - convert\n  \n- include:\n  - template: Security/SAST.gitlab-ci.yml\n  \nsemgrep-sast:\n  after_script:\n    - cp gl-sast-report.json gl-sast-semgrep-report.json\n  artifacts:\n    paths:\n      - gl-sast-semgrep-report.json\n    when: always\n\nbrakeman-sast:\n  after_script:\n    - cp gl-sast-report.json gl-sast-brakeman-report.json\n  artifacts:\n    paths:\n      - gl-sast-brakeman-report.json\n    when: always\n\nsemgrep-sast-convert:\n  stage: convert\n  dependencies:\n    - semgrep-sast\n  script:\n    - pip3 install SecScanner2JUnit\n    - ss2ju sast gl-sast-semgrep-report.json gl-sast-semgrep-report.xml\n  artifacts:\n    reports:\n      junit: gl-sast-semgrep-report.xml\n      \nbrakeman-sast-convert:\n  stage: convert\n  dependencies:\n    - brakeman-sast\n  script:\n    - pip3 install SecScanner2JUnit\n    - ss2ju sast gl-sast-brakeman-report.json gl-sast-brakeman-report.xml\n  artifacts:\n    reports:\n      junit: gl-sast-brakeman-report.xml\n\n```\n\n### Example for Container Scanning\n\n```yaml\n- include:\n  - template: Jobs/Build.gitlab-ci.yml #Build and push the container image\n  - template: Security/Container-Scanning.gitlab-ci.yml #Scan the built image\n\ncontainer_scanning:\n  artifacts:\n    paths:\n      - gl-container-scanning-report.json\n    when: always\n\ncontainer_scanning-convert:\n  stage: convert\n  dependencies:\n    - container_scanning\n  script:\n    - pip3 install SecScanner2JUnit\n    - ss2ju container_scanning gl-container-scanning-report.json gl-container-scanning-report.xml\n  artifacts:\n    reports:\n      junit: gl-container-scanning-report.xml\n```\n\n### Suppression\n\nYou can provide a file with suppression which will allow to ignore some vulnerabilities.\n\nYou have to create a file `ss2ju-config.yml` f.e. in `.gitlab` directory which includes:\n\n```yml\nsast:\n  suppressions:\n    - type: \"cwe\"\n      value: \"2555\"\n    - type: \"find_sec_bugs_type\"\n      value: \"SPRING_ENDPOINT\"\n    - id: \"db914ce5737b49650ae650fc3b0fe38a531eadd8ea780f48a013419c4adec7f0\"\n```\n\nAnd now you can modify execution commands as follows:\n\n```bash\n    - ss2ju sast gl-sast-semgrep-report.json gl-sast-semgrep-report.xml .gitlab/ss2ju-config.yml\n```\n\n\n### Usage with docker\nFor easier usage in CI, `Secscanner2JUnit` is also shipped in a docker container: https://hub.docker.com/r/logchange/secscanner2junit  \nIts' usage is similar to the ways described above:\n```yaml\n...\n\nsecret_convert:\n  stage: convert\n  image:\n    name: logchange/secscanner2junit:latest\n    entrypoint: [\"\"]\n  dependencies:\n    - secret_detection\n  script:\n    - ss2ju secrets gl-secret-detection-report.json gl-secret-detection-report.xml\n  artifacts:\n    reports:\n      junit: gl-secret-detection-report.xml\n```\n\n\n### Development\n\nCreate Python Virtual Environment\n```bash\npython -m venv ./venv\n```\n\nActivate Python Virtual Environment\n```bash\nsource ./venv/bin/activate\n```\n\nInstall dependencies\n```bash\npoetry install\n```\n\nRun tests\n```bash\npoetry run pytest\n```\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogchange%2Fsecscanner2junit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flogchange%2Fsecscanner2junit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogchange%2Fsecscanner2junit/lists"}