Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://gitlab.com/ignis-build/sarif-converter
Convert from [SARIF](https://sarifweb.azurewebsites.net/) to GitLab Code Quality and SAST report.
- Host: gitlab.com
- URL: https://gitlab.com/ignis-build/sarif-converter
- Owner: ignis-build
- License: mit
- Created: 2022-09-13T07:24:06.498Z (over 2 years ago)
- Default Branch: master
- Last Synced: 2024-10-18T03:35:39.793Z (2 months ago)
- Topics: SARIF, SAST, gitlab, go, security
- Stars: 11
- Forks: 2
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SARIF Converter
Converts SARIF reports into other report formats:

* [GitLab CodeQuality](https://docs.gitlab.com/ee/ci/testing/code_quality.html#implementing-a-custom-tool)
* [GitLab SAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json?_gl=1%2a1guihbz%2a_ga%2aOTc1NjM2NDI3LjE2NjY3MDc4NzI.%2a_ga_ENFH3X7M5Y%2aMTY2OTcwMjI3MC45LjEuMTY2OTcwMjMxMC4wLjAuMA..)
* HTML (powered by [SARIF Web Component](https://github.com/microsoft/sarif-web-component))

## Supported Static Analyzer Tools
* [Semgrep](https://semgrep.dev/) - Static Code Scanning & Analysis Tool
* [GitLab Semgrep analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep)
* [Qodana](https://www.jetbrains.com/qodana/) - Code quality platform powered by IntelliJ family
* [InspectCode Command-Line Tool](https://www.jetbrains.com/help/resharper/InspectCode.html#understanding-output) - static analyzer for .NET, powered by ReSharper
* [dotnet build ErrorLog](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/errors-warnings#errorlog) - `dotnet build` compile log (requires `version=2.1`)
* [Security Code Scan](https://security-code-scan.github.io/) - static code analyzer for .NET
* [ESLint](https://eslint.org/) - Used together with [SARIF formatter for ESLint](https://www.npmjs.com/package/@microsoft/eslint-formatter-sarif)
* [ktlint](https://pinterest.github.io/ktlint/) - Kotlin linter
* [BinSkim Binary Analyzer](https://github.com/microsoft/binskim) - Portable Executable (PE) light-weight scanner
* [Snyk](https://docs.snyk.io/snyk-cli/getting-started-with-the-snyk-cli) - Security scanner

## Usage
Linux only!

```
$ sarif-converter --help
Usage:
  sarif-converter [OPTIONS] input1.sarif [input2.sarif...] output.json

Application Options:
  -v, --version                       Show version.
  -t, --type=[sast|codequality|html]  Output report type. (default: html)
  -r, --src-root=                     Source root path.

Help Options:
  -h, --help                          Show this help message
```

### Install
```shell
$ wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux-amd64
$ chmod +x sarif-converter
```

For arm64 architecture: https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux-arm64
### Run
Run a static analysis tool such as [Semgrep](https://semgrep.dev/).

```shell
$ semgrep --config=auto --sarif --output=semgrep.sarif .
```

Convert to GitLab Code Quality json.
```shell
$ ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json
```

Convert to GitLab SAST json.
```shell
$ ./sarif-converter --type sast semgrep.sarif gl-sast-report.json
```

Convert to html report.
```shell
$ ./sarif-converter --type html semgrep.sarif semgrp-report.html
```

#### Security Code Scan
[Install Security Code Scan](https://security-code-scan.github.io/#Installation) into your .NET project.

```shell
$ dotnet new tool-manifest
$ dotnet tool install security-scan
```

Scan your project.
```shell
$ dotnet security-scan YourProject.sln --export=security-scan.sarif
```

Convert to GitLab CodeQuality report.
```shell
$ ./sarif-converter --type codequality --src-root . security-scan.sarif gl-code-quality-report.json
```

SARIF reports produced by Security Code Scan contain absolute file paths.
The `--src-root` argument rewrites them as paths relative to the source root, which is what the Code Quality report format requires.

### Run in GitLab CI
```yaml
codequality:sast:
  image: $CI_TEMPLATE_REGISTRY_HOST/security-products/semgrep:3
  before_script:
    - wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
    - chmod +x sarif-converter
  script:
    - /analyzer run
    - ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
```

![](docs/gitlab-merge-request.png)
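As an added example (not the converter's own code), the following Python script does the core of what `--type codequality --src-root .` does in the Security Code Scan steps above: it maps each SARIF result location to a GitLab Code Quality issue and rebases the absolute paths onto the source root. The severity table, the fingerprint scheme and the `SAMPLE` document are assumptions constructed here, not taken from the project.

```python
import hashlib
import json
import os

# Assumed SARIF level -> Code Quality severity table (not the converter's own mapping).
SEVERITY = {"error": "major", "warning": "minor", "note": "info"}


def rel_path(uri, src_root=None):
    """Do what --src-root does: drop a file:// scheme and rebase an absolute path
    onto the source root, because Code Quality wants repository-relative paths."""
    path = uri[len("file://"):] if uri.startswith("file://") else uri
    if src_root and os.path.isabs(path):
        path = os.path.relpath(path, src_root)
    return path.replace(os.sep, "/")


def convert(sarif, src_root=None):
    """Emit one GitLab Code Quality issue per SARIF result location."""
    issues = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                path = rel_path(phys["artifactLocation"]["uri"], src_root)
                line = phys.get("region", {}).get("startLine", 1)
                rule = result.get("ruleId", "unknown")
                # GitLab diffs the MR report against the target branch by fingerprint,
                # so it must be unique per finding yet stable across runs (assumed scheme).
                fp = hashlib.sha256(f"{rule}\0{path}\0{line}".encode()).hexdigest()
                issues.append({
                    "description": result.get("message", {}).get("text", rule),
                    "check_name": rule,
                    "fingerprint": fp,
                    "severity": SEVERITY.get(result.get("level"), "unknown"),
                    "location": {"path": path, "lines": {"begin": line}},
                })
    return issues


# Constructed sample: one Security-Code-Scan-style result with an absolute path.
SAMPLE = {"version": "2.1.0", "runs": [{"results": [{
    "ruleId": "SCS0005", "level": "warning",
    "message": {"text": "Weak random number generator"},
    "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "file:///build/src/Token.cs"},
        "region": {"startLine": 42}}}]}]}]}

if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE, src_root="/build"), indent=2))
```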
## Warning
* `sast` - If `start_time` and similar fields are not present in the SARIF file, ad hoc values are substituted.

## License
MIT