
Supporting SARIF output #467

NickLiffen opened this issue Jun 22, 2022 · 0 comments · May be fixed by #483

@NickLiffen

Hello 👋

My name is Nick, I am one of the architects here at GitHub 👋 lovely to meet you all 👋

Firstly, love what you are doing here 💯

I am working on advanced security and one thing that we are starting to see is people want to integrate stan with Code Scanning.

tl;dr code scanning is a service that allows customers to integrate the output of security tools (and quality tools) into GitHub so they don't need to go between multiple tools, and it's all represented in the same way.

The one requirement is that data is outputted from the tool within SARIF. Think of SARIF as a structured JSON object that tells us what the vulnerabilities are, and where they are found.

I see this tool supports `--json-output`; it would be great if it supported `--sarif-output`, and we could then pass this SARIF either to the upload SARIF action, or the upload SARIF API.

The SARIF support docs are here for GitHub, and tell you what is needed :)

Taking a quick look through the code, we can see you have a lot of the data needed for the output; you would just need to structure it in the right way to be SARIF compliant. I would love to contribute but my Haskell knowledge is not up to par here 😢

I wondered if this is something you would be willing to add as a feature request? ❤️

Here is an example PR that adds SARIF for another tool; you can see other tools that support SARIF here: [Security Workflows](https://github.com/kowainik/stan/actions/new?category=security), if you would like to see how other tools do it 👍 (would also love to add you to this list if you did end up supporting SARIF ❤️)

Anyways, thanks for hearing me out :)
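The SARIF structure described in the request, as an added example that is not part of the original issue or of stan's code: a small Python converter that turns a flat list of findings (a constructed shape assumed for this example, not stan's actual `--json-output` schema, with placeholder rule ids) into a SARIF 2.1.0 log of the kind GitHub code scanning ingests, with each rule declared once under `tool.driver.rules` and each finding pointing at a repository-relative location.

```python
"""Build a minimal SARIF 2.1.0 log, the structure GitHub code scanning ingests."""
import json

# Constructed sample findings in a flat shape assumed for this example;
# NOT stan's real --json-output schema, and the rule ids are placeholders.
SAMPLE_FINDINGS = [
    {"rule": "RULE-0001", "title": "Partial function", "severity": "error",
     "message": "Use of a partial function", "file": "src/Main.hs", "line": 12, "col": 7},
    {"rule": "RULE-0001", "title": "Partial function", "severity": "error",
     "message": "Use of a partial function", "file": "src/Lib.hs", "line": 30, "col": 3},
    {"rule": "RULE-0002", "title": "Unsafe function", "severity": "info",
     "message": "Use of an unsafe function", "file": "src/Lib.hs", "line": 44, "col": 1},
]

# SARIF result levels are limited to "error", "warning", "note" and "none".
LEVELS = {"error": "error", "warning": "warning", "info": "note"}


def to_sarif(findings, tool_name="stan", tool_version="0.0.0-example"):
    """Return a SARIF log with one run: each rule once under tool.driver.rules,
    each finding as a result referencing it by ruleId/ruleIndex, with a
    physicalLocation (1-based line/column) relative to the repository root."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        level = LEVELS.get(f["severity"], "warning")
        if f["rule"] not in rule_index:  # declare each rule only once
            rule_index[f["rule"]] = len(rules)
            rules.append({"id": f["rule"],
                          "shortDescription": {"text": f["title"]},
                          "defaultConfiguration": {"level": level}})
        results.append({
            "ruleId": f["rule"], "ruleIndex": rule_index[f["rule"]], "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "startColumn": f["col"]}}}]})
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                          "rules": rules}},
                      "results": results}]}


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

The printed document can be saved as a `.sarif` file and handed to the upload SARIF action or API mentioned above; GitHub groups alerts by the `ruleId` declared in the run.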

mbg added a commit to mbg/stan that referenced this issue Dec 22, 2022
@mbg mbg linked a pull request Dec 22, 2022 that will close this issue
mbg added a commit to mbg/stan that referenced this issue Dec 24, 2022