Megalinter and Defect Dojo

[wesley-dean-flexion]

Has anyone tried integrating Megalinter with Defect Dojo?

My team uses Defect Dojo for tracking security findings and such. Most of the findings we feed to Defect Dojo come from Snyk through their integration point. However, Defect Dojo handles a bunch of different file formats, including:

• checkov
• gitleaks
• kics
• SARIF
• semgrep
• trivy
• trufflehog

(the list is much longer -- those are just the overlap with Megalinter's repository linters and reporters)

Defect Dojo also exposes an API and documents how to interact with the API manually.

While searching for folks who have made this integration happen, my searches on using Megalinter with Defect Dojo were largely unhelpful, but I was able to find examples of folks who have fed Defect Dojo using curl:

curl -X 'POST' \
  'http://defectdojo-server:8080/api/v2/import-scan/' \
  -H 'accept: application/json' \
  -H 'Content-Type: multipart/form-data' \
  -H 'X-CSRFToken: <token>' \
  -H 'Authorization: Token <token>' \
  -F 'scan_date=2023-11-20' \
  -F 'minimum_severity=Info' \
  -F 'active=true' \
  -F 'verified=true' \
  -F 'scan_type=ZAP Scan' \
  -F 'file=@zapreport.xml;type=text/xml' \
  -F 'product_name=Test Product' \
  -F 'engagement_name=Test Engagement' \
  -F 'close_old_findings=false' \
  -F 'close_old_findings_product_scope=false' \
  -F 'push_to_jira=false' \
  -F 'create_finding_groups_for_all_findings=true'

So, my first thought was to use POST_COMMANDS to run curl (it would be a little more complicated than that as one has to acquire and send an API token to authenticate the request).

My second thought would be to put together a plugin to provide a vector that's a little more robust than a bespoke a shell one-liner.

So, questions:

1. has anyone made this integration (Megalinter => Defect Dojo) work?
2. does anyone have any thoughts on the curl or plugin-based approach?
3. does anyone have any thoughts on whether or not this is a good idea?

[echoix]

I don't know about Defect Dojo yet. The simplest way would be to handle this in another step of your workflow file, so, outside of Megalinter. For the linters that support SARIF, you could send these results to the service.

For the rest, I'm not sure what input you need to have for that service. Is it only a pass/fail or count of problems/files/fixes or something like that? If so, it is a bit equivalent to what we call "reporters". These reporters handle how to present the result at the end of the run.

[wesley-dean-flexion]

outside of Megalinter

Sure, that makes sense. I completely forgot to explore that option. A quick search finds a results uploader for Git Hub Actions, so that should be fairly direct to implement. Thank you.

not sure what input

Right, it can take a variety of file formats including SARIF.

Is it only a pass/fail

Our use case for Defect Dojo is to track vulnerabilities found through various SAST, DAST, and SCA tools and keep them all in one place, like a dashboard of issues that need to be tracked and addressed. That is, the folks whose responsibility it is to ensure the security of the software in use want one place where they can look to get a high-level understanding of vulnerabilities and risks.

So, it's more like the security tab on a repository in GitHub than a quality gate reporting back to GitHub's Checks API.

a bit equivalent to [...] reporters

Yup. Exactly. It's close to the example of using the SARIF reporter to upload results to GitHub, like in the usage section of the SARIF reporter documentation or the GitHub PR comments or GitHub status reporters. In fact, the "outside Megalinter" section (above) is pretty much exactly that example from the usage section.

My thinking is less about the "linter" part of Megalinter (e.g., quality gates) and more about the security scanners that have been included, notably since OX Security became (more) heavily involved with Megalinter.

So, @echoix , your comment about moving functionality like this "outside of Megalinter" to a separate step in a workflow is very well-taken. I think that's exactly what I'll try next. I'll try to share my experiences and results with the integration; hopefully if anyone does a search on Megalinter and Defect Dojo, they can find this conversation and your excellent advice.

Thank you.

[echoix]

If ever you publish an article or blog post about this (if it's your thing), we could add it in https://megalinter.io/latest/articles/ to be useful for others to find!

[wesley-dean-flexion]

Sure. Love to. I just need to clear stuff with my organization before posting it if I'm going to mention them.

My team uses Megalinter in a bunch of different places and we advocate for it, train other teams, help implement, etc. as often as possible. I held a few 30 minute demos of it just this week, actually.

Personally, I use Megalinter on every single one of my repos, public, private, or otherwise. I don't have enough good, kind, and favorable words to share about Megalinter.

[nvuillam]

@wesley-dean-flexion if you demo MegaLinter internally, don't hesitate to do it externally in tech conferences, we'll support you :)

[wesley-dean-flexion]

While searching for folks who have made this integration happen, my searches on using Megalinter with Defect Dojo were largely unhelpful, but I was able to find examples of folks who have fed Defect Dojo using curl:

I was able to adapt the script I mentioned previously to upload results with very little effort. I set it to iterate across $@ so I could upload_sarif_to_dd.bash megalinter-reports/SARIF/*.sarif and it worked great.

I ran Megalinter locally and used an internal DefectDojo instance. It's not accessible from the Internet, so I can't use a GitHub Action to invoke it; my next step will be to use my internal Jenkins instance and have it upload results.

This is likely not a big deal to the Megalinter community or the DefectDojo community. My point in mentioning it here is if someone else gets it in their head that they want to consume findings, it's totally possible. Just make sure your linters only linting things you want them to lint or else you're going to get hundreds of findings.

[nvuillam]

@wesley-dean-flexion well played :)

That seems to be great content for an article that people would find when they search MegaLinter + DefectDojo in search engines ;)

[wesley-dean-flexion]

I overengineered put together a shell script tool to upload SARIF-formatted results to DefectDojo based on the SARIF output produced by Megalinter. I was unable to use existing tools (example) because my DefectDojo instance wasn't accessible over the Internet.

https://github.com/wesley-dean-flexion/upload-sarif-to-defectdojo

export DD_TOKEN="${DEFECT_DOJO_AUTH_TOKEN}"
curl -s \
  -o './upload_sarif_to_defectdojo.bash' \
  -L 'https://raw.githubusercontent.com/wesley-dean-flexion/upload-sarif-to-defectdojo/main/upload_sarif_to_defectdojo.bash'
./upload_sarif_to_defectdojo.bash \
  -p "${PRODUCT}" \
  -e "${ENGAGEMENT}" \
  -s "${DEFECT_DOJO_SERVER}" \
 megalinter-reports/sarif/*.sarif

The script can be...

• downloaded at runtime (raw script link)
• pulled from GHCR
• pulled from DockerHub

Obviously, I mentioned Megalinter throughout the documentation 😉

[nvuillam]

Great, thanks for sharing :)

[wesley-dean-flexion]

@nvuillam this is from a few months ago

[nvuillam]

Wow that's nice ! :D
How did you integrate ML data ? Sarif files ?
MegaLinter could send them to you via API if you want ^^

[wesley-dean-flexion]

Yes, I uploaded the SARIF files with curl.

This specific example was with a Jenkins pipeline that would run MegaLinter first, then upload the results. Both the Jenkins and DefectDojo instances were on a private network that wasn't accessible from the Internet.

I have it set to use pollSCM so when this particular project has commits pushed the main branch, it runs the pipeline.