Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SARIF Format Support on Output for cfn_nag #568

Closed
NickLiffen opened this issue Oct 6, 2021 · 12 comments
Closed

SARIF Format Support on Output for cfn_nag #568

NickLiffen opened this issue Oct 6, 2021 · 12 comments
Labels

Comments

@NickLiffen
Copy link

Hey 👋

I didn't know where else to post this so thought I would open an issue. If this is better moved to a GitHub discussion let me know.

I'm Nick from GitHub, specifically on the GitHub Advanced Security (GHAS) product. I am a big user of cfn_nag, and I think it's great to help people track possible security patterns within their cloud formation templates.

One thing I would love is for this tool to support a SARIF output. SARIF is an industry standard for static analysis.

We have seen many other linting tools support SARIF such as eslint, as well as other security tools: CodeQL, etc.

So, why am I asking for SARIF support? Right now, GitHub Code Scanning (as part of GitHub Advanced Security) supports any file which is in the format of SARIF. That means any data can be uploaded to Code Scanning. We are seeing more and more teams starting to track security and quality alerts within Code Scanning, and I think it would be great if cfn_nag results could be uploaded to Code Scanning.

All I see this being is the following:

cfn_nag_scan --input-path template.yml --output-format sarif

Right now it supports JSON, etc. If it could also support SARIF, that would be amazing :)

Love to hear your thoughts 👍 Also happy to discuss this any further 👍 I think this would be a great feature 👍

@NickLiffen
Copy link
Author

We could then add it as an option on the GitHub Action, which would automatically upload the results to Code Scanning, which I think would be a really nice experience 👍

@arothian
Copy link
Contributor

arothian commented Oct 6, 2021

@NickLiffen , thanks for opening the discussion here and providing the background and details. I think this will be a great enhancement to the tool. We'll take a stab at this.

@NickLiffen
Copy link
Author

Amazing 💯 Thanks @arothian. I would contribute towards this work but as a developer myself, I must admit Ruby is not my strong suit 😢

Some tools that may be useful to you:

If you would like to validate anything please feel free to let me know 👍

@arothian
Copy link
Contributor

@NickLiffen I have an initial implementation in the linked PR. I think there is one last remaining piece around how it is reporting out the physical location uri data. Let me know if you see any other compatibility issues in what is generating or if the output wouldn't work for Github Code Scanning

@NickLiffen
Copy link
Author

Thanks @arothian 👍 I will get around to testing this today 💯

@NickLiffen
Copy link
Author

@arothian thanks for this! Is there any way I could run cfn_nag off this branch by any chance? I can just quickly test this by getting the SARIF and uploading it to the GitHub Code Scanning portal.

If you would like to see how this works you can as well, by using this API endpoint. You just need to enable GitHub Advanced Security in the settings part of the repository and then upload it.

Before I provide any feedback I think it's good to firstly just see how it looks 💯

Great work @arothian I did take a look at the PR format and the structure looks good 👍

@arothian
Copy link
Contributor

@arothian thanks for this! Is there any way I could run cfn_nag off this branch by any chance? I can just quickly test this by getting the SARIF and uploading it to the GitHub Code Scanning portal.

@NickLiffen You should be able to. If you have the branch locally and ruby 2.5+, bundle install will install any dependencies. Then you can run bundle exec cfn_nag_scan -o sarif --input-path ... to run a scan using the branch's changes.

@NickLiffen
Copy link
Author

Amazing 👍 I will get this tested for you 👍 thanks for this work 🎧 ❤️

@arothian
Copy link
Contributor

@NickLiffen This should be available in the latest release.

@NickLiffen
Copy link
Author

Amazing 👍 I am going to test this out tomorrow 👍 (sorry I have been on PTO).

I am going to use GitHub Actions to generate the SARIF and then upload it to code scanning using the upload SARIF action.

Will let you know tomorrow how it goes 👍

@arothian
Copy link
Contributor

arothian commented Nov 3, 2021

@NickLiffen Once #581 is merged I think you should be able to follow the example in that PR and get this working.

@arothian
Copy link
Contributor

arothian commented Nov 5, 2021

Closing as we published a new action that handles the SARIF format and upload for use with Code Scanning (https://github.com/marketplace/actions/cfn-nag-sarif-upload)

@arothian arothian closed this as completed Nov 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants