/sarif-converter

Imported from GitLab/ignis-build

Primary LanguageHTMLMIT LicenseMIT

SARIF Converter

Convert report from SARIF to other format reports.

Supported Static Analyzer Tools

Usage

Linux only!

$ sarif-converter --help
Usage:
  sarif-converter [OPTIONS] input1.sarif [input2.sarif...] output.json

Application Options:
  -v, --version                      Show version.
  -t, --type=[sast|codequality|html] Output report type. (default: html)
  -r, --src-root=                    Source root path.

Help Options:
  -h, --help                         Show this help message

Install

$ wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
$ chmod +x sarif-converter

Run

Run a static analysis tool such as Semgrep.

$ semgrep --config=auto --sarif --output=semgrep.sarif .

Convert to GitLab Code Quality json.

$ ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json

Conver to GitLab SAST json.

$ ./sarif-converter --type sast semgrep.sarif gl-sast-report.json

Convert to html report.

$ ./sarif-converter --type html semgrep.sarif semgrp-report.html

Security Code Scan

Install Security Code Scan into your .NET project.

$ dotnet new tool-manifest
$ dotnet tool install security-scan

Scan your project.

$ dotnet security-scan YourProject.sln --export=security-scan.sarif

Convert to GitLab CodeQuality report.

$ ./sarif-converter --type codequality --src-root . security-scan.sarif gl-code-quality-report.json

Security Code Scan sarif reports are output as absolute paths. The --src-root argument converts them to relative paths as required by the Code Quality report.

Run in GitLab CI

codequality:sast:
  image: $CI_TEMPLATE_REGISTRY_HOST/security-products/semgrep:3
  before_script:
    - wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
    - chmod +x sarif-converter
  script:
    - /analyzer run
    - ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json

Warning

  • sast - If start_time and etc is not provided in the SARIF file, ad hoc values are set.

License

MIT