Add SARIF report output #304
Comments
|
Hi @jeff-cook, interesting. Is the idea that this repo would contain a folder of templates? These templates wouldn't be able to ship with the Grype binary, since templates are just text files, of course, but I suppose they could serve as a helpful reference from within the repo. Is that what you had in mind? |
|
Yes, often I have found tools that support a template option to have examples using commonly widely used formats. SARIF is defiantly going in that direction. JUnit XML is another example. |
|
Okay, got it — thanks! This makes sense. I'm not sure what the priority of this will be — but, we'll also happily accept PRs for this, too. |
|
SARIF support would also mean it can feed back into the security tab of GitHub itself FYI |
|
There is a preference towards adding formats via go code (in the form of presenters) rather than templates. That being said, I think there are probably plenty of cases where adding simple templates is straightforward as long as there is a good mechanism in place to use them easily. We could keep a set of these templates in the repo with a set of snapshot tests for each (like we do with our presenters) and use the https://golang.org/pkg/embed/ package to embed the templates as assets and reference them by name (like we do with the presenters). At least having this mechanism implemented will probably be a good idea (even if it's under leveraged). |
|
From refinement:
|
What would you like to be added:
I see https://github.com/anchore/scan-action supports a SARIF report.
However, instead of using the
grype --templateoption, it creates it in the code.Is there any plan to create a template for use by grype?
Why is this needed:
Being able to create a SARIF report no mater how you use grype.
Additional context:
The text was updated successfully, but these errors were encountered: