[Enhancement] Adding the output format: SARIF #284
Comments
@rsareth Thanks for the suggestion! Let us look into this and get back to you.
Hi @jaspervdj-luminal , First, congratulations on your integration with Snyk.io 🥇 I've just seen your commit on the SARIF format: 522a1b7 Thank you for adding that. Another question if I may. Does it make sense to add the hash of the file that regula scans in the SARIF report? In the SARIF Spec 2.1, 3.14.15 artifacts property, it is possible to add the hash of the file. I'm asking the question because of the way we create AWS resources, i.e. running terraform apply. We don't run the terraform CLI from the repository itself on the commit push event. These are our steps after a git push:
Adding the hash of each file would allow us to check that the files weren't tampered with in one way or another. I'm not talking about signing the files. What do you think? Regards,
Hi @rsareth,
Thanks! Unfortunately the switch comes with some overhead, so things were moving a bit slower in the last two weeks, my apologies. I think including the sha256 makes sense for that use case, and it should be relatively easy to add. I'll see if I can get it in before we do the next release; if not, we'll add it to the SARIF support in a subsequent one.
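A worked illustration of the check @rsareth describes and the sha256 the maintainer agrees to record, added here as an example and not code from the regula project: it emits a SARIF 2.1.0 log whose run-level artifacts array carries a sha-256 per scanned file, then re-verifies those hashes against the files present at apply time. The Terraform file contents, the tool name and the schema URL are constructed for the example.

```python
import hashlib

# Constructed sample input: the Terraform files a scan would cover, as path -> bytes.
SAMPLE_FILES = {
    "main.tf": b'resource "aws_s3_bucket" "logs" {\n  bucket = "example-logs"\n}\n',
    "iam.tf": b'resource "aws_iam_role" "deploy" {\n  name = "deploy"\n}\n',
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; SARIF keys this hash as 'sha-256'."""
    return hashlib.sha256(data).hexdigest()


def build_sarif(files: dict) -> dict:
    """Emit a minimal SARIF 2.1.0 log whose run-level 'artifacts' array
    (SARIF 2.1 section 3.14.15) records a sha-256 for every scanned file."""
    artifacts = [
        {"location": {"uri": path}, "hashes": {"sha-256": sha256_hex(data)}}
        for path, data in sorted(files.items())
    ]
    return {
        # Schema URL and tool name are placeholders chosen for this example.
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-iac-scanner"}},
            "artifacts": artifacts,
            "results": [],
        }],
    }


def verify_sarif(sarif: dict, files: dict) -> list:
    """Re-hash the files present at apply time and return (uri, reason)
    for every artifact that is unhashed, missing, or no longer matches."""
    problems = []
    for run in sarif.get("runs", []):
        for artifact in run.get("artifacts", []):
            uri = artifact.get("location", {}).get("uri")
            recorded = artifact.get("hashes", {}).get("sha-256")
            if recorded is None:
                problems.append((uri, "no sha-256 recorded"))
            elif uri not in files:
                problems.append((uri, "file missing"))
            elif sha256_hex(files[uri]) != recorded.lower():
                problems.append((uri, "hash mismatch"))
    return problems
```

An empty list from verify_sarif means the checked-out files at apply time are byte-for-byte the ones the report covered; any tuple names the file and why it failed.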
Hi @jaspervdj-luminal ,
Since the announcement, I had been thinking about that. For me, it is completely normal. So, no worries.
Thank you ;-) But I think you should discuss globally with your new colleagues from Snyk about generating a BOM. I suppose they participate in one way or another, or are thinking about the use of BOMs: https://snyk.io/blog/advancing-sbom-standards-snyk-spdx/ All I know is that having a BOM seems to be becoming a good security practice, at least in the USA. Regards,
Implemented since 2.6.0
Hello,
It is an open question, but doesn't it make sense to support the SARIF output format? From what I read, it is an OASIS standard. In our case, it would make it easier to generate reports, integrate with other teams, ... because we can rely on a standard.
Even if we rely mostly on regula because of your rego libraries, we complete the analysis with other tools like checkov, for example. Competing tools can generate their results in SARIF format.
Regards,
Rasmey