This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[Enhancement] Adding the output format: SARIF #284

Closed
rsareth opened this issue Dec 22, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@rsareth

rsareth commented Dec 22, 2021

Hello,

It is an open question, but doesn't it make sense to support the SARIF output format? From what I read, it is an OASIS standard. In our case, it would make it easier to generate reports, integrate with other teams, etc., because we could rely on a standard.

Even if we rely mostly on regula because of your rego libraries, we complete the analysis with other tools like checkov, for example. The competitor tools can generate their results in SARIF format.

Regards,
Rasmey

@ameliafugue
Member

@rsareth Thanks for the suggestion! Let us look into this and get back to you.

@rsareth
Author

rsareth commented Feb 25, 2022

Hi @jaspervdj-luminal ,

First, congratulations on your integration with Snyk.io 🥇

I've just seen your commit on the SARIF format: 522a1b7. Thank you for adding that.

Another question, if I may. Does it make sense to add the hash of the files that regula scans to the SARIF report?

In the SARIF 2.1 spec (3.14.15, artifacts property), it is possible to add the hash of the file. I'm asking because of the way we create AWS resources, i.e. how we run terraform apply. We don't run the terraform CLI from the repository itself on the commit push event.

Those are our steps after a git push:

  1. Creating a delivery package
     • creating a tar file from the repository
     • putting the tar file in S3
  2. Creating the AWS resources
     • downloading the tar file from S3
     • decompressing the tar file in a directory
     • running terraform plan/apply from the directory

Adding the hash of each file would allow us to check that the files weren't tampered with in one way or another. I'm not talking about signing the files.

What do you think?

Regards,
Rasmey

@jaspervdj-luminal
Member

Hi @rsareth,

First, congratulations on your integration with Snyk.io

Thanks! Unfortunately the switch comes with some overhead, so things were moving a bit slower in the last two weeks, my apologies.

I think including the sha256 makes sense for that use case, and it should be relatively easy to add. I'll see if I can get it in before we do the next release, if not, we'll add it to the sarif support in a subsequent one.
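
The check rsareth describes above (recording a sha-256 per scanned file under the SARIF `artifacts` property, then recomputing it after the tar round-trip) can be sketched as follows. This is an added example, not regula's code or the commit referenced in the thread; the tool name, the temporary directory and the two Terraform files are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex sha-256 of a file, read in chunks so large files don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sarif_with_artifacts(root, rel_paths, tool_name="hypothetical-scanner"):
    """Minimal SARIF 2.1.0 log: every scanned file appears in runs[].artifacts[]
    with its digest in the 'hashes' object, keyed "sha-256" as the spec names it."""
    artifacts = [
        {"location": {"uri": rel}, "hashes": {"sha-256": sha256_file(os.path.join(root, rel))}}
        for rel in rel_paths
    ]
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name}}, "artifacts": artifacts, "results": []}],
    }


def verify_artifacts(sarif, root):
    """Recompute each artifact's sha-256 against the files now on disk (e.g. after the
    tar was downloaded and unpacked) and return the URIs that no longer match."""
    mismatches = []
    for art in sarif["runs"][0].get("artifacts", []):
        uri = art["location"]["uri"]
        expected = art.get("hashes", {}).get("sha-256")
        path = os.path.join(root, uri)
        if expected is None or not os.path.isfile(path) or sha256_file(path) != expected:
            mismatches.append(uri)
    return mismatches


def demo():
    # Constructed sample: two Terraform files are scanned, then one is edited afterwards.
    root = tempfile.mkdtemp()
    files = {"main.tf": 'resource "aws_s3_bucket" "b" {}\n', "vars.tf": 'variable "region" {}\n'}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    report = sarif_with_artifacts(root, sorted(files))
    before = verify_artifacts(report, root)          # [] : nothing changed yet
    with open(os.path.join(root, "main.tf"), "a") as f:
        f.write("# edited after the scan\n")
    after = verify_artifacts(report, root)           # ["main.tf"] : modified file detected
    return before, after
```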

@rsareth
Author

rsareth commented Feb 25, 2022

Hi @jaspervdj-luminal ,

Unfortunately the switch comes with some overhead, so things were moving a bit slower in the last two weeks, my apologies.

Since the announcement, I had been thinking about that. For me, it is completely normal. So, no worries.

I think including the sha256 makes sense for that use case, and it should be relatively easy to add. I'll see if I can get it in before we do the next release, if not, we'll add it to the sarif support in a subsequent one.

Thank you ;-)

But I think you should discuss generating a BOM more broadly with your new colleagues from Snyk. I suppose they participate in one way or another, or are thinking about the usage of BOMs: https://snyk.io/blog/advancing-sbom-standards-snyk-spdx/

All I know is that having a BOM seems to be becoming a good security practice, at least in the USA.

Regards,
Rasmey

@rsareth
Author

rsareth commented Jul 24, 2022

Implemented since 2.6.0

@rsareth rsareth closed this as completed Jul 24, 2022