
Add SARIF output format for report #4

Closed
bradlarsen opened this issue Dec 9, 2022 · 4 comments · Fixed by #33
Labels
enhancement New feature or request

Comments

@bradlarsen
Collaborator

If Nosey Parker could output findings in SARIF format, it could be more easily integrated into other tools, like GitHub Code Scanning.

This would probably be exposed as a --format=sarif option for the report (and possibly summarize) commands.

Some references:

@bradlarsen bradlarsen added the enhancement New feature or request label Dec 9, 2022
@Coruscant11
Contributor

Hi!
I recently found this project which seems quite promising.
I would be happy to eventually use this scanner for work, which seems to have a great potential comparing to other known scanners.

Do you think I can be assigned to this issue? 😄

A little concern is about #15.
Do you think this issue is a barrier to generating complete SARIF outputs?

@bradlarsen
Collaborator Author

Hi @Coruscant11 — I'd be happy for any contribution toward this! I'll put your name on this.

Having Nosey Parker able to produce SARIF-formatted reports would make it simpler to integrate with several other systems that understand that format, including GitHub Code Analysis (#26) and things like SonarQube.

I'm curious: what's your use case for Nosey Parker having SARIF output?

#15 won't be a barrier to generating complete SARIF outputs. The feature mentioned there is purely an automation step, making it simpler to scan Git repositories in bulk without first manually cloning them. (I will soon be merging a PR that closes that issue anyway.)

One thing that may be a complication at present is figuring out how to represent the "location" of Nosey Parker findings in SARIF format. Because Nosey Parker scans Git history, which for the most part does not appear in working copy files on the filesystem, there will usually not be a physical file on disk to point to. Additionally, for findings from Git history, Nosey Parker currently only gives the Git blob ID, and not the relevant commits or the filenames. (I will fix this eventually: #16.)

I have not previously generated SARIF outputs, so I don't have a deep understanding of the format. From looking at its spec, it's a pretty large and complicated format, able to represent many things. Nosey Parker surely doesn't need to support all of that initially.

Without more research, I'm not sure exactly what a minimal SARIF file would need to look like. My suggestion would be to look at output SARIF files from other tools to get an idea what information needs to be emitted. For example, GitLeaks has SARIF support, which looks at present to be fairly minimal.

There is a set of Rust crates for working with SARIF that looks promising: sarif-rs. I would take a look at using those crates.

Adding a new output format to Nosey Parker should be fairly straightforward. You would need to:

  • Add a new OutputFormat constructor for the SARIF output
  • Extend the Reportable trait with a new sarif_format method
  • Extend the Reportable implementation for the DetailsReporter type to implement the new sarif_format method
  • Also extend the Reportable implementation for the SummaryReporter type to implement the new sarif_format method. (If emitting the summary reports in SARIF format doesn't make sense, we would skip this part or perhaps just return an error.)
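
A minimal SARIF 2.1.0 log for history-only findings, added here as an example (not Nosey Parker's or sarif-rs's code), written in Python rather than Rust so it runs without external crates. The finding fields, the `git-blob:` URI scheme and the `blobRange/v1` fingerprint key are constructed assumptions; the snippet redaction covers the caveat that a SARIF snippet otherwise carries the secret itself into every dashboard that ingests the report.

```python
import hashlib

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings (not real scanner output); blob ids are made up.
FINDINGS = [
    {"rule_id": "np.rsa.1", "rule_name": "RSA private key", "start_byte": 40,
     "end_byte": 71, "blob_id": "0123456789abcdef0123456789abcdef01234567",
     "matched": "-----BEGIN RSA PRIVATE KEY-----"},
    {"rule_id": "np.bearer.1", "rule_name": "Bearer token", "start_byte": 10,
     "end_byte": 47, "blob_id": "89abcdef0123456789abcdef0123456789abcdef",
     "matched": "Bearer AAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
]

def redact(secret: str, keep: int = 6) -> str:
    # Dashboards display the snippet verbatim, so keep a short prefix only.
    return secret[:keep] + "..." if len(secret) > keep else "..."

def fingerprint(f: dict) -> str:
    # Stable id for de-duplicating re-scans: blob id plus byte range never
    # changes for a history-only finding, unlike a working-copy path.
    key = f"{f['blob_id']}:{f['start_byte']}:{f['end_byte']}".encode()
    return hashlib.sha256(key).hexdigest()

def to_sarif(findings: list, tool_name: str, tool_version: str) -> dict:
    # Each result's ruleId must resolve to an entry in tool.driver.rules.
    rules, seen, results = [], set(), []
    for f in findings:
        if f["rule_id"] not in seen:
            seen.add(f["rule_id"])
            rules.append({"id": f["rule_id"],
                          "shortDescription": {"text": f["rule_name"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": "error",
            "message": {"text": f"{f['rule_name']} in Git blob {f['blob_id']}"},
            # A history-only blob has no working-copy path, so a hypothetical
            # git-blob: URI carries the id; consumers that require a
            # repo-relative path (GitHub Code Scanning) need commit + filename.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f"git-blob:{f['blob_id']}"},
                "region": {"byteOffset": f["start_byte"],
                           "byteLength": f["end_byte"] - f["start_byte"],
                           "snippet": {"text": redact(f["matched"])}}}}],
            "partialFingerprints": {"blobRange/v1": fingerprint(f)},
        })
    driver = {"name": tool_name, "version": tool_version, "rules": rules}
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}
```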

@Coruscant11
Contributor

Thank you so much for your answer!
And sorry, I was talking about #16, which talks about the more complete git finding issue, especially with blobs.

As for the use case for the SARIF format, it is because I use Fortify Security Center, which can make a dashboard for any security scanner by reading the SARIF format.

I am scanning a whole Bitbucket instance with security scanners, and noseyparker seems to be more powerful in some repositories than gitleaks or trufflehog, finding for example some RSA private keys or Bearer tokens in the git changelog that other scanners didn't find.

I think that being able to output SARIF is a very important feature for a security scanner nowadays, that's why I would be very happy to work on it.

Thank you so much for your advice! I will try to work on it as soon as possible and I will keep you updated. While working with some scanners I saw SARIF a little bit and it seems not so complicated for secret scanners. The main thing will be to find information related to findings in order to make exports very useful, like links to the issue and stuff like that.

I am looking forward to working on it! I will start to read the code as soon as possible.
Thanks again

@bradlarsen
Collaborator Author

If you have any questions, I'm happy to help. Thanks!

Coruscant11 added a commit to Coruscant11/noseyparker that referenced this issue Feb 24, 2023
Coruscant11 added a commit to Coruscant11/noseyparker that referenced this issue Feb 25, 2023
Coruscant11 added a commit to Coruscant11/noseyparker that referenced this issue Feb 25, 2023
Coruscant11 added a commit to Coruscant11/noseyparker that referenced this issue Feb 25, 2023
Coruscant11 added a commit to Coruscant11/noseyparker that referenced this issue Feb 25, 2023
bradlarsen added a commit that referenced this issue Feb 28, 2023
Add SARIF output format for `report` command.

Fixes #4.

Co-authored-by: Brad Larsen <bradford.larsen@praetorian.com>