jonny64 edited this page Sep 21, 2024 · 29 revisions

sarif2gl is a tool that delivers SAST results to GitLab merge request discussions via the GitLab API.

Given a list of SAST results in multiple SARIF files in an MR pipeline environment:

  • if any non-suppressed finding is found, it posts a discussion thread
  • if a thread already exists, it edits the discussion thread's first note
  • if all findings are cleared or suppressed, the thread is resolved

Installation

Node.js version 18 is required

$ npm i -g sarif2gl
$ sarif2gl *.sarif

Usage

Create an sdl_bot user and its access token (SDL_BOT_TOKEN, rights scope: api), then in the target project:

  • define the SDL_BOT_TOKEN environment variable
  • add sdl_bot to the project members as a Reporter
  • add to .gitlab-ci.yml:

stages:
  - build

# ...

tool:
  # ...
  # use .pre stage to run before all stages
  stage: .pre
  script: ... -f sarif -o tool.sarif
  artifacts:
    paths:
      - ${CI_PROJECT_DIR}/*.sarif
    when: always

# ...build

sarif2gl:
  rules:
    - if: $CI_MERGE_REQUEST_IID
  interruptible: true
  variables:
    GIT_STRATEGY: none
  # use .post stage to run after all stages
  stage: .post
  tags:
    - docker
  # node:18-alpine with sarif2gl.js
  image: sdl.registry.company.local/sarif2gl:1.0.0
  script:
    # skip silently when the build stages produced no .sarif artifacts
    - if [[ -z "$(ls ./*.sarif 2>/dev/null)" ]]; then exit 0; fi
    - node sarif2gl.js *.sarif
  • create an MR: sdl_bot now posts a discussion thread if any non-suppressed warning is found in the input .sarif files
  • update the MR: sdl_bot now edits the discussion thread's first note, or resolves the thread if no warnings are found

The following sections are parsed and merged across all input SARIF files into one discussion note:

  • runs.results
  • invocations.toolExecutionNotifications

The sarif2gl exit code is always zero, unless there was an error during the discussion POST; findings themselves never fail the pipeline.
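The merge and decision logic described above, as an added example that is not sarif2gl's own code: it gathers runs.results and invocations.toolExecutionNotifications from several parsed SARIF documents, drops results that carry a SARIF `suppressions` entry, renders one note body, and picks the post / edit / resolve action. The two SARIF documents at the end are constructed for illustration, and the `noop` outcome (no thread and no findings) is an assumption of this example.

```javascript
// Added example, not sarif2gl's own code: merge SARIF findings from several
// documents, drop suppressed results, and pick the GitLab discussion action.

// Gather runs[].results[] and runs[].invocations[].toolExecutionNotifications[]
// from one parsed SARIF 2.1.0 document. A result with a non-empty
// `suppressions` array is how SARIF marks a finding as suppressed, so it is
// skipped here.
function collectFindings(sarif) {
  const findings = [];
  for (const run of sarif.runs ?? []) {
    const tool = run.tool?.driver?.name ?? 'unknown tool';
    for (const r of run.results ?? []) {
      if (Array.isArray(r.suppressions) && r.suppressions.length > 0) continue;
      const loc = r.locations?.[0]?.physicalLocation;
      findings.push({
        tool,
        source: 'results',
        ruleId: r.ruleId ?? '',
        level: r.level ?? 'warning',
        message: r.message?.text ?? '',
        file: loc?.artifactLocation?.uri ?? '',
        line: loc?.region?.startLine ?? 0,
      });
    }
    for (const inv of run.invocations ?? []) {
      for (const n of inv.toolExecutionNotifications ?? []) {
        findings.push({
          tool,
          source: 'toolExecutionNotifications',
          ruleId: n.descriptor?.id ?? '',
          level: n.level ?? 'warning',
          message: n.message?.text ?? '',
          file: '',
          line: 0,
        });
      }
    }
  }
  return findings;
}

// Merge findings from all input documents into one list.
function mergeFindings(sarifDocs) {
  return sarifDocs.flatMap(collectFindings);
}

// Body of the single discussion note: one markdown table row per finding.
function renderNote(findings) {
  const rows = findings.map(
    (f) => `| ${f.tool} | ${f.level} | ${f.ruleId} | ${f.file}${f.line ? ':' + f.line : ''} | ${f.message} |`,
  );
  return ['| tool | level | rule | location | message |', '|---|---|---|---|---|', ...rows].join('\n');
}

// Choose the MR discussion action. `existing` is the previously posted bot
// discussion (or null) with the `resolved` flag as returned by the GitLab
// discussions API. Returning 'noop' when there is neither a thread nor a
// finding is an assumption of this example.
function decideAction(findings, existing) {
  if (findings.length > 0) return existing ? 'edit_first_note' : 'post_discussion';
  if (existing && !existing.resolved) return 'resolve';
  return 'noop';
}

// Constructed sample input: two tools, one suppressed result, one notification.
const sampleDocs = [
  {
    version: '2.1.0',
    runs: [{
      tool: { driver: { name: 'tool-a' } },
      results: [
        {
          ruleId: 'hardcoded-secret', level: 'error',
          message: { text: 'Hardcoded credential' },
          locations: [{ physicalLocation: { artifactLocation: { uri: 'src/db.js' }, region: { startLine: 12 } } }],
        },
        {
          ruleId: 'xss', level: 'warning', message: { text: 'Reflected input' },
          suppressions: [{ kind: 'inSource' }],
        },
      ],
    }],
  },
  {
    version: '2.1.0',
    runs: [{
      tool: { driver: { name: 'tool-b' } },
      results: [],
      invocations: [{ toolExecutionNotifications: [
        { level: 'warning', descriptor: { id: 'cli/timeout' }, message: { text: 'Analysis timed out' } },
      ] }],
    }],
  },
];

const merged = mergeFindings(sampleDocs);
console.log(decideAction(merged, null));
console.log(renderNote(merged));
```

Running the block with the sample documents yields two findings (the suppressed `xss` result is dropped, the notification is kept) and the `post_discussion` action; with an existing unresolved thread and an empty finding list the result is `resolve`.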

Developing

  • run tests with coverage: npm test
  • make a coverage report: NODE_V8_COVERAGE=./coverage node --test --experimental-test-coverage
    then npx -y c8 report --temp-directory ./coverage --reporter html
  • see the coverage report for the master branch: https://jonny64.github.io/sarif2gl