Create stand-alone libraries/utilities to ease Scanner integration
Integrating a new analyzer should be straightforward from many different languages and environments. The core requirement is that an analyzer produces a conformant JSON security report, so libraries should exist to make building that report easy.
For example, an easily installable and usable library in each of:
- python
- ruby
- go
- rust
- nodejs
- php
- bash
would greatly increase the speed at which new scanners can be integrated into GitLab as analyzers.
Ruby Example
Supposing a ruby gem named gitlab-security-report existed:

```ruby
require 'gitlab-security-report'

# Scanner metadata is passed as a keyword argument (`scanner:`), not as an assignment.
# VERSION stands for the analyzer's own version constant.
report = GitLab::Security::Report.new(
  scanner: GitLab::Security::Scanner.new(name: "Scanner name", vendor: "Vendor name", version: VERSION)
)

# find_vulnerabilities is the analyzer's own scanning routine.
find_vulnerabilities.each do |vuln|
  report.add_vulnerability(name: vuln.name, details: ...)
  report.add_remediation(...)
end

report.save('output-path.json')
```
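To make the proposal concrete, here is an added sketch of what such a gem could look like internally. This is example code written for this issue, not the supposed gitlab-security-report gem and not GitLab's own code; the field names follow the general shape of a security report (scan metadata, vulnerabilities, remediations) but are assumptions, the schema version is a placeholder, and the id scheme is invented for illustration. The point it shows is the one that justifies a library: required fields and cross-references are validated while the report is built, so a malformed report fails inside the analyzer rather than at upload time.

```ruby
require 'json'
require 'digest'

module GitLab
  module Security
    # Scanner metadata; ends up in the report's "scan" block.
    Scanner = Struct.new(:id, :name, :vendor, :version, keyword_init: true) do
      def to_h
        { 'id' => id, 'name' => name, 'vendor' => { 'name' => vendor }, 'version' => version }
      end
    end

    class Report
      SEVERITIES = %w[Critical High Medium Low Info Unknown].freeze
      # Placeholder: a real library pins the report schema version it targets.
      SCHEMA_VERSION = 'SCHEMA_VERSION_PLACEHOLDER'

      attr_reader :vulnerabilities, :remediations

      def initialize(scanner:, scan_type: 'sast')
        @scanner = scanner
        @scan_type = scan_type
        @vulnerabilities = []
        @remediations = []
      end

      # Adds a finding and returns its id. Required fields are validated here so a
      # malformed report fails in the analyzer, not later in the pipeline.
      def add_vulnerability(name:, description:, severity:, file:, start_line:, identifiers: [])
        raise ArgumentError, "unknown severity #{severity.inspect}" unless SEVERITIES.include?(severity)
        raise ArgumentError, 'name must not be empty' if name.to_s.strip.empty?
        raise ArgumentError, 'start_line must be a positive integer' unless start_line.is_a?(Integer) && start_line.positive?

        # Deterministic id so re-running the scan yields the same id (assumed scheme).
        id = Digest::SHA256.hexdigest([@scanner.id, name, file, start_line].join("\0"))
        @vulnerabilities << {
          'id' => id,
          'category' => @scan_type,
          'name' => name,
          'description' => description,
          'severity' => severity,
          'scanner' => { 'id' => @scanner.id, 'name' => @scanner.name },
          'location' => { 'file' => file, 'start_line' => start_line },
          'identifiers' => identifiers
        }
        id
      end

      # Adds a remediation; every id it claims to fix must already be in the report.
      def add_remediation(summary:, diff:, fixes:)
        known = @vulnerabilities.map { |v| v['id'] }
        missing = fixes - known
        raise ArgumentError, "remediation references unknown vulnerability ids: #{missing}" unless missing.empty?

        @remediations << { 'summary' => summary, 'diff' => diff, 'fixes' => fixes.map { |id| { 'id' => id } } }
        self
      end

      def to_h
        {
          'version' => SCHEMA_VERSION,
          'scan' => { 'scanner' => @scanner.to_h, 'type' => @scan_type, 'status' => 'success' },
          'vulnerabilities' => @vulnerabilities,
          'remediations' => @remediations
        }
      end

      def to_json(*_args)
        JSON.pretty_generate(to_h)
      end

      def save(path)
        File.write(path, to_json)
        path
      end
    end
  end
end

# Constructed usage: one finding and one remediation, as an analyzer would emit them.
def build_example_report
  scanner = GitLab::Security::Scanner.new(id: 'example-scanner', name: 'Example Scanner',
                                          vendor: 'Example Vendor', version: '0.1.0')
  report = GitLab::Security::Report.new(scanner: scanner)
  vuln_id = report.add_vulnerability(
    name: 'Hard-coded credential',
    description: 'A password literal is assigned in source.',
    severity: 'High',
    file: 'app/config.rb',
    start_line: 12,
    identifiers: [{ 'type' => 'cwe', 'name' => 'CWE-798', 'value' => '798' }]
  )
  report.add_remediation(summary: 'Read the password from the environment',
                         diff: 'PLACEHOLDER_DIFF', fixes: [vuln_id])
  report
end

puts build_example_report.to_json if $PROGRAM_NAME == __FILE__
```

Running the file prints the generated report; `save` writes the same JSON to the path the CI job declares as its report artifact. The deliberate design choice is that `add_vulnerability` and `add_remediation` reject bad input with an `ArgumentError` instead of emitting a report that the platform would later discard silently.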
Bash Example
The example below could be provided either by a stand-alone utility that can be installed, or by a bash script that is sourced to define the commands used:

```bash
gitlab#security#init_report --name "Scanner Name" --vendor "Vendor name" --version "$VERSION"
gitlab#security#add_vulnerability --name "Vuln Name" ...
```