Create SARIF to GitLab SAST report tool
Proposal
We do not currently provide a means by which a customer can convert a generic SARIF report into the GitLab SAST report format.
The library we use internally is part of our report Go library; you can see an example of its usage in our semgrep analyzer.
This is primarily used internally and hence is not separately documented. It would be nice to have a self-contained converter, but there isn't one at present. Alternatively, we could explore allowing uploads of SARIF reports directly and handling the conversion within our report parsing functionality.
Tasks
- Create a transformer binary
- Documentation
Workaround
Conversion can be performed natively by several of our analyzers, which expose the library through a convert subcommand. In the case of semgrep, a SARIF report can be converted as follows:
docker run --rm --platform linux/amd64 -e SECURE_LOG_LEVEL=error -e SEARCH_MAX_DEPTH=40 -v $PWD:/tmp/app -w /tmp/app registry.gitlab.com/security-products/semgrep:4 /analyzer convert testdata/reports/semgrep.sarif > gl-sast-report.json
This can be performed in a CI job like the one below, consuming the SARIF artifact (here assumed to be report.sarif) published by an earlier job. The image must be pulled from registry.gitlab.com, as in the docker command above, and needs takes a list of job names:
convert_sarif_to_gitlab_report:
  stage: test
  needs:
    - sarif_generating_job
  image:
    name: "registry.gitlab.com/security-products/semgrep:4"
  artifacts:
    reports:
      sast: gl-sast-report.json
  script:
    - /analyzer convert report.sarif > gl-sast-report.json
NOTE: converted reports may behave unexpectedly (missing or surprising severities, identifiers or locations), because the conversion is not a one-to-one mapping between SARIF fields and GitLab SAST report fields.
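To make that caveat concrete, the following is an added example of a minimal SARIF to GitLab SAST conversion. It is not the analyzer library, nor any GitLab code, and it makes three lossy choices that any converter has to make: SARIF's four levels are squashed onto GitLab's six severities by an assumed table, a SARIF result with several locations becomes several GitLab vulnerabilities (the GitLab location field holds one file and line range), and a result whose rule has no metadata falls back to the rule id for its name. The sample SARIF document, scanner name, rule ids and paths are constructed for the example; the severity table and the way the vulnerability id is derived are this example's own assumptions.

```python
"""Illustrative SARIF 2.1.0 -> GitLab SAST report converter (example code,
not the GitLab analyzer library)."""
import hashlib
import json
import sys
from datetime import datetime, timezone

# Assumed mapping: SARIF has four levels, the GitLab schema has
# Critical/High/Medium/Low/Info/Unknown, so two GitLab values are unreachable.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


def convert_sarif(sarif: dict) -> dict:
    """Return a GitLab SAST report (schema 15.x shape) built from a SARIF log."""
    vulnerabilities = []
    scanner_name, scanner_id = "unknown", "unknown"
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        scanner_name = driver.get("name", "unknown")
        scanner_id = scanner_name.lower().replace(" ", "_")
        # Rule metadata is optional in SARIF; index what is present by id.
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            message = result.get("message", {}).get("text", "")
            # SARIF's default level is "warning" when the field is absent.
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Unknown")
            # One GitLab entry per SARIF location; a result without any
            # location still produces one entry with an empty file.
            for loc in result.get("locations", []) or [{}]:
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "")
                region = phys.get("region", {})
                start = region.get("startLine", 0)
                end = region.get("endLine", start)
                # Assumed id derivation: stable across runs for the same finding.
                vuln_id = hashlib.sha256(f"{rule_id}:{path}:{start}".encode()).hexdigest()
                vulnerabilities.append({
                    "id": vuln_id,
                    "category": "sast",
                    "name": rule.get("shortDescription", {}).get("text", rule_id),
                    "message": message,
                    "description": rule.get("fullDescription", {}).get("text", message),
                    "severity": severity,
                    "scanner": {"id": scanner_id, "name": scanner_name},
                    "location": {"file": path, "start_line": start, "end_line": end},
                    "identifiers": [
                        {"type": f"{scanner_id}_id", "name": rule_id, "value": rule_id}
                    ],
                })
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {
        "version": "15.0.0",
        "vulnerabilities": vulnerabilities,
        "scan": {
            "analyzer": {"id": scanner_id, "name": scanner_name, "version": "0.0.0",
                         "vendor": {"name": "example"}},
            "scanner": {"id": scanner_id, "name": scanner_name, "version": "0.0.0",
                        "vendor": {"name": "example"}},
            "type": "sast",
            "start_time": now,
            "end_time": now,
            "status": "success",
        },
    }


# Constructed sample SARIF log: one rule with metadata and two locations,
# one result with neither rule metadata nor a location.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Example Scanner", "rules": [
            {"id": "py.sqli",
             "shortDescription": {"text": "SQL injection"},
             "fullDescription": {"text": "Query built from untrusted input."}},
        ]}},
        "results": [
            {"ruleId": "py.sqli", "level": "error",
             "message": {"text": "User input flows into a SQL query."},
             "locations": [
                 {"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                       "region": {"startLine": 12, "endLine": 14}}},
                 {"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                       "region": {"startLine": 40}}},
             ]},
            {"ruleId": "py.todo", "level": "note",
             "message": {"text": "Result with no location and no rule metadata."}},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python sarif2gl.py report.sarif > gl-sast-report.json
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    print(json.dumps(convert_sarif(json.load(src)), indent=2))
```

Run against SAMPLE_SARIF the single SQL injection result fans out into two GitLab vulnerabilities with distinct ids, and the metadata-less result keeps its rule id as its name with an empty file, which is exactly the kind of artefact the note above warns about.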