Direct Upload Support for SARIF Reports
Overview
Enable direct upload of SARIF 2.1.0 reports as a first-class artifact format in GitLab, moving toward standardized security report handling alongside CycloneDX SBOMs.
Spike Outcomes
The spike (!225747 (closed)) validated that SARIF uploads are feasible. Key findings:
- SARIF 2.1.0 schema is compatible with our security scanning workflow
- Parser and validator foundation established (!227875 (closed))
- PoC demonstrates successful integration with existing vulnerability correlation
Core Questions
- Details field mapping: How to handle SARIF's generic `details` field vs. our structured data
- Identifier stability: Ensure SARIF identifiers remain stable and ordered for deduplication
- Suppression handling: Reconcile SARIF's suppression model with our `vulnerability_flags` approach
- Severity alignment: Map SARIF severity levels to our vulnerability severity scale
Next Steps
Completed
- %18.11 database backend Register `sarif` as a new artifact and report type, add `plan_limits` migration, CI YAML entry, JSON schema validator, SARIF 2.1.0 parser:
  - !227968 (merged) - artifact type registration + `plan_limits` migration
  - !227970 (merged) - schema validator, location class, parser, parser registry, ingestion wiring, vulnerability dashboard and pipeline security tab
- %18.11 feature flag documentation Register SARIF parser behind `sarif_ingestion` fe... (!230156 - merged)
- %19.0 frontend backend MR security diff widget
  - SARIF findings do not appear in the MR widget. Requires five changes: add `sarif` to `ALLOWED_REPORT_TYPES`, add `sarif` to `EE_REPORT_FILE_TYPES`, add `MergeRequest#has_sarif_reports?` + `#compare_sarif_reports`, a new route, and a controller action.
- frontend backend Ingestion health visibility !230137 (merged)
  - SARIF findings without a stable physical location are silently dropped. When a significant proportion is filtered out, the scan should surface a warning in the scanner status / Profiles UX view rather than silently succeeding. Extend the existing `Security::Scan` status model rather than adding a new UX surface (SRM Profiles UX).
- %19.0 backend Fix SARIF ingestion to surface skipped findings... (!230137 - merged)
- %19.1 backend Add multi-scan support for mixed-type security ... (!230154 - merged)
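As an added example (not GitLab's parser and not code from any of the MRs listed here), the following Ruby sketch shows one way the four core questions above and the skipped-finding warning from the ingestion health item could be handled together on a single constructed SARIF 2.1.0 document. The severity table, the 25% warning ratio, the identifier order, the `false_positive` flag type and the `sarif_properties` passthrough for the details field are all assumptions made for the example; the SARIF rules it relies on (result `level` falling back to the rule's `defaultConfiguration`, an absent suppression `status` meaning accepted) are from the SARIF specification.

```ruby
require 'json'
require 'digest'

module SarifIngest
  # Assumed mapping of SARIF result levels onto the GitLab severity scale.
  SEVERITY_BY_LEVEL = { 'error' => 'High', 'warning' => 'Medium', 'note' => 'Low', 'none' => 'Info' }.freeze
  # Assumed threshold: warn when at least this fraction of results was skipped.
  SKIP_WARNING_RATIO = 0.25

  Outcome = Struct.new(:findings, :skipped, :warnings, keyword_init: true)

  def self.ingest(json_text)
    doc = JSON.parse(json_text)
    raise ArgumentError, "unsupported SARIF version #{doc['version'].inspect}" unless doc['version'] == '2.1.0'
    findings = []
    skipped = []
    doc.fetch('runs', []).each do |run|
      rules = Array(run.dig('tool', 'driver', 'rules')).to_h { |r| [r['id'], r] }
      run.fetch('results', []).each do |result|
        loc = physical_location(result)
        if loc # no stable physical location: record the skip instead of dropping silently
          findings << build_finding(result, rules[result['ruleId']], loc)
        else
          skipped << result['ruleId']
        end
      end
    end
    warnings = []
    total = findings.size + skipped.size
    if total.positive? && skipped.size.fdiv(total) >= SKIP_WARNING_RATIO
      warnings << "#{skipped.size} of #{total} SARIF results had no physical location and were skipped"
    end
    Outcome.new(findings: findings, skipped: skipped, warnings: warnings)
  end

  # First location carrying an artifact URI and a start line; nil otherwise.
  def self.physical_location(result)
    Array(result['locations']).each do |location|
      phys = location['physicalLocation']
      next unless phys
      uri = phys.dig('artifactLocation', 'uri')
      line = phys.dig('region', 'startLine')
      next unless uri && line
      return { file: uri, start_line: line, end_line: phys.dig('region', 'endLine') || line }
    end
    nil
  end

  def self.build_finding(result, rule, loc)
    # Severity alignment: result.level, then the rule's defaultConfiguration, then SARIF's default "warning".
    level = result['level'] || rule&.dig('defaultConfiguration', 'level') || 'warning'
    rule_id = result['ruleId']
    {
      name: rule&.dig('shortDescription', 'text') || rule_id,
      description: result.dig('message', 'text'),
      severity: SEVERITY_BY_LEVEL.fetch(level, 'Unknown'),
      location: loc,
      identifiers: identifiers_for(rule_id, loc),
      flags: flags_for(result),
      # Free-form SARIF property bags are kept verbatim rather than forced into structured fields (assumption).
      details: { 'sarif_properties' => result['properties'] || {} }
    }
  end

  # Identifier stability: rule id first (treated as primary here), then a fingerprint
  # over the fields that define "the same finding" across pipelines; both are deterministic.
  def self.identifiers_for(rule_id, loc)
    fingerprint = Digest::SHA256.hexdigest([rule_id, loc[:file], loc[:start_line]].join(':'))
    [
      { type: 'sarif_rule_id', name: rule_id, value: rule_id },
      { type: 'sarif_fingerprint', name: "#{rule_id}@#{loc[:file]}:#{loc[:start_line]}", value: fingerprint }
    ]
  end

  # Suppression handling: per SARIF an absent status means "accepted"; "rejected" and
  # "underReview" suppressions leave the result live. The flag type is an assumption.
  def self.flags_for(result)
    Array(result['suppressions']).filter_map do |s|
      next unless (s['status'] || 'accepted') == 'accepted'
      { flag_type: 'false_positive', origin: "sarif:#{s['kind']}", description: s['justification'] }
    end
  end
end

# Constructed SARIF 2.1.0 document for the example (not real scanner output).
SAMPLE_SARIF = <<~JSON
  {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
      {"id": "EX001", "shortDescription": {"text": "Hard-coded credential"}, "defaultConfiguration": {"level": "error"}}]}},
    "results": [
      {"ruleId": "EX001", "level": "error", "message": {"text": "Password literal"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.rb"}, "region": {"startLine": 12}}}]},
      {"ruleId": "EX001", "message": {"text": "Token literal"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/client.rb"}, "region": {"startLine": 40}}}],
       "suppressions": [{"kind": "inSource", "status": "accepted", "justification": "test fixture"}]},
      {"ruleId": "EX001", "level": "warning", "message": {"text": "Logical location only"},
       "locations": [{"logicalLocations": [{"name": "Client#token"}]}]}]}]}
JSON
```

`SarifIngest.ingest(SAMPLE_SARIF)` yields two findings (both `High`: the second result has no `level` and inherits the rule's `error`), one skipped result (logical location only), and one warning because a third of the results was dropped. The second finding carries a `false_positive` flag from its accepted in-source suppression; flipping that suppression's status to `rejected` leaves the finding unflagged.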
In progress
- backend Infer vulnerability report type from SARIF iden... (#599758 - closed)
- documentation Document SARIF direct upload support: ingestion... (#599284 - closed)
Non-blocking follow-up
- backend Vulnerability correlation/deduplication alignment
- cross-report-type deduplication with existing SAST/secret-detection findings. See Prefer vulnerability correlation over deduplica... (#592410)
Edited by Lucas Charles