Create SARIF to GitLab SAST report tool
### Proposal

We do not currently provide a means by which a customer can convert a generic [SARIF report format](https://sarifweb.azurewebsites.net/) into the [GitLab SAST report format](https://docs.gitlab.com/ee/development/integrations/secure.html#report). The library we use internally is [part of our `report` golang library](https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/main/sarif.go); you can see [an example of its usage in our `semgrep` analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/252406fb4998feb4ce9b282380944fb5bc0491f6/convert.go#L27). This is primarily used internally, hence not separately documented.

It would be nice to have a self-contained converter, but there isn't one at present. Alternatively, we could explore allowing uploads of SARIF reports directly and handling the conversion within our report parsing functionality.

### Tasks

* [ ] Create a transformer binary
* [ ] Documentation

### Workaround

Conversion can be performed natively by several of our analyzers, which expose the library via subcommands. In the case of semgrep, the `convert` subcommand reads a SARIF file and writes the GitLab SAST report to stdout, so the report can be converted as follows:

```shell
docker run --rm --platform linux/amd64 \
  -e SECURE_LOG_LEVEL=error -e SEARCH_MAX_DEPTH=40 \
  -v "$PWD":/tmp/app -w /tmp/app \
  registry.gitlab.com/security-products/semgrep:4 \
  /analyzer convert testdata/reports/semgrep.sarif > gl-sast-report.json
```

This can be performed with a CI job like so, leveraging a SARIF artifact produced by an earlier job (`sarif_generating_job` below, which must publish `report.sarif` as an artifact so that it is available to this job):

```yaml
convert_sarif_to_gitlab_report:
  stage: test
  needs: ["sarif_generating_job"]
  image:
    name: "registry.gitlab.com/security-products/semgrep:4"
  artifacts:
    reports:
      sast: gl-sast-report.json
  script:
    - /analyzer convert report.sarif > gl-sast-report.json
```

NOTE: this may lead to unexpected behavior, as report conversion is not a 1-1 mapping between fields: SARIF carries fields the GitLab schema has no slot for, and the GitLab schema requires fields (a unique `id`, `identifiers`, the `scan` block) that SARIF does not carry and which the converter has to synthesize.
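As an added example (not part of the original issue and not the GitLab `report` library), the following Python script sketches the kind of self-contained transformer the Tasks list asks for, and makes the "not a 1-1 mapping" caveat concrete. The SARIF input is constructed here to look like a semgrep run; the severity table, the deterministic `id` scheme, the `"15.0.4"` schema version and the `https://example.invalid/rule` help URL are all assumptions of this example rather than anything the `report` library does. Validate the output against the published GitLab SAST JSON schema before relying on it in a pipeline.

```python
"""Minimal SARIF 2.1.0 -> GitLab SAST report converter (illustrative only;
not the GitLab `report` library). Fields with no counterpart on the other
side are dropped or synthesised, which is the 'not a 1-1 mapping' caveat."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input, shaped like a semgrep SARIF run (not a real scan).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "semgrep", "semanticVersion": "1.2.3",
            "rules": [{
                "id": "python.lang.security.audit.subprocess-shell-true",
                "shortDescription": {"text": "subprocess call with shell=True"},
                "defaultConfiguration": {"level": "warning"},
                "helpUri": "https://example.invalid/rule",  # assumed URL
            }],
        }},
        "results": [
            {"ruleId": "python.lang.security.audit.subprocess-shell-true",
             "level": "error", "message": {"text": "shell=True with user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 12, "endLine": 12}}}]},
            # No explicit level: falls back to the rule's defaultConfiguration.
            {"ruleId": "python.lang.security.audit.subprocess-shell-true",
             "message": {"text": "shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 40}}}]},
        ],
    }],
}

# SARIF 'level' has four values; GitLab has Info/Unknown/Low/Medium/High/Critical.
# SARIF therefore cannot express Critical, and a missing level becomes Unknown
# (assumed mapping, chosen for this example).
SEVERITY_BY_LEVEL = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


def _severity(result, rule):
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level")
    return SEVERITY_BY_LEVEL.get(level, "Unknown")


def _location(result):
    # Only the first location survives; SARIF allows several, GitLab stores one.
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    region = loc.get("region", {})
    out = {"file": loc.get("artifactLocation", {}).get("uri", ""),
           "start_line": region.get("startLine", 0)}
    if "endLine" in region:
        out["end_line"] = region["endLine"]
    return out


def _vuln_id(scanner_id, rule_id, location):
    # Deterministic id so repeated pipelines report the same finding (assumed
    # scheme; the GitLab schema only requires ids to be unique within a report).
    key = f"{scanner_id}:{rule_id}:{location['file']}:{location['start_line']}"
    return hashlib.sha256(key.encode()).hexdigest()


def sarif_to_gitlab(sarif, now=None):
    """Return a dict shaped like a GitLab SAST report (schema 15 field names)."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S")
    scanner = {"id": "sarif", "name": "SARIF import", "version": "0.0.0",
               "vendor": {"name": "unknown"}}
    vulns = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        scanner = {"id": driver["name"].lower(), "name": driver["name"],
                   "version": driver.get("semanticVersion", "unknown"),
                   "vendor": {"name": driver.get("organization", "unknown")}}
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown-rule")
            rule = rules.get(rule_id, {})
            location = _location(result)
            identifier = {"type": f"{scanner['id']}_id", "name": rule_id, "value": rule_id}
            if "helpUri" in rule:
                identifier["url"] = rule["helpUri"]
            vulns.append({
                "id": _vuln_id(scanner["id"], rule_id, location),
                "name": rule.get("shortDescription", {}).get("text", rule_id),
                "description": result.get("message", {}).get("text", ""),
                "severity": _severity(result, rule),
                "scanner": {"id": scanner["id"], "name": scanner["name"]},
                "identifiers": [identifier],
                "location": location,
            })
    return {"version": "15.0.4", "vulnerabilities": vulns,
            "scan": {"analyzer": scanner, "scanner": scanner, "type": "sast",
                     "start_time": stamp, "end_time": stamp, "status": "success"}}


if __name__ == "__main__":
    print(json.dumps(sarif_to_gitlab(SAMPLE_SARIF), indent=2))
```

Running the script writes the converted report to stdout, so `python convert.py > gl-sast-report.json` slots into the same `artifacts: reports: sast:` job shown above. The second constructed result shows one of the places where behaviour depends on the converter rather than the format: its severity comes from the rule's `defaultConfiguration`, and a result with neither would land as `Unknown`.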