Explore using sarif as output format #10
Comments
jo looks like a good tool to read a sarif template with and mutate based on findings.
..or, just use upstream: hadolint/hadolint#704 <3 open source!
Seeing how this issue is still to be completed I wanted to outline a bit how I see this playing out. PRs are probably not the best place to pick this up since they are not really reflecting the "state" of the repo (which the security view does), so I will expand on the documentation to show how you can scan a repo daily and pick up secrets.
So, the plan here is to create a USAGE.md example on how to collect sarif outputs and push it to github and hopefully get a few more testers than me (it seems that I'm at least not the only user). If that works out well – meaning, it improves the overall experience of alerts from hadolint – we could change the default output in
Sarif is a json format that provides a finer grained way of showing errors, warnings and so on. The issues found are also shown on the security page which might interest a fair amount of people.
Based on a JSON template there might be a not-so-painful way of having jq emit a sarif-friendly document that github can consume.
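The conversion the thread is discussing (a template-driven translation of hadolint findings into a document GitHub's code scanning upload accepts) can be done in a few dozen lines without jq or jo. The script below is an added example written for this page; it is not code from hadolint or from this repository. It assumes the input findings use the field names `file`, `line`, `column`, `code`, `level` and `message` (the layout of hadolint's `-f json` output as the author of this example understands it), and the sample findings embedded in it are constructed. The one detail worth getting right for GitHub is the severity mapping: SARIF only knows `none`/`note`/`warning`/`error`, so hadolint's `info` and `style` levels have to be collapsed to `note` or the upload is rejected.

```python
"""Convert hadolint-style JSON findings into a SARIF 2.1.0 document.

Added example; not part of the hadolint project or this repository.
Input field names (file, line, column, code, level, message) are assumed
to match hadolint's `-f json` output. Sample findings are constructed.
"""
import json

# Constructed sample findings in the assumed hadolint JSON layout.
SAMPLE_FINDINGS = [
    {"file": "Dockerfile", "line": 1, "column": 1, "code": "DL3006",
     "level": "warning", "message": "Always tag the version of an image explicitly"},
    {"file": "Dockerfile", "line": 4, "column": 1, "code": "DL3008",
     "level": "warning", "message": "Pin versions in apt get install"},
    {"file": "Dockerfile", "line": 7, "column": 1, "code": "DL3025",
     "level": "info", "message": "Use arguments JSON notation for CMD and ENTRYPOINT arguments"},
    {"file": "Dockerfile", "line": 2, "column": 1, "code": "SC2086",
     "level": "style", "message": "Double quote to prevent globbing and word splitting"},
    # Same rule fired twice: it must appear once in the rules table, twice in results.
    {"file": "Dockerfile", "line": 9, "column": 1, "code": "DL3008",
     "level": "warning", "message": "Pin versions in apt get install"},
]

# SARIF levels are none/note/warning/error; hadolint's info/style become note.
LEVEL_MAP = {"error": "error", "warning": "warning", "info": "note", "style": "note"}


def to_sarif_level(level):
    # Unknown levels are surfaced as warnings rather than silently dropped.
    return LEVEL_MAP.get(level, "warning")


def findings_to_sarif(findings, tool_name="hadolint"):
    """Build a minimal SARIF 2.1.0 run: one rule entry per distinct code, one result per finding."""
    rules = {}
    results = []
    for f in findings:
        rule_id = f["code"]
        # First message seen for a code doubles as the rule's short description.
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": rule_id,
            "level": to_sarif_level(f["level"]),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # uri must be relative to the repository root for GitHub to annotate the file.
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"], "startColumn": f["column"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def result_levels(sarif):
    """Helper for checking the severity mapping of a generated document."""
    return [r["level"] for r in sarif["runs"][0]["results"]]


if __name__ == "__main__":
    # Pipe this into a file and upload it with the code-scanning SARIF upload step.
    print(json.dumps(findings_to_sarif(SAMPLE_FINDINGS), indent=2))
```

In a daily scan job the only change is to replace `SAMPLE_FINDINGS` with `json.load(sys.stdin)` fed from `hadolint -f json Dockerfile`, and to keep paths repository-relative so the alerts land on the right file in the security view.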