-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add XML output with common schema #772
Comments
Hi, thanks for your report! Our JSON format indeed lacks documentation. We plan to work on fixing that. I am not convinced by unit-test oriented file formats because I would expect a bit of impedance mismatch to map ggshield output to these formats. I think SARIF would be a better fit, since it's been designed from the beginning for static analysis tools. It's JSON, not XML, but it is a standard format, supported by Azure DevOps and other tools. What do you think? |
Hi,
The main impediment now is that we must assess pipeline logs to find out why a scan with ggshield failed. This is not very user friendly.
I currently attach the output to a backlog work item, but reading the output is also harsch.
Normally our scan and/or test results are collected and published in Azure DevOps like shown in the picture below.
![1](https://github.com/GitGuardian/ggshield/assets/17175831/27156f92-b0f5-42c7-9623-5d418893c037)
From there we can drill into the results for more detailed information.
![2](https://github.com/GitGuardian/ggshield/assets/17175831/6685838d-23bb-471c-979d-14e4878f3142)
We can even add attachments automatically to these reports.
The current ggshield JSON/XML output format is not supported.
The SARIF format is an alternative approach, although we have to add the SARIF SAST Scans Tab<https://marketplace.visualstudio.com/items?itemName=sariftools.scans> extension. A drawback could be that pipeline test/scan information is not centralized but distributed to different tabs/locations.
Met vriendelijke groet / kind regards,
[Logo]<https://www.linkit.nl/>
Dick van Straaten
Contact me on ***@***.***>
From: Aurelien Gateau ***@***.***>
Sent: Monday, 16 October 2023 15:06
To: GitGuardian/ggshield ***@***.***>
Cc: Dick van Straaten ***@***.***>; Author ***@***.***>
Subject: Re: [GitGuardian/ggshield] Add XML output with common schema (Issue #772)
Hi, thanks for your report!
Our JSON format indeed lacks documentation. We plan to work on fixing that.
I am not convinced by unit-test oriented file formats because I would expect a bit of impedance mismatch to map ggshield output to these formats. I think SARIF<https://sarifweb.azurewebsites.net/> would be a better fit, since it's been designed from the beginning for static analysis tools. It's JSON, not XML, but it is a standard format, supported by Azure DevOps and other tools. What do you think?
—
Reply to this email directly, view it on GitHub<#772 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AEDBKF6ZAXZNAWDUTMAG3ODX7UWK5AVCNFSM6AAAAAA56WIVJOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONRUGQ2DMMRXGI>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
…________________________________
DISCLAIMER:
Aan dit bericht kunnen geen rechten worden ontleend. Dit bericht is uitsluitend bestemd voor de geadresseerde. Als u dit bericht per abuis hebt ontvangen, wordt u verzocht het te vernietigen en de afzender te informeren. Wij adviseren u om bij twijfel over de juistheid of de volledigheid van de e-mail contact met de afzender op te nemen.
Nothing in this email shall bind LINKIT in any contract or obligation. This e-mail is for the intended addressee only. If you have received it in error then please delete it and notify the sender by return e-mail. In case of doubt about correctness or completeness of this e-mail please contact the sender.
|
There are no pictures in your message. I think GitHub discarded them. |
Another try..
Met vriendelijke groet / kind regards,
[Logo]<https://www.linkit.nl/>
Dick van Straaten
Contact me on ***@***.***>
From: Aurelien Gateau ***@***.***>
Sent: Thursday, 19 October 2023 10:22
To: GitGuardian/ggshield ***@***.***>
Cc: Dick van Straaten ***@***.***>; Author ***@***.***>
Subject: Re: [GitGuardian/ggshield] Add XML output with common schema (Issue #772)
Normally our scan and/or test results are collected and published in Azure DevOps like shown in the picture below.
There are no pictures in your message. I think GitHub discarded them.
—
Reply to this email directly, view it on GitHub<#772 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AEDBKF6QNHX7DL7XF3XTKELYADPKLAVCNFSM6AAAAAA56WIVJOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZQGMYDKNZRHA>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
…________________________________
DISCLAIMER:
Aan dit bericht kunnen geen rechten worden ontleend. Dit bericht is uitsluitend bestemd voor de geadresseerde. Als u dit bericht per abuis hebt ontvangen, wordt u verzocht het te vernietigen en de afzender te informeren. Wij adviseren u om bij twijfel over de juistheid of de volledigheid van de e-mail contact met de afzender op te nemen.
Nothing in this email shall bind LINKIT in any contract or obligation. This e-mail is for the intended addressee only. If you have received it in error then please delete it and notify the sender by return e-mail. In case of doubt about correctness or completeness of this e-mail please contact the sender.
|
Still no picture 😞. I think you need to use the web interface to attach them. |
Thanks for the pictures, I can see them now. I still believe there is more value in adding SARIF support than in shoehorning ggshield outputs in a unit-test output format. It is not clear to me how to turn a found secret or an IaC rule violation into a failed test. Since Microsoft is one of of the creators of SARIF I think it's safe to assume the Azure extension is going to be correctly supported. |
Is your feature request related to a problem? Please describe.
I tested ggshield in an Azure DevOps pipeline. The pipeline fails when secrets are detected. I need to assess the output to find out where the issues occur, which is not user friendly.
Currently, when secrets are detected, I automatically create a BUG on the backlog with the JSON output as attachment. But also the JSON file is hard to read/assess.
Describe the solution you'd like
Currently the output off ggshield is TXT or JSON. If I could choose a XML output which uses a standard test schema (JUnit/NUnit/XUnit/CTest/VSTest) I could publish the results to the "Test and coverage" section in the pipeline result summary, which would make the output more accesible a/o user friendly.
Describe alternatives you've considered
The alternative is to scan the code with SonarQube. SonarQube provides a Azure DevOps task to publish the report to the pipeline result summary.
Additional context
na
The text was updated successfully, but these errors were encountered: