Skip to content

jduimovich/crda-sarif-poc

Repository files navigation

Code Ready Dependency Analytics CLI with conversion to Sarif Action

CI

This Action uses the CRDA CLI to scan a file for dependency vulnerabilities and upload to the Github Security Scanning Facility.

The CRDA CLI produces a json format which contains a detailed list of any dependencies with vulnerabilties. In order to use this with the GitHub security scan support, a converter creates a Sarif file for uploaded using github/codeql-action/upload-sarif@v1. To learn more see https://docs.github.com/en/code-security/secure-coding/sarif-support-for-code-scanning.

Issues Found

The status of this action is PoC.

Sample usage is below. In order to get a full scan, a SNYK_TOKEN is required to use this action.

The output file defaults to output.sarif but can be changed by the user.

name: CI
on: [push]  
jobs:
  test:
    runs-on: ubuntu-latest
    name: Run CRDA and Convert to Sarif
    steps: 
      - name: Checkout
        uses: actions/checkout@v2 
      - name: Run CRDA and Convert to Sarif
        uses: jduimovich/crda-sarif-poc@main 
        with:
          input-file-name: package.json
          snyk-token: ${{ secrets.SNYK_TOKEN }}
          output-file-name: output.sarif
      - name: CRDA Sarif View
        run: |  
          cat output.sarif  | jq 
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: output.sarif 

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published