[WIP] Add sarif report option to zap-baseline #8005
Conversation
I'm not sure this is the right way to go about this. We intend to replace the packaged scans with Automation Framework functionality. To address the DCO requirement you'll need to sign off the commit(s):
Would the move be into the new af action? Wondering if there was a known timeline / if we should be rolling our own dictions in the meantime to just leverage zap.sh running with AF configuration.
Ref #7659
@thc202 If the plan has been to move to AF then where is the path forward? I don't see any movement on the af-action repo and just want some improvement for the zap-baseline scans that some of us are using. If there is a desire to move away from the packaged scans can there be some official language added to the support docs to say that this is going to be deprecated and the maintainers have no interest in making updates to fix issues?
We have been a bit busy recently 😁
@psiinon Are there any open issues that members of the community can assist with? I'd personally like to see this project continue to improve and would love to accelerate any of the dev that's keeping you guys bogged down.
What's the plan? Why can't we merge this? It's not a big change and it adds the capability to generate SARIF.
Because it's probably not the direction we want to go in.
I'm really having issues understanding the documentation. On one side SARIF is already there and we should be able to export in that format, while on the other end it doesn't work. Right now I'm using the zap docker container and want to generate the SARIF json report via the zap API, is there a way?
Yes, there is, but https://groups.google.com/g/zaproxy-users is a more appropriate place for usage questions.
In what way? As for report generation via the API check:
You will find the AF much easier to use than the API. For more help ask on the ZAP User Group.
Closing because we do not want to keep adding more and more options to the packaged scans.
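The question above asks how to get a SARIF report out of a running ZAP container through the API rather than through zap-baseline. The following is an added example, not code from the zaproxy project or from anyone in this thread. It builds the request for the reports add-on's generate action with the sarif-json template, and then parses the resulting SARIF document so a CI job can fail on findings at or above a chosen level. The ZAP address, API key, report directory and file name are assumptions, and the SARIF document in the block is a constructed sample standing in for a real report; the API response shape is assumed from the JSON API's usual single-element answer.

```python
"""Request a SARIF report from the ZAP API and gate a CI job on its results.

Added example (not zaproxy project code). Constructed assumptions: ZAP listens
on ZAP_BASE, its API key is API_KEY, and the report goes to REPORT_DIR/REPORT_NAME.
Endpoint and parameter names are those of the ZAP reports add-on's generate action.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://localhost:8080"  # assumed: where the container exposes the API
API_KEY = "changeme"                # assumed: value passed as -config api.key
REPORT_DIR = "/zap/wrk"             # assumed: directory mounted into the container
REPORT_NAME = "zap-baseline"        # the template adds its own extension (the PR notes .json being appended)


def build_generate_url(base=ZAP_BASE, api_key=API_KEY, report_dir=REPORT_DIR,
                       report_name=REPORT_NAME, title="ZAP baseline scan"):
    """Return the reports/action/generate URL selecting the sarif-json template."""
    params = {
        "apikey": api_key,
        "title": title,
        "template": "sarif-json",
        "reportFileName": report_name,
        "reportDir": report_dir,
    }
    return f"{base}/JSON/reports/action/generate/?" + urllib.parse.urlencode(params)


def generate_report(url=None, timeout=60):
    """Call the API (requires a running ZAP) and return the path of the written report.

    Assumed response shape: {"generate": "<path>"} (the JSON API's single-element reply).
    """
    with urllib.request.urlopen(url or build_generate_url(), timeout=timeout) as resp:
        body = json.load(resp)
    return body["generate"]


# SARIF levels ordered by severity; SARIF's default level when absent is "warning".
SARIF_LEVEL_ORDER = {"error": 3, "warning": 2, "note": 1, "none": 0}


def summarize_sarif(doc):
    """Count results per SARIF level across all runs; return (Counter, sorted rule ids)."""
    counts = Counter()
    rules = set()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
            rules.add(result.get("ruleId", "unknown"))
    return counts, sorted(rules)


def gate(doc, fail_at="error"):
    """True when the report has no result at or above the fail_at level."""
    counts, _ = summarize_sarif(doc)
    threshold = SARIF_LEVEL_ORDER[fail_at]
    return all(SARIF_LEVEL_ORDER.get(level, 2) < threshold or n == 0
               for level, n in counts.items())


# Constructed sample standing in for a real ZAP SARIF report (rule ids are ZAP's
# passive-scan plugin ids for the two header checks named in the messages).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ZAP", "rules": [{"id": "10038"}, {"id": "10021"}]}},
        "results": [
            {"ruleId": "10038", "level": "warning",
             "message": {"text": "Content Security Policy (CSP) Header Not Set"}},
            {"ruleId": "10021", "level": "warning",
             "message": {"text": "X-Content-Type-Options Header Missing"}},
            {"ruleId": "10021", "level": "warning",
             "message": {"text": "X-Content-Type-Options Header Missing"}},
        ],
    }],
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # json.load(open(generate_report())) against a live ZAP instance.
    counts, rules = summarize_sarif(SAMPLE_SARIF)
    print("request:", build_generate_url())
    print("results by level:", dict(counts), "rules:", rules)
    print("passes at error threshold:", gate(SAMPLE_SARIF, "error"))
    print("passes at warning threshold:", gate(SAMPLE_SARIF, "warning"))
```

The file name is passed without an extension on purpose: the template decides the extension, which is the behaviour the PR description flags as producing a .json suffix on the report name. The gate treats a missing level as "warning", matching the SARIF default, so a report that omits levels still counts toward a warning threshold.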
Part of the required work to officially support Code Scanning integration with action-baseline.
Original Issue: zaproxy/action-baseline#63
Will require a change to the action-baseline as well to touch the right files (see PR here for that change).
NOTE: hacked together to just get it to work, so there are issues with .json being added to the report name, etc. This PR is just to demonstrate where the changes should be made to add sarif support.