Convert Security Scanner Output to JUnit Format
SecScanner2JUnit
GitLab offers security scanning and visualization directly on its platform.
One nice feature is the direct display of findings on merge requests. However, this feature is only available in the Ultimate tier. To get it on the free tier, you can work around the limitation by taking the security tool output, converting it to the JUnit format, and uploading it as a JUnit report, which GitLab renders on merge requests in every tier.
To summarize, this tool is for you if:
- You use GitLab's free tier
- You use GitLab's security templates
- You want to easily access security tool output in merge requests
If you are on GitLab's Ultimate tier, just use their tooling! No need to mess up your .gitlab-ci.yml file. :smile:
Which scanning types are supported?
All scanning types available under the free tier:
- Secret Scanning
- Static Application Security Testing
- Infrastructure as Code Scanning
How to use?
Procedure:
- Override the existing scanning job so that its JSON report is stored as an artifact that later jobs can use.
- Convert the report to JUnit XML.
- Upload the converted report as a JUnit report (artifacts: reports: junit).
Example for Secret Scanning
This example can be used as is.
```yaml
stages:
  - test
  - convert

# include must be a top-level key, not an entry of the stages list
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

# override the template job so its JSON report is kept as an artifact,
# even when the job fails
secret_detection:
  artifacts:
    paths:
      - gl-secret-detection-report.json
    when: always

secret_convert:
  stage: convert
  dependencies:
    - secret_detection
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju secrets gl-secret-detection-report.json gl-secret-detection-report.xml
  artifacts:
    reports:
      junit: gl-secret-detection-report.xml
```
Example for SAST
Since GitLab decides dynamically which scanners to run depending on the languages found in the project, it makes sense to first do a test run that only includes the template. This way you can see which jobs are executed and then override exactly those jobs.
```yaml
stages:
  - test
  - convert

include:
  - template: Security/SAST.gitlab-ci.yml

# every SAST job writes gl-sast-report.json; copy it to a per-scanner
# name so the reports of the two jobs do not overwrite each other
semgrep-sast:
  after_script:
    - cp gl-sast-report.json gl-sast-semgrep-report.json
  artifacts:
    paths:
      - gl-sast-semgrep-report.json
    when: always

brakeman-sast:
  after_script:
    - cp gl-sast-report.json gl-sast-brakeman-report.json
  artifacts:
    paths:
      - gl-sast-brakeman-report.json
    when: always

semgrep-sast-convert:
  stage: convert
  dependencies:
    - semgrep-sast
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju sast gl-sast-semgrep-report.json gl-sast-semgrep-report.xml
  artifacts:
    reports:
      junit: gl-sast-semgrep-report.xml

brakeman-sast-convert:
  stage: convert
  dependencies:
    - brakeman-sast
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju sast gl-sast-brakeman-report.json gl-sast-brakeman-report.xml
  artifacts:
    reports:
      junit: gl-sast-brakeman-report.xml
```
Future Plans
- Implement IaC Scanning
Hashes for secscanner2junit-0.1.1-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | a38af4e14d90e7ceb1b4d7e7029996a53e6bb0ca60f772f999ca085cc5b89209
MD5 | 7150bb14d756a04a10fac10b8f60975f
BLAKE2b-256 | 78b550b09da6bf1780a0b3b3121d2c26ae3929123c2edff293b44bdcd2ced516