We are currently integrating NilAway into our GitLab CI pipelines as part of our DevSecOps framework. While we upload scan results from other tools to a centralized dashboard (DefectDojo), NilAway results are not yet included.
It would be highly beneficial to have a SARIF output, and upload NilAway results to DefectDojo (or any other issue management dashboard) alongside other tools to:
Gain a comprehensive overview of issues: This would provide a unified view of all detected issues.
Manage issues effectively: We could flag issues as false positives (FPs), mitigated, etc., and maintain a history of issue statuses.
The second benefit is particularly important because we currently lack a method to exclude specific lines of code, including false positive nil panic reports. Using an issue management tool would allow us to handle these exclusions more efficiently.
Currently, we output NilAway results in JSON format and upload them to our job artifacts for developers to review post-scan. However, in a continuous development environment, this approach becomes cumbersome due to the repetitive review of duplicate or false positive reports each time the pipeline runs.
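As an added illustration (not code from this issue or from NilAway itself), the conversion step described above: turning the standalone checker's JSON into a SARIF 2.1.0 log that a dashboard such as DefectDojo can ingest. It assumes the JSON has the shape of the x/tools singlechecker `-json` output (package → analyzer → list of diagnostics with `posn` and `message`, or an `{"error": ...}` object for a package that failed to load); the sample data and the `nilawayDiag/v1` fingerprint key are constructed for the example.

```python
import hashlib
import json
import re

# Constructed sample in the assumed shape of the singlechecker "-json" output:
# package -> analyzer -> [diagnostics] or {"error": ...}. File and message are made up.
SAMPLE_JSON = """{
  "example.com/app/svc": {
    "nilaway": [
      {"posn": "svc/handler.go:42:9",
       "message": "Potential nil panic detected. Observed nil flow from source to dereference point"}
    ]
  },
  "example.com/app/broken": {"nilaway": {"error": "could not load package"}}
}"""

POSN = re.compile(r"^(?P<file>.+):(?P<line>\d+):(?P<col>\d+)$")

def fingerprint(pkg: str, file: str, message: str) -> str:
    # Hash package, file and message but not the line number, so a report keeps its
    # identity when unrelated edits shift lines and FP/mitigated status can survive re-runs.
    return hashlib.sha256(f"{pkg}\0{file}\0{message}".encode()).hexdigest()

def to_sarif(json_text: str, tool_name: str = "nilaway") -> dict:
    """Convert singlechecker-style JSON diagnostics into a SARIF 2.1.0 log with one run."""
    results, notifications, rule_ids = [], [], set()
    for pkg, analyzers in json.loads(json_text).items():
        for analyzer, diags in analyzers.items():
            if isinstance(diags, dict):  # package-level failure, reported as a notification
                notifications.append({"level": "error",
                                      "message": {"text": f"{pkg}: {diags.get('error')}"}})
                continue
            rule_ids.add(analyzer)
            for d in diags:
                result = {"ruleId": analyzer, "level": "warning", "message": {"text": d["message"]}}
                m = POSN.match(d["posn"])
                if m:  # a posn that is not file:line:col yields a location-less result
                    result["locations"] = [{"physicalLocation": {
                        "artifactLocation": {"uri": m["file"], "uriBaseId": "%SRCROOT%"},
                        "region": {"startLine": int(m["line"]), "startColumn": int(m["col"])}}}]
                    result["partialFingerprints"] = {
                        "nilawayDiag/v1": fingerprint(pkg, m["file"], d["message"])}
                results.append(result)
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name,
                                          "rules": [{"id": r} for r in sorted(rule_ids)]}},
                      "invocations": [{"executionSuccessful": not notifications,
                                       "toolExecutionNotifications": notifications}],
                      "results": results}]}
```

Pipe the checker's `-json` output through `to_sarif` and write the result with `json.dumps`; the log carries a stable fingerprint per finding so the dashboard can de-duplicate across pipeline runs.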
We've wanted to improve the standalone checker for some time, but golang/go#61324 blocks us from applying more custom logic in a clean way.
We can try to hack the standard analyzer driver further, but at this point I would actually recommend using other more production-ready drivers like golangci-lint (instructions), which seems to have support for SARIF format output out of the box.
Keeping this issue open to track our progress on enhancing (in a hacky way) the standalone checker (PRs welcome!).
Thanks @yuxincs for your reply.
It would be incredibly handy to have this feature. In the meantime, I'll explore the usage of the driver to see if it could serve as a CI/CD-friendly workaround for us at the moment.