A library to produce a SARIF log file from a NowSecure Platform assessment.
The output includes the `security-severity` property in the rules so that GitHub Code Scanning displays a severity for each alert.
- An active NowSecure Platform account is required to generate the input data. If you are not an existing NowSecure Platform customer, please contact us.
- ripgrep is required for line-number identification.
```typescript
async function convertToSarif(
  assessment: Assessment,
  filter: Filter = DEFAULT_FILTER,
  codePath = "./",
  keyParams: KeyParams = DEFAULT_KEY_PARAMS,
  labUrl: string = DEFAULT_LAB_UI_URL,
  errorLog?: (text: string) => void
): Promise<Log> {
```
- `assessment`: The assessment data from Platform, retrieved via a call to `pollForReport` or `fetchAssessment` in the `@nowsecure/platform-lib` library.
- `filter`: Controls which findings are included in the report. The default value includes all findings of `medium` or higher severity.
- `codePath`: Location of the codebase for code scanning to obtain line number information. Can be falsy to disable scanning.
- `keyParams`: Controls the derivation of the Rule ID. The default is to include the package name and platform in the derivation function.
- `labUrl`: URL of the Platform UI server, used to construct links from the SARIF report to the findings on Platform.
- `errorLog`: Callback to log errors in the process.
```typescript
import * as fs from "fs";
// Import paths assumed from the references above; NowSecureClient and
// pollForReport come from @nowsecure/platform-lib, convertToSarif from this library.
import { NowSecureClient, pollForReport } from "@nowsecure/platform-lib";
import { convertToSarif } from "@nowsecure/sarif";

async function createSarifLogFile(
  nsClient: NowSecureClient,
  reportId: string,
  outPath: string
) {
  // Pull the report from Platform, waiting until the assessment has completed.
  const assessment = await pollForReport(nsClient, reportId);
  // Convert to SARIF and save, e.g. for upload to GitHub Code Scanning.
  const sarifLog = await convertToSarif(assessment);
  await fs.promises.writeFile(outPath, JSON.stringify(sarifLog));
}
```
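Because GitHub derives the displayed severity from each rule's `security-severity` property rather than from the SARIF `level`, it is worth checking that property before uploading. The following is an added example, not part of this library: it walks the rules of a SARIF log, flags values GitHub would not accept (the property is documented as a string holding a decimal number from 0.0 to 10.0), and counts rules per GitHub severity bucket. The `SarifLog` type and the sample log are constructed for the example.

```typescript
// Minimal SARIF shape needed for the check (constructed for this example).
type SarifRule = { id: string; properties?: Record<string, unknown> };
type SarifLog = { runs: { tool: { driver: { rules?: SarifRule[] } } }[] };
type Bucket = "critical" | "high" | "medium" | "low";

// GitHub's mapping of the numeric score to the severity shown in Code Scanning:
// 9.0 and above critical, 7.0-8.9 high, 4.0-6.9 medium, 3.9 and below low.
function githubBucket(score: number): Bucket {
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "medium";
  return "low";
}

function checkSecuritySeverity(
  log: SarifLog
): { counts: Record<Bucket, number>; problems: string[] } {
  const counts: Record<Bucket, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  const problems: string[] = [];
  for (const run of log.runs) {
    for (const rule of run.tool.driver.rules ?? []) {
      const raw = rule.properties?.["security-severity"];
      // GitHub documents the property as a string containing a decimal number;
      // a missing property, a non-string, or an out-of-range value is reported.
      const score = typeof raw === "string" ? Number(raw) : NaN;
      if (!Number.isFinite(score) || score < 0 || score > 10) {
        problems.push(`${rule.id}: invalid security-severity ${JSON.stringify(raw)}`);
        continue;
      }
      counts[githubBucket(score)]++;
    }
  }
  return { counts, problems };
}

// Constructed sample log, not real NowSecure Platform output.
const sampleLog: SarifLog = {
  runs: [{ tool: { driver: { rules: [
    { id: "rule-a", properties: { "security-severity": "9.5" } },
    { id: "rule-b", properties: { "security-severity": "5.0" } },
    { id: "rule-c", properties: { "security-severity": 7 } },  // number, not a string
    { id: "rule-d" },                                          // property missing
  ] } } }],
};

const result = checkSecuritySeverity(sampleLog);
console.log(result.counts, result.problems);
```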
This project is released under the MIT License.
NowSecure Platform has separate Terms and Conditions and requires a valid license to function.