This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

supports sarif flag to output the desired format
dani-santos-code committed Jul 8, 2022
1 parent 4ab8f74 commit 5f2d8eb
Showing 2 changed files with 13 additions and 0 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -175,6 +175,8 @@ The minimum severity level can be set using the `--minSeverity/-m` flag.

By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the `--format json` flag. To output results as logs (the previous default) use `--format logrus`. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the `--no-color` flag.

You can generate a kubeaudit report in [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html) and write it to a file by using the `-s/--sarif` flag.

If there are results of severity level `error`, kubeaudit will exit with exit code 2. This can be changed using the `--exitcode/-e` flag.

For all the ways kubeaudit can be customized, see [Global Flags](#global-flags).
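Review bot: the new sentence in this hunk ("write it to a file by using the `-s/--sarif` flag") does not say that the flag takes the output path as its argument, nor that the SARIF report is produced in addition to, not instead of, the `--format` output; both follow from root.go in this same commit, where `--sarif` is declared as a string path and the SARIF block runs before the `--format` switch. Suggest showing an invocation such as `kubeaudit all -s report.sarif` and wording along the lines of "write a SARIF report to the given path, alongside the normal output". Also confirm that the linked spec version (the link points at SARIF v2.0) matches the version `internal/sarif` actually emits.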
Expand Down Expand Up @@ -221,6 +223,7 @@ Auditors can also be run individually.
| -m | --minseverity | Set the lowest severity level to report (one of "error", "warning", "info") (default is "info") |
| -e | --exitcode | Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) |
| | --no-color | Don't use colors in the output (default is false) |
| -s | --sarif | The file location to save the SARIF output |

## Configuration File

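Review bot: the table description "The file location to save the SARIF output" does not match the flag's own help text in root.go ("The path to output sarif report to"); pick one wording and use it in both places so `--help` and the README agree. In line with the other rows, the entry should also state the default behaviour, i.e. that no SARIF file is written when the flag is omitted.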
10 changes: 10 additions & 0 deletions cmd/commands/root.go
Expand Up @@ -12,12 +12,14 @@ import (
"github.com/Shopify/kubeaudit/auditors/all"
"github.com/Shopify/kubeaudit/config"
"github.com/Shopify/kubeaudit/internal/k8sinternal"
"github.com/Shopify/kubeaudit/internal/sarif"
)

var rootConfig rootFlags

type rootFlags struct {
format string
sarifOut string
kubeConfig string
context string
manifest string
Expand Down Expand Up @@ -53,6 +55,7 @@ func init() {
RootCmd.PersistentFlags().StringVarP(&rootConfig.context, "context", "c", "", "The name of the kubeconfig context to use")
RootCmd.PersistentFlags().StringVarP(&rootConfig.minSeverity, "minseverity", "m", "info", "Set the lowest severity level to report (one of \"error\", \"warning\", \"info\")")
RootCmd.PersistentFlags().StringVarP(&rootConfig.format, "format", "p", "pretty", "The output format to use (one of \"pretty\", \"logrus\", \"json\")")
RootCmd.PersistentFlags().StringVarP(&rootConfig.sarifOut, "sarif", "s", "", "The path to output sarif report to")
RootCmd.PersistentFlags().StringVarP(&rootConfig.namespace, "namespace", "n", apiv1.NamespaceAll, "Only audit resources in the specified namespace. Not currently supported in manifest mode.")
RootCmd.PersistentFlags().BoolVarP(&rootConfig.includeGenerated, "includegenerated", "g", false, "Include generated resources in scan (eg. pods generated by deployments).")
RootCmd.PersistentFlags().BoolVar(&rootConfig.noColor, "no-color", false, "Don't produce colored output.")
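Review bot: the help string for the new `--sarif` flag, "The path to output sarif report to", should spell the format as SARIF (as the README in this commit does) and should say that the report is written in addition to the `--format` output, since the empty-string default means "no report" and nothing else in `--help` tells the user how the two options interact. Suggest e.g. "Write a SARIF report to this path, in addition to the normal output", and reuse the same wording in the README Global Flags table.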
Expand All @@ -77,6 +80,13 @@ func runAudit(auditable ...kubeaudit.Auditable) func(cmd *cobra.Command, args []
kubeaudit.WithColor(!rootConfig.noColor),
}

if rootConfig.sarifOut != "" {
sarifReport, sarifRun := sarif.CreateSarifReport()
sarif.AddSarifRules(report, sarifRun)
sarif.AddSarifResult(report, sarifRun)
sarifReport.WriteFile(rootConfig.sarifOut)
}

switch rootConfig.format {
case "json":
printOptions = append(printOptions, kubeaudit.WithFormatter(&log.JSONFormatter{}))
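Review bot: the return value of `sarifReport.WriteFile(rootConfig.sarifOut)` is discarded. If that call can fail (unwritable directory, permission denied, disk full), the user asked for a SARIF file, gets none, sees no message, and the exit code still reflects only the audit findings, which is the worst outcome for a CI pipeline that consumes the report. Suggest checking the error and surfacing it, e.g. by logging it and exiting non-zero or returning it from the closure, depending on the signature `runAudit` returns. A smaller point: the block writes the report before the `--format` switch and regardless of which format is selected, which is fine, but the `if rootConfig.sarifOut != ""` guard deserves a short comment saying so, since readers may otherwise expect `--format sarif`.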