From 5f2d8eb093332a1958fbb2ec34b68efe01709802 Mon Sep 17 00:00:00 2001
From: Daniele Santos
Date: Fri, 8 Jul 2022 15:35:06 -0400
Subject: [PATCH] supports sarif flag to output the desired format

---
 README.md | 3 +++
 cmd/commands/root.go | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index f5ee9fd4..9c688cfa 100644
--- a/README.md
+++ b/README.md
@@ -175,6 +175,8 @@ The minimum severity level can be set using the `--minSeverity/-m` flag.
 By default kubeaudit will output results in a human-readable way. If the output is intended to be further processed, it can be set to output JSON using the `--format json` flag. To output results as logs (the previous default) use `--format logrus`. Some output formats include colors to make results easier to read in a terminal. To disable colors (for example, if you are sending output to a text file), you can use the `--no-color` flag.
 
+You can generate a kubeaudit report in [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html) and write it to a file by using the `-s/--sarif` flag.
+
 If there are results of severity level `error`, kubeaudit will exit with exit code 2. This can be changed using the `--exitcode/-e` flag.
 
 For all the ways kubeaudit can be customized, see [Global Flags](#global-flags).
@@ -221,6 +223,7 @@ Auditors can also be run individually.
 | -m | --minseverity | Set the lowest severity level to report (one of "error", "warning", "info") (default is "info") |
 | -e | --exitcode | Exit code to use if there are results with severity of "error". Conventionally, 0 is used for success and all non-zero codes for an error. (default is 2) |
 | | --no-color | Don't use colors in the output (default is false) |
+| -s | --sarif | The file location to save the SARIF output |
 
 ## Configuration File
diff --git a/cmd/commands/root.go b/cmd/commands/root.go
index 91fbc120..29140c84 100644
--- a/cmd/commands/root.go
+++ b/cmd/commands/root.go
@@ -12,12 +12,14 @@ import (
 	"github.com/Shopify/kubeaudit/auditors/all"
 	"github.com/Shopify/kubeaudit/config"
 	"github.com/Shopify/kubeaudit/internal/k8sinternal"
+	"github.com/Shopify/kubeaudit/internal/sarif"
 )
 
 var rootConfig rootFlags
 
 type rootFlags struct {
 	format string
+	sarifOut string
 	kubeConfig string
 	context string
 	manifest string
@@ -53,6 +55,7 @@ func init() {
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.context, "context", "c", "", "The name of the kubeconfig context to use")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.minSeverity, "minseverity", "m", "info", "Set the lowest severity level to report (one of \"error\", \"warning\", \"info\")")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.format, "format", "p", "pretty", "The output format to use (one of \"pretty\", \"logrus\", \"json\")")
+	RootCmd.PersistentFlags().StringVarP(&rootConfig.sarifOut, "sarif", "s", "", "The path to output sarif report to")
 	RootCmd.PersistentFlags().StringVarP(&rootConfig.namespace, "namespace", "n", apiv1.NamespaceAll, "Only audit resources in the specified namespace. Not currently supported in manifest mode.")
 	RootCmd.PersistentFlags().BoolVarP(&rootConfig.includeGenerated, "includegenerated", "g", false, "Include generated resources in scan (eg. pods generated by deployments).")
 	RootCmd.PersistentFlags().BoolVar(&rootConfig.noColor, "no-color", false, "Don't produce colored output.")
@@ -77,6 +80,13 @@ func runAudit(auditable ...kubeaudit.Auditable) func(cmd *cobra.Command, args []
 		kubeaudit.WithColor(!rootConfig.noColor),
 	}
 
+	if rootConfig.sarifOut != "" {
+		sarifReport, sarifRun := sarif.CreateSarifReport()
+		sarif.AddSarifRules(report, sarifRun)
+		sarif.AddSarifResult(report, sarifRun)
+		sarifReport.WriteFile(rootConfig.sarifOut)
+	}
+
 	switch rootConfig.format {
 	case "json":
 		printOptions = append(printOptions, kubeaudit.WithFormatter(&log.JSONFormatter{}))
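Review bot: The help text of the new `--sarif` flag, `"The path to output sarif report to"`, does not match the README row added in the same commit ("The file location to save the SARIF output") and spells the format differently from the README. Since this string is what `--help` shows, suggest aligning it with the documentation: `"Path of the file to write the SARIF report to"`. init continues outside the hunk.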
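Review bot: The error returned by `sarifReport.WriteFile(rootConfig.sarifOut)` is discarded, so an unwritable path (missing directory, permission denied, read-only mount) leaves the user with a normal exit, the usual terminal output and no report file, which makes the failure easy to miss. If WriteFile returns an error as the go-sarif API appears to, check it and fail loudly: `if err := sarifReport.WriteFile(rootConfig.sarifOut); err != nil { log.WithError(err).Fatalf("writing SARIF report to %q", rootConfig.sarifOut) }` — `log` here looks like the logrus package already used for `log.JSONFormatter`, though the closure may have its own error path for failures handled outside this hunk. A short comment above the block, `// The SARIF file is written regardless of --format; the terminal output below is still produced.`, would make the interaction of the two flags explicit. The closure returned by runAudit starts and ends outside the hunk, so where `report` is produced cannot be seen here.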