Skip to content

Instantly share code, notes, and snippets.

@rdkls

rdkls/tfsec-json-to-gitlab-sast-report.py

Last active September 6, 2023 18:52
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rdkls/77037467ea5c825472aaff7e23f3af00 to your computer and use it in GitHub Desktop.
Save rdkls/77037467ea5c825472aaff7e23f3af00 to your computer and use it in GitHub Desktop.
Download ZIP
python script to convert tfsec json output into gitlab sast report, will get parsed by gitlab and result in vulnerabilities being visible/manageable in gitlab vuln management interface
Raw
tfsec-json-to-gitlab-sast-report.py
#!/usr/bin/env python3
import sys
import datetime
import json
import uuid
'''
# Description
Convert tfsec json output to gitlab sast json format
TFSec https://github.com/aquasecurity/tfsec
Gitlab spec https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json
# Usage
Gitlab pipeline like so:
tfsec:
stage: test
image: aquasec/tfsec-ci
allow_failure: true
script:
- tfsec --format=json --soft-fail --out tfsec-sast-report.json
artifacts:
when: always
paths:
- tfsec-sast-report.json
tfsec convert:
stage: test
image: python:3.9
needs: [tfsec]
script:
- python3 ./tfsec-json-to-gitlab-sast-report.py ./tfsec-sast-report.json > gitlab-sast-report.json
artifacts:
paths:
- gitlab-sast-report.json
reports:
sast: gitlab-sast-report.json
'''
def convert_tfsec_to_gitlab(tfsec_results):
# Initialize an empty list for gitlab vulnerabilities
gitlab_vulnerabilities = []
for result in tfsec_results:
# Create a dictionary for each gitlab vulnerability
gitlab_vulnerability = {}
gitlab_vulnerability["id"] = str(uuid.uuid4())
gitlab_vulnerability["category"] = "sast"
gitlab_vulnerability["message"] = result["rule_description"]
gitlab_vulnerability["description"] = result["description"]
gitlab_vulnerability["cve"] = ""
gitlab_vulnerability["severity"] = result["severity"].title()
gitlab_vulnerability["scanner"] = {
"id": "tfsec",
"name": "tfsec"
}
gitlab_vulnerability["location"] = {
"file": result["location"]["filename"],
"start_line": result["location"]["start_line"],
"end_line": result["location"]["end_line"]
}
gitlab_vulnerability["identifiers"] = [
{
"type": "tfsec_id",
"name": result["long_id"],
"value": result["rule_id"],
# Set the url to the first link in the links list
"url": result["links"][0]
}
]
gitlab_vulnerabilities.append(gitlab_vulnerability)
return gitlab_vulnerabilities
def write_gitlab_format(gitlab_vulnerabilities):
gitlab_format = {}
gitlab_format["version"] = "15.0.6"
gitlab_format["vulnerabilities"] = gitlab_vulnerabilities
gitlab_format["scan"] = {
"analyzer": {
"id": "tfsec",
"name": "tfsec",
"url": "https://github.com/aquasecurity/tfsec",
"vendor": {
"name": "Aqua"
},
"version": "v1.28.1"
},
"scanner": {
"id": "tfsec",
"name": "tfsec",
"url": "https://github.com/aquasecurity/tfsec",
"vendor": {
"name": "Aqua"
},
"version": "v1.28.1"
},
"type": "sast",
"start_time": datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S"), #json.dumps(json.loads(json.dumps({"time": None}))['time'], default=str),
"end_time": datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S"),
"status": "success"
}
print(json.dumps(gitlab_format, indent=2))
def read_tfsec_report(filename):
with open(filename, 'r') as f:
tfsec_report = json.load(f)
return tfsec_report
def convert_tfsec_report_file_to_gitlab_format(filename):
tfsec_report = read_tfsec_report(filename)
tfsec_results = tfsec_report["results"]
gitlab_vulnerabilities = convert_tfsec_to_gitlab(tfsec_results)
write_gitlab_format(gitlab_vulnerabilities)
if len(sys.argv) == 2:
filename = sys.argv[1]
convert_tfsec_report_file_to_gitlab_format(filename)
else:
print("Usage: python tfsec-json-to-gitlab-sast-report.py <filename>")
sys.exit(1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment