# code-security-report

A tool for analysing the reports generated by code security scanning tools (e.g. Snyk, Trivy). It is inspired by, and designed for, integration into GitHub Actions workflows: it summarises a report, or diffs two reports, and emits the result in a form a workflow step can consume.
## Supported report types

- Snyk
- Trivy
## How to develop?

Build the image locally:

```shell
make image
```

Bump the version:

```shell
./dev.sh bump_version
```
## Examples in a GitHub Actions workflow

1. Get summary

   ```yaml
   - name: Analyse the js result
     if: >-
       github.ref == 'refs/heads/main' ||
       github.ref == 'refs/heads/master'
     id: set-matrix
     run: |
       # the matrix output is a single JSON document, so it can be captured into a step output
       result=$(docker run --rm -v /home/runner/work/repo:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
       echo "js_result=${result}" >> "$GITHUB_OUTPUT"
   ```

2. Diff two reports

   ```yaml
   - name: Analyse the go diff result
     if: >-
       github.ref != 'refs/heads/main' &&
       github.ref != 'refs/heads/master'
     id: set-diff-matrix
     run: |
       # --path is the feature-branch report, --compare-to the base-branch report
       result=$(docker run --rm -v /home/runner/work/repo:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
       echo "js_diff_result=${result}" >> "$GITHUB_OUTPUT"
   ```

3. Export summary result

   ```yaml
   - name: Export scan result to html file
     run: |
       # --export writes /data/go-result.html, i.e. go-result.html in the workspace
       docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result"
   - name: Upload go result html file
     uses: actions/upload-artifact@v3
     with:
       name: html-go-result-${{ github.run_id }}
       path: go-result.html
   ```

4. Export diff result

   ```yaml
   - name: Export scan result to html file
     run: |
       # --export writes /data/go-result.html, i.e. go-result.html in the workspace
       docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result"
   - name: Upload go result html file
     uses: actions/upload-artifact@v3
     with:
       name: html-go-result-compare-to-develop-${{ github.run_id }}
       path: go-result.html
   ```
## Examples in the CLI

1. Get a summary of the report

   ```shell
   ./code-security-report summary --report-type=snyk --path="./snyk-feature.json" --output-type=matrix
   ```

   Output:
   ```json
   [
     {
       "ScannedObjects": 365,
       "SeverityStat": {
         "critical": 0,
         "high": 3,
         "medium": 0,
         "low": 0,
         "unknown": 0
       },
       "total": 3,
       "FixableSeverityStat": {
         "critical": 0,
         "high": 2,
         "medium": 0,
         "low": 0,
         "unknown": 0
       },
       "Languages": [
         "js"
       ],
       "summary": "Tested 365 dependencies for known issues. Severity Statistic: High:3 ",
       "status": "success"
     }
   ]
   ```
2. Compare two reports

   ```shell
   ./code-security-report diff --report-type=snyk --path="./snyk-feature.json" --compare-to="./snyk-develop.json" --output-type=matrix
   ```

   Output:
   ```json
   [
     {
       "Base": {
         "ScannedObjects": 426,
         "SeverityStat": {
           "critical": 0,
           "high": 2,
           "medium": 6,
           "low": 0,
           "unknown": 0
         },
         "total": 8,
         "FixableSeverityStat": {
           "critical": 0,
           "high": 1,
           "medium": 2,
           "low": 0,
           "unknown": 0
         },
         "Languages": [
           "js"
         ],
         "summary": "Tested 426 dependencies for known issues. Severity Statistic: High:2 Medium:6 ",
         "status": "success"
       },
       "Fixed": {
         "ScannedObjects": 0,
         "SeverityStat": {
           "critical": 0,
           "high": 0,
           "medium": 0,
           "low": 0,
           "unknown": 0
         },
         "total": 0,
         "FixableSeverityStat": {
           "critical": 0,
           "high": 0,
           "medium": 0,
           "low": 0,
           "unknown": 0
         },
         "Languages": null,
         "summary": "Tested 450 dependencies for known issues. Severity Statistic: Nothing found",
         "status": ""
       },
       "NewFound": {
         "ScannedObjects": 0,
         "SeverityStat": {
           "critical": 0,
           "high": 0,
           "medium": 3,
           "low": 0,
           "unknown": 0
         },
         "total": 3,
         "FixableSeverityStat": {
           "critical": 0,
           "high": 0,
           "medium": 0,
           "low": 0,
           "unknown": 0
         },
         "Languages": null,
         "summary": "Tested 450 dependencies for known issues. Severity Statistic: Medium:3 ",
         "status": ""
       },
       "Summary": "Base summary:Tested 426 dependencies for known issues. Severity Statistic: High:2 Medium:6 | Fixed summary:Tested 450 dependencies for known issues. Severity Statistic: Nothing found | New found summary:Tested 450 dependencies for known issues. Severity Statistic: Medium:3 .",
       "Status": "failure"
     }
   ]
   ```
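   The two matrix outputs above are what a workflow step ends up holding in `$GITHUB_OUTPUT`, and the useful thing to do with them is to gate the job. The following is an added example, not code from the code-security-report project: a small Python script that parses both outputs, fails when the summary exceeds a per-severity budget or when the diff reports findings under `NewFound`, and prints GitHub Actions `::error::` annotations so the reasons show up in the checks view. The sample inputs are constructed from the outputs shown above, trimmed to the fields the script reads; the budget values, the function names and the choice of which `NewFound` levels block are this example's own assumptions.

   ```python
   """Gate a CI run on code-security-report matrix output (added example, not project code)."""
   import json
   import sys

   SEVERITIES = ("critical", "high", "medium", "low", "unknown")

   # Constructed sample: the `summary --output-type=matrix` output shown above, trimmed.
   SUMMARY_OUTPUT = """[
     {
       "ScannedObjects": 365,
       "SeverityStat": {"critical": 0, "high": 3, "medium": 0, "low": 0, "unknown": 0},
       "total": 3,
       "FixableSeverityStat": {"critical": 0, "high": 2, "medium": 0, "low": 0, "unknown": 0},
       "Languages": ["js"],
       "status": "success"
     }
   ]"""

   # Constructed sample: the `diff --output-type=matrix` output shown above, trimmed.
   DIFF_OUTPUT = """[
     {
       "Base": {"SeverityStat": {"critical": 0, "high": 2, "medium": 6, "low": 0, "unknown": 0}, "total": 8},
       "Fixed": {"SeverityStat": {"critical": 0, "high": 0, "medium": 0, "low": 0, "unknown": 0}, "total": 0},
       "NewFound": {"SeverityStat": {"critical": 0, "high": 0, "medium": 3, "low": 0, "unknown": 0}, "total": 3},
       "Status": "failure"
     }
   ]"""


   def load_matrix(text):
       """The matrix output is a JSON list holding one entry; return that entry."""
       data = json.loads(text)
       if not isinstance(data, list) or len(data) != 1:
           raise ValueError("expected a one-element JSON list from --output-type=matrix")
       return data[0]


   def summary_violations(text, budget):
       """Severities in SeverityStat whose count exceeds budget[severity].
       Severities absent from the budget are not limited."""
       stat = load_matrix(text)["SeverityStat"]
       return {s: stat[s] for s in SEVERITIES if s in budget and stat.get(s, 0) > budget[s]}


   def new_findings(text, levels=("critical", "high", "medium")):
       """Severities the feature report introduces relative to the base (NewFound),
       restricted to the levels that should block a merge (this example's choice)."""
       new = load_matrix(text)["NewFound"]["SeverityStat"]
       return {s: new[s] for s in levels if new.get(s, 0) > 0}


   def fixable_share(text):
       """Fraction of the summary's issues that the scanner marks fixable; handy for triage."""
       entry = load_matrix(text)
       total = entry["total"]
       fixable = sum(entry["FixableSeverityStat"].values())
       return fixable / total if total else 1.0


   def gate(summary_text, diff_text, budget):
       """Return (passed, messages). Messages use the GitHub Actions workflow-command
       syntax `::error::...` so that printing them annotates the job."""
       messages = []
       for sev, count in summary_violations(summary_text, budget).items():
           messages.append(f"::error::{count} {sev} issue(s) exceed the budget of {budget[sev]}")
       for sev, count in new_findings(diff_text).items():
           messages.append(f"::error::{count} new {sev} issue(s) introduced versus the base report")
       return (not messages), messages


   if __name__ == "__main__":
       # Assumed policy: no critical or high issues allowed on the branch.
       passed, msgs = gate(SUMMARY_OUTPUT, DIFF_OUTPUT, {"critical": 0, "high": 0})
       print("\n".join(msgs) or "security gate passed")
       sys.exit(0 if passed else 1)
   ```

   In a workflow the two JSON strings would come from the step outputs set in the examples above (for instance `${{ steps.set-matrix.outputs.js_result }}`) rather than from the constructed constants, and the non-zero exit status is what fails the job.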
3. Export the summary report

   ```shell
   ./code-security-report summary --report-type=snyk --path="./fixtures/snyk-feature.json" --export --output-type=table --export-filename="snyk-summary"
   ```
4. Export the diff report

   ```shell
   ./code-security-report diff --report-type=snyk --path="./fixtures/snyk-feature.json" --compare-to="./fixtures/snyk-develop.json" --output-type=table --export
   ```
5. Debug with the inspect command

   ```shell
   docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest inspect --target-dir=/data
   ```
6. Check the version

   ```shell
   ./code-security-report version
   ```
## Examples with Docker

1. Run in a Docker container

   ```shell
   docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json"
   ```

2. Export from a Docker container

   ```shell
   # paths are inside the container, i.e. under the /data mount
   docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/snyk-feature.json" --compare-to="/data/snyk-develop.json" --output-type=table --export --export-filename="/data/snyk-diff"
   ```
## Command detail

```shell
./code-security-report help
```