Burp Suite User Forum


CICD SARIF Output

Anthony | Last updated: Jul 26, 2021 09:51PM UTC

The generic driver can already be wrapped by a GitHub action and be made to kick off scans on repo push or other events. However, the current output options are not developer-friendly, in that they require digging on the developer's part. GitHub has the ability to ingest SARIF output from third-party tooling to nicely display security alerts in the repo security dashboard. I think this would be a nice addition to Enterprise that would likely drive some sales.

James, PortSwigger Agent | Last updated: Jul 27, 2021 03:03PM UTC

Hi Anthony, Thank you for the feature suggestion. I have added this request for our development team. They will take a look when considering additional integrations. You will be notified if this request is included in a future release. Have a good day.

Jose | Last updated: May 11, 2022 03:25PM UTC

Hi, Jose from GitHub here. If we can help with the SARIF onboarding, please let us know. We have a helpful guide here for integrating DAST/SAST tools with GitHub as Anthony describes: https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html

James, PortSwigger Agent | Last updated: May 11, 2022 03:30PM UTC

Hi Jose, Many thanks for reaching out and offering your help. I have passed this across to our development team.

Charlton | Last updated: Jul 10, 2023 06:58PM UTC

Hello all, I'm pleased to report that this is now possible. I've implemented a wrapper around the base Dastardly action that converts its JUnit XML output to SARIF, and uploads the resulting report to GitHub's Code Scanning. You can find the action in the following repo: https://github.com/chtzvt/dastardly
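The conversion Anthony asked for and Charlton describes (JUnit XML from a scan run into SARIF that GitHub code scanning can ingest) is small enough to show end to end. The script below is an added example for this thread; it is not Charlton's action, not Dastardly's code, and not PortSwigger's. It assumes the generic JUnit XML shape (`testsuites/testsuite/testcase/failure`), that the scanned URL sits in the `classname` attribute and the severity in the `failure` element's `type` attribute, and it chooses its own severity-to-level mapping; all of those are assumptions, and the sample report is constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample input in the generic JUnit XML shape. It is not a real
# Dastardly report; the attribute names used here are an assumption.
SAMPLE_JUNIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://example.test/" tests="3" failures="2">
    <testcase name="Strict transport security not enforced" classname="https://example.test/">
      <failure type="Low" message="HSTS header missing">The response does not set Strict-Transport-Security.</failure>
    </testcase>
    <testcase name="Cross-site scripting (reflected)" classname="https://example.test/search?q=x">
      <failure type="High" message="Reflected input">The q parameter is reflected unencoded.</failure>
    </testcase>
    <testcase name="Secure cookie flag" classname="https://example.test/login"/>
  </testsuite>
</testsuites>
"""

# JUnit failure "type" -> SARIF result level. This mapping is the example's own choice.
SEVERITY_TO_LEVEL = {"high": "error", "medium": "warning", "low": "note", "info": "note"}


def rule_id_for(title):
    """Derive a stable, URL-safe SARIF rule id from a finding title."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-") or "unnamed-finding"


def junit_to_sarif(xml_text, tool_name="junit-to-sarif-example", tool_version="0.0.1"):
    """Convert a JUnit XML report into a SARIF 2.1.0 log (returned as a dict).

    Each failed or errored <testcase> becomes one SARIF result; each distinct
    test name becomes one entry in tool.driver.rules. Passing cases are skipped.
    """
    root = ET.fromstring(xml_text)
    rules, rule_index, results = [], {}, []

    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            failure = case.find("error")
        if failure is None:
            continue  # passing test case: nothing to report

        title = case.get("name") or "Unnamed finding"
        rid = rule_id_for(title)
        level = SEVERITY_TO_LEVEL.get((failure.get("type") or "").lower(), "warning")

        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "name": title,
                "shortDescription": {"text": title},
                "defaultConfiguration": {"level": level},
            })

        message = failure.get("message") or title
        detail = (failure.text or "").strip()
        if detail:
            message = f"{message}: {detail}"

        # DAST findings point at URLs, not files; the scanned URL is used as the
        # artifact URI so the alert still carries a location (assumption).
        target = case.get("classname") or "unknown-target"

        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": level,
            "message": {"text": message},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": target}}}],
        })

    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def junit_to_sarif_json(xml_text, **kwargs):
    """Same conversion, serialised to the JSON text that would be uploaded."""
    return json.dumps(junit_to_sarif(xml_text, **kwargs), indent=2)


if __name__ == "__main__":
    print(junit_to_sarif_json(SAMPLE_JUNIT_XML))
```

Run it against a real report by replacing `SAMPLE_JUNIT_XML` with the file contents, write the JSON to disk, and hand that file to a SARIF upload step (for example the `github/codeql-action/upload-sarif` action) in the workflow that ran the scan. Check the resulting alerts once: code scanning is built around file locations, so verify that URL-based locations render the way you want on your dashboard before relying on the mapping.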
