WIP. Converts Azure Container Scan Action output to SARIF, for an easier integration with GitHub Code Scanning

container-scan-to-sarif

Build Go Report Card Release

container-scan-to-sarif converts Azure Container Scan Action output to Static Analysis Results Interchange Format (SARIF), for an easier integration with GitHub Code Scanning.

Rationale

The Azure Container Scan Action combines both Trivy and Dockle tools to scan container images for common vulnerabilities (CVEs) and best practices violations. It also provides with the ability to ignore some checks if needed, via an allowedlist.yaml file.

This is all great, but the resulting output is a non-standard JSON file, which, at this time, can only be uploaded as a build artifact, making it hard to read the report or integrate with other tools.

On the other hand, GitHub Code Scanning integrates very well with external tools that are able to produce Static Analysis Results Interchange Format (SARIF) reports, so users can navigate their reports in the nice "Code Scanning Alerts" interface.

This is where container-scan-to-sarif comes into play, by bridging the gap between Container Scan and GitHub Code Scanning.

It also started as a learning exercise for myself to use Golang in practice.

Installation

You can download the latest release of container-scan-to-sarif.

Or, from the sources:

go install github.com/rm3l/container-scan-to-sarif@latest

Usage

Container image

Container images for container-scan-to-sarif are pushed to GitHub Packages. You can therefore run it with Docker, by mounting your Container Scan output inside the container, like so:

docker container run --rm \
  -v /path/to/my/container-scan-report.json:/data/scanreport.json \
  -t ghcr.io/rm3l/container-scan-to-sarif

CLI

container-scan-to-sarif --help

Usage of container-scan-to-sarif:
  -input string
        Path to the Azure Container Scan JSON Report (default "./scanreport.json")
  -output string
        Path to the SARIF output file. Default output is STDOUT

Building from source

Once you have cloned this repo, you can build container-scan-to-sarif with the command below:

# Build
go build

# The executable can the be found here: ./container-scan-to-sarif
./container-scan-to-sarif --help

Contribution Guidelines

Contributions and issue reporting are more than welcome. So to help out, do feel free to fork this repo and open up a pull request. I'll review and merge your changes as quickly as possible.

You can use GitHub issues to report bugs. However, please make sure your description is clear enough and has sufficient instructions to be able to reproduce the issue.

Developed by

License

The MIT License (MIT)

Copyright (c) 2021 Armel Soro

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Owner
Armel Soro
Tech Lead. Open-Source and Distributed Systems Enthusiast.
Armel Soro
https://github.com/rm3l/container-scan-to-sarif
Comments
  • Creates invalid SARIF file if container scan returns no results

    Creates invalid SARIF file if container scan returns no results

    When container scan doesn't find any vulnerabilities the resulting SARIF file has result set to null:

    {
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "container-scan",
          "informationUri": "https://github.com/Azure/container-scan",
          "fullName": "Container Scan",
          "version": "0.1",
          "rules": []
        },
        "extensions": [
          {
            "name": "Trivy",
            "version": "latest"
          },
          {
            "name": "Dockle",
            "version": "latest"
          }
        ]
      },
      "results": null
    }
  ]
}

    The upload-sarif action expects an array in this case and fails with an error:

    instance.runs[0].results is not of a type(s) array
  • Bump github.com/google/go-cmp from 0.5.6 to 0.5.7

    Bump github.com/google/go-cmp from 0.5.6 to 0.5.7

    Bumps github.com/google/go-cmp from 0.5.6 to 0.5.7.

    Release notes

    Sourced from github.com/google/go-cmp's releases.

    v0.5.7

    Reporter changes:

    • (#266) Fix textual printing of byte slices
    • (#275) Reduce minimum length for specialize string diffing
    • (#276) Use any alias instead of interface{}

    Code cleanup changes:

    • (#281) Update minimum supported version to go1.11
    • (#282) Drop hacks to work around Go reflection bugs in Go1.9
    • (#285) Add //go:build lines
    • (#262) Fix staticcheck findings
    • (#263) Avoid shadowing variable
    • (#268) Use sha256 in test
    • (#271) Fix spelling mistakes
    • (#269) Change build status badge
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump docker/login-action from 1.10.0 to 1.12.0

    Bump docker/login-action from 1.10.0 to 1.12.0

    Bumps docker/login-action from 1.10.0 to 1.12.0.

    Release notes

    Sourced from docker/login-action's releases.

    v1.12.0

    • ECR: only set credentials if username and password are specified (#128)
    • Refactor to use aws-sdk v3 (#128)

    v1.11.0

    • ECR: switch implementation to use the AWS SDK (#126)
    • ecr input to specify whether the given registry is ECR (#123)
    • Test against Windows runner (#126)
    • Update instructions for Google registry (#127)
    • Update dev workflow (#111)
    • Small changes for GHCR doc (#86)
    • Update dev dependencies (#85)
    • Bump ansi-regex from 5.0.0 to 5.0.1 (#101)
    • Bump tmpl from 1.0.4 to 1.0.5 (#100)
    • Bump @​actions/core from 1.4.0 to 1.6.0 (#94 #103)
    • Bump codecov/codecov-action from 1 to 2 (#88)
    • Bump hosted-git-info from 2.8.8 to 2.8.9 (#83)
    • Bump node-notifier from 8.0.0 to 8.0.2 (#82)
    • Bump ws from 7.3.1 to 7.5.0 (#81)
    • Bump lodash from 4.17.20 to 4.17.21 (#80)
    • Bump y18n from 4.0.0 to 4.0.3 (#79)
    Commits
    • 42d299f Merge pull request #130 from crazy-max/ci-workflow
    • 4858b0b Update ci workflow
    • 1d7d864 Merge pull request #128 from Flydiverny/aws-sdk-v3
    • 5885569 refactor: use v3 sdk
    • d9927c4 Merge pull request #123 from crazy-max/ecr-input
    • b9a4d91 ecr input to specify whether the given registry is ECR
    • b20b9f5 Merge pull request #126 from crazy-max/aws-sdk
    • cb21399 ci: test against windows runner
    • faae4d6 ecr: switch implementation to use the AWS SDK
    • 4d84a3c Merge pull request #127 from crazy-max/carry-124
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump goreleaser/goreleaser-action from 3 to 4

    Bump goreleaser/goreleaser-action from 3 to 4

    Bumps goreleaser/goreleaser-action from 3 to 4.

    Release notes

    Sourced from goreleaser/goreleaser-action's releases.

    v4.0.0

    What's Changed

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3...v4.0.0

    v3.2.0

    What's Changed

    • chore: remove workaround for setOutput by @​crazy-max (#374)
    • chore(deps): bump @​actions/core from 1.9.1 to 1.10.0 (#372)
    • chore(deps): bump yargs from 17.5.1 to 17.6.0 (#373)

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3.1.0...v3.2.0

    v3.1.0

    What's Changed

    • fix: dist resolution from config file by @​crazy-max (#369)
    • ci: fix workflow by @​crazy-max (#357)
    • docs: bump actions to latest major by @​crazy-max (#356)
    • chore(deps): bump crazy-max/ghaction-import-gpg from 4 to 5 (#360)
    • chore(deps): bump ghaction-import-gpg to v5 (#359)
    • chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#358)
    • chore(deps): bump @​actions/core from 1.8.2 to 1.9.1 (#367)

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v3.0.0...v3.1.0

    Commits
    • 8f67e59 chore: regenerate
    • 78df308 chore(deps): bump minimatch from 3.0.4 to 3.1.2 (#383)
    • 66134d9 Merge remote-tracking branch 'origin/master' into flarco/master
    • 3c08cfd chore(deps): bump yargs from 17.6.0 to 17.6.2
    • 5dc579b docs: add example when using workdir along with upload-artifact (#366)
    • 3b7d1ba feat!: remove auto-snapshot on dirty tag (#382)
    • 23e0ed5 fix: do not override GORELEASER_CURRENT_TAG (#370)
    • 1315dab update build
    • b60ea88 improve install
    • 4d25ab4 Update goreleaser.ts
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1

    Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1

    Bumps golangci/golangci-lint-action from 3.3.0 to 3.3.1.

    Release notes

    Sourced from golangci/golangci-lint-action's releases.

    v3.3.1

    What's Changed

    Full Changelog: https://github.com/golangci/golangci-lint-action/compare/v3...v3.3.1

    Commits
    • 0ad9a09 build(deps-dev): bump @​typescript-eslint/parser from 5.41.0 to 5.42.0 (#599)
    • 235ea57 build(deps-dev): bump eslint from 8.26.0 to 8.27.0 (#598)
    • a6ed001 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 5.41.0 to 5.42.0 ...
    • 3a7156a build(deps-dev): bump @​typescript-eslint/parser from 5.40.1 to 5.41.0 (#596)
    • 481f8ba build(deps): bump @​types/semver from 7.3.12 to 7.3.13 (#595)
    • 06edb37 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 5.40.1 to 5.41.0 ...
    • c2f79a7 build(deps): bump @​actions/cache from 3.0.5 to 3.0.6 (#593)
    • d6eac69 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 5.40.0 to 5.40.1 ...
    • 7268434 build(deps-dev): bump eslint from 8.25.0 to 8.26.0 (#591)
    • a926e2b build(deps-dev): bump @​typescript-eslint/parser from 5.40.0 to 5.40.1 (#590)
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump golangci/golangci-lint-action from 3.2.0 to 3.3.0

    Bump golangci/golangci-lint-action from 3.2.0 to 3.3.0

    Bumps golangci/golangci-lint-action from 3.2.0 to 3.3.0.

    Commits
    • 07db538 build(deps): bump @​actions/cache from 3.0.4 to 3.0.5 (#586)
    • 328c000 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 5.39.0 to 5.40.0 ...
    • 3a79f8d build(deps-dev): bump @​typescript-eslint/parser from 5.39.0 to 5.40.0 (#584)
    • 43c645b build(deps-dev): bump eslint from 8.24.0 to 8.25.0 (#582)
    • 88e5fc6 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 5.38.1 to 5.39.0 ...
    • 6191de5 build(deps-dev): bump @​typescript-eslint/parser from 5.38.1 to 5.39.0 (#580)
    • 5423639 build(deps): bump @​actions/core from 1.9.1 to 1.10.0 (#578)
    • c225631 build(deps): bump @​actions/github from 5.1.0 to 5.1.1 (#576)
    • b81d829 build(deps-dev): bump typescript from 4.8.3 to 4.8.4 (#577)
    • 5b682fd build(deps-dev): bump @​typescript-eslint/parser from 5.38.0 to 5.38.1 (#575)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump docker/login-action from 2.0.0 to 2.1.0

    Bump docker/login-action from 2.0.0 to 2.1.0

    Bumps docker/login-action from 2.0.0 to 2.1.0.

    Release notes

    Sourced from docker/login-action's releases.

    v2.1.0

    What's Changed

    • Ensure AWS temp credentials are redacted in workflow logs by @​crazy-max (#275)
    • Bump @​actions/core from 1.6.0 to 1.10.0 (#252 #292)
    • Bump @​aws-sdk/client-ecr from 3.53.0 to 3.186.0 (#298)
    • Bump @​aws-sdk/client-ecr-public from 3.53.0 to 3.186.0 (#299)

    Full Changelog: https://github.com/docker/login-action/compare/v2.0.0...v2.1.0

    Commits
    • f4ef78c Merge pull request #299 from docker/dependabot/npm_and_yarn/aws-sdk/client-ec...
    • 9ad4ce3 Update generated content
    • 884eadd Bump @​aws-sdk/client-ecr-public from 3.53.0 to 3.186.0
    • a266232 Merge pull request #298 from docker/dependabot/npm_and_yarn/aws-sdk/client-ec...
    • f97efcf Update generated content
    • 5ae789b Bump @​aws-sdk/client-ecr from 3.53.0 to 3.186.0
    • 71c23b5 Merge pull request #292 from docker/dependabot/npm_and_yarn/actions/core-1.10.0
    • 6401d70 Update generated content
    • 67e8909 Bump @​actions/core from 1.9.1 to 1.10.0
    • 21f251a Merge pull request #275 from crazy-max/redact-aws-creds
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump to Go 1.19

    Bump to Go 1.19

    • chore: Bump to Go 1.19
    • chore: Update tools versions in .tool-versions
    • chore(CI): Leverage .tool-versions and asdf to install all runtime versions
    • chore: Remove useless 'go generate' step from GoReleaser config
  • Bump github.com/google/go-cmp from 0.5.8 to 0.5.9

    Bump github.com/google/go-cmp from 0.5.8 to 0.5.9

    Bumps github.com/google/go-cmp from 0.5.8 to 0.5.9.

    Release notes

    Sourced from github.com/google/go-cmp's releases.

    v0.5.9

    Reporter changes:

    • (#299) Adjust heuristic for line-based versus byte-based diffing
    • (#306) Use value.TypeString in PathStep.String

    Code cleanup changes:

    • (#297) Use reflect.Value.IsZero
    • (#304) Format with Go 1.19 formatter
    • (#300 )Fix typo in Result documentation
    • (#302) Pre-declare global type variables
    • (#309) Run tests on Go 1.19
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump goreleaser/goreleaser-action from 2 to 3

    Bump goreleaser/goreleaser-action from 2 to 3

    Bumps goreleaser/goreleaser-action from 2 to 3.

    Release notes

    Sourced from goreleaser/goreleaser-action's releases.

    v3.0.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.9.1...v3.0.0

    v2.9.1

    What's Changed

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2...v2.9.1

    v2.9.0

    What's Changed

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.8.1...v2.9.0

    v2.8.1

    What's Changed

    Full Changelog: https://github.com/goreleaser/goreleaser-action/compare/v2.8.0...v2.8.1

    v2.8.0

    What's Changed

    ... (truncated)

    Commits
    • 68acf3b chore(deps): bump @​actions/tool-cache from 1.7.2 to 2.0.1 (#355)
    • 46da113 chore: node 16 as default runtime (#343)
    • 223909a chore: update
    • c56d8df Revert "chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#354)"
    • d1c2f83 chore(deps): bump @​actions/core from 1.6.0 to 1.8.2 (#354)
    • 5c65fd8 chore(deps): bump @​actions/http-client from 1.0.11 to 2.0.1 (#353)
    • 46cd12b chore(deps): bump yargs from 17.4.1 to 17.5.1 (#352)
    • 822d1bf chore(deps): bump docker/bake-action from 1 to 2 (#346)
    • c25888f chore: update dev dependencies and workflow (#342)
    • ec57748 chore(deps): bump yargs from 17.4.0 to 17.4.1 (#339)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0

    Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0

    Bumps golangci/golangci-lint-action from 3.1.0 to 3.2.0.

    Release notes

    Sourced from golangci/golangci-lint-action's releases.

    v3.2.0

    What's Changed

    misc

    dependencies

    New Contributors

    ... (truncated)

    Commits
    • 537aa19 Expire cache periodically to avoid unbounded size (#466)
    • f70e52d build(deps): bump @​actions/core from 1.6.0 to 1.8.0 (#468)
    • a304692 build(deps-dev): bump @​typescript-eslint/eslint-plugin (#469)
    • eeca7c5 build(deps-dev): bump eslint from 8.14.0 to 8.15.0 (#467)
    • dfbcd2a build(deps): bump github/codeql-action from 1 to 2 (#459)
    • 4421331 build(deps-dev): bump @​typescript-eslint/parser from 5.20.0 to 5.22.0 (#464)
    • 5e6c1bb build(deps-dev): bump typescript from 4.6.3 to 4.6.4 (#461)
    • 44eba43 build(deps-dev): bump @​typescript-eslint/eslint-plugin (#460)
    • 358a5e3 build(deps-dev): bump @​typescript-eslint/eslint-plugin (#457)
    • b9c65a5 build(deps-dev): bump @​typescript-eslint/parser from 5.19.0 to 5.20.0 (#455)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Related tags
Security container-scan-to-sarif
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
 A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.

Introduction Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third par

Dec 28, 2022
Build & Scan - Container Image

BSImage (build&scan image) Requirements Trivy Docker BSImage (shell script version) Usage of build (shell script version) ./bsimage.sh start <image:ta

Apr 12, 2022
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
 EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

Dec 10, 2022
Gryffin is a large scale web security scanning platform.

Gryffin (beta) Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems w

Dec 27, 2022
The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!
 The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!

Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, build and deploy repeatable infrastructure focussed on

Dec 30, 2022
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.
 Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

Dec 30, 2022
A fully self-contained Nmap like parallel port scanning module in pure Golang that supports SYN-ACK (Silent Scans)

gomap What is gomap? Gomap is a fully self-contained nmap like module for Golang. Unlike other projects which provide nmap C bindings or rely on other

Dec 10, 2022
🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
 🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Finder Of XSS, and Dal(달) is the Korean pronunciation of moon. What is DalFox ?? ?? DalFox is a fast, powerful parameter analysis and XSS scanner, bas

Jan 5, 2023
A Large killer focused on intranet scanning
 A Large killer focused on intranet scanning

FscanX 其实FscanX的灵感来源于fscan和LodanGo这两个开源项目,首先不得不说fscan和LadonGo两个都是非常优秀的内网扫描器。并且其独自的特色也让其在内网扫描器领域独占鳌头。其中LadonGo的插件式让其在扫描时更加专注,而fscan的傻瓜式则让其对内网的信息搜集更加高效。

Dec 31, 2021
ARP spoofing tool based on go language, supports LAN host scanning, ARP poisoning, man-in-the-middle attack, sensitive information sniffing, HTTP packet sniffing
 ARP spoofing tool based on go language, supports LAN host scanning, ARP poisoning, man-in-the-middle attack, sensitive information sniffing, HTTP packet sniffing

[ARP Spoofing] [Usage] Commands: clear clear the screen cut 通过ARP欺骗切断局域网内某台主机的网络 exit exit the program help display help hosts 主机管理功能 loot 查看嗅探到的敏感信息

Dec 30, 2022
Wrapper to communicate with the wifi scanning protocol on Brother MFC-J430W
 Wrapper to communicate with the wifi scanning protocol on Brother MFC-J430W

Brother MFC-J430W protocol wrapper (wifi scanner) Reasons Brother MFC-J430W has already scanner driver and you can download here but that are prebuilt

Dec 20, 2022
A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

PewSWITCH A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157. Related blog: https://0xinfection.github.io/p

Nov 2, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner
 Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

Jan 2, 2022
Go-basic-port-scanner: Scanning of TCP ports only
 Go-basic-port-scanner: Scanning of TCP ports only

go-basic-port-scanner Scanning of TCP ports only. Usage git clone https://git

Jan 22, 2022
Govuln - How to patch a vulnerability indirectly lifted into a Go Lang application in a manner which satsfies Twistlock scanning

govuln Desire to learn how to patch a vulnerability indirectly lifted into a Go

Feb 2, 2022
Portmantool - Port scanning and monitoring tool

portmantool Port scanning and monitoring tool Components runner while true do r

Feb 14, 2022
User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on Linkedin
 User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on Linkedin

goEnumBruteSpray Description Summary The recommended module is o365 for user enumeration and passwords bruteforce / spray . Additional information can

Dec 25, 2022
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).
 A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).

proxylogscan This tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and imperson

Dec 26, 2022
A fast tool to scan CRLF vulnerability written in Go
 A fast tool to scan CRLF vulnerability written in Go

CRLFuzz A fast tool to scan CRLF vulnerability written in Go Resources Installation from Binary from Source from GitHub Usage Basic Usage Flags Target

Jan 1, 2023