oscarzhou/code-security-report
code-security-report

A tool for analyzing the reports generated by code security scanning tools such as Snyk and Trivy. It is inspired by, and designed for, integration into GitHub Actions workflows: it summarises a scan, or diffs two scans (for example a feature branch against develop), and emits the result as a JSON matrix, a table, or an exported HTML file.

Supported Report Types

  1. Snyk
  2. Trivy

How to develop?

Build image locally

make image

Bump version

./dev.sh bump_version

Examples in a GitHub Actions workflow

1. Get summary

- name: Analyse the js result
  if: >-
    github.ref == 'refs/heads/main' ||
    github.ref == 'refs/heads/master'
  id: set-matrix
  run: |
    # the repository is mounted at /data inside the container; the JSON matrix is captured into a step output
    result=$(docker run --rm -v /home/runner/work/repo:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
    echo "js_result=${result}" >> $GITHUB_OUTPUT

2. Diff two reports

- name: Analyse the go diff result
  if: >-
    github.ref != 'refs/heads/main' &&
    github.ref != 'refs/heads/master'
  id: set-diff-matrix
  run: |
    # --path is the branch under review, --compare-to is the baseline report
    result=$(docker run --rm -v /home/runner/work/repo:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
    echo "js_diff_result=${result}" >> $GITHUB_OUTPUT

3. Export summary result

- name: Export scan result to html file
  run: |
    # --export writes <export-filename>.html; with the workspace mounted at /data it lands in the workspace root
    docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result"

- name: Upload go result html file
  uses: actions/upload-artifact@v3
  with:
    name: html-go-result-${{github.run_id}}
    path: go-result.html

4. Export diff result

- name: Export scan result to html file
  run: |
    docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result"

- name: Upload go result html file
  uses: actions/upload-artifact@v3
  with:
    name: html-go-result-compare-to-develop-${{github.run_id}}
    path: go-result.html

Examples in CLI

1. Get summary of the report

./code-security-report summary --report-type=snyk --path="./snyk-feature.json" --output-type=matrix

Output:

[
	{
		"ScannedObjects": 365,
		"SeverityStat": {
			"critical": 0,
			"high": 3,
			"medium": 0,
			"low": 0,
			"unknown": 0
		},
		"total": 3,
		"FixableSeverityStat": {
			"critical": 0,
			"high": 2,
			"medium": 0,
			"low": 0,
			"unknown": 0
		},
		"Languages": [
			"js"
		],
		"summary": "Tested 365 dependencies for known issues.  Severity Statistic: High:3 ",
		"status": "success"
	}
]

2. Compare two reports

./code-security-report diff --report-type=snyk --path="./snyk-feature.json" --compare-to="./snyk-develop.json" --output-type=matrix

Output:

[
	{
		"Base": {
			"ScannedObjects": 426,
			"SeverityStat": {
				"critical": 0,
				"high": 2,
				"medium": 6,
				"low": 0,
				"unknown": 0
			},
			"total": 8,
			"FixableSeverityStat": {
				"critical": 0,
				"high": 1,
				"medium": 2,
				"low": 0,
				"unknown": 0
			},
			"Languages": [
				"js"
			],
			"summary": "Tested 426 dependencies for known issues.  Severity Statistic: High:2 Medium:6 ",
			"status": "success"
		},
		"Fixed": {
			"ScannedObjects": 0,
			"SeverityStat": {
				"critical": 0,
				"high": 0,
				"medium": 0,
				"low": 0,
				"unknown": 0
			},
			"total": 0,
			"FixableSeverityStat": {
				"critical": 0,
				"high": 0,
				"medium": 0,
				"low": 0,
				"unknown": 0
			},
			"Languages": null,
			"summary": "Tested 450 dependencies for known issues.  Severity Statistic: Nothing found",
			"status": ""
		},
		"NewFound": {
			"ScannedObjects": 0,
			"SeverityStat": {
				"critical": 0,
				"high": 0,
				"medium": 3,
				"low": 0,
				"unknown": 0
			},
			"total": 3,
			"FixableSeverityStat": {
				"critical": 0,
				"high": 0,
				"medium": 0,
				"low": 0,
				"unknown": 0
			},
			"Languages": null,
			"summary": "Tested 450 dependencies for known issues.  Severity Statistic: Medium:3 ",
			"status": ""
		},
		"Summary": "Base summary:Tested 426 dependencies for known issues.  Severity Statistic: High:2 Medium:6  | Fixed summary:Tested 450 dependencies for known issues.  Severity Statistic: Nothing found | New found summary:Tested 450 dependencies for known issues.  Severity Statistic: Medium:3 .",
		"Status": "failure"
	}
]
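As an added example (not part of the project), a small Python consumer for the matrix output shown above: it parses the JSON array that `summary` and `diff --output-type=matrix` print, computes the fixable share from the SeverityStat/FixableSeverityStat objects, and applies a merge gate that fails only on newly introduced critical/high findings, so pre-existing findings in Base do not block a PR. The sample JSON is constructed to match the page's field names; the function names are my own.

```python
import json

# Constructed sample in the shape of `diff --report-type=snyk --output-type=matrix`
# output (field names follow the page; the counts are made up for this example).
SAMPLE_DIFF_OUTPUT = """[{
  "Base": {"ScannedObjects": 426, "total": 8,
           "SeverityStat": {"critical": 0, "high": 2, "medium": 6, "low": 0, "unknown": 0},
           "FixableSeverityStat": {"critical": 0, "high": 1, "medium": 2, "low": 0, "unknown": 0},
           "Languages": ["js"], "status": "success"},
  "Fixed": {"total": 0,
            "SeverityStat": {"critical": 0, "high": 0, "medium": 0, "low": 0, "unknown": 0}},
  "NewFound": {"total": 3,
               "SeverityStat": {"critical": 0, "high": 0, "medium": 3, "low": 0, "unknown": 0}},
  "Status": "failure"
}]"""

SEVERITIES = ("critical", "high", "medium", "low", "unknown")


def parse_matrix(text):
    """Parse the JSON array printed with --output-type=matrix; one object per report."""
    data = json.loads(text)
    if not isinstance(data, list) or not data:
        raise ValueError("expected a non-empty JSON array from code-security-report")
    return data


def fixable_fraction(stat):
    """Share of findings with an available fix, from a summary-shaped object
    (the `summary` output, or the Base/Fixed/NewFound objects of a diff)."""
    total = sum(stat["SeverityStat"].get(s, 0) for s in SEVERITIES)
    fixable = sum(stat.get("FixableSeverityStat", {}).get(s, 0) for s in SEVERITIES)
    return fixable / total if total else 0.0


def gate(diff_entry, block_on=("critical", "high")):
    """Merge gate over one diff object: fail only when the branch introduces
    findings of a blocking severity. Returns (ok, reason)."""
    new = diff_entry["NewFound"]["SeverityStat"]
    fixed = diff_entry["Fixed"]["SeverityStat"]
    blocking = {s: new.get(s, 0) for s in block_on if new.get(s, 0) > 0}
    if blocking:
        return False, "new findings: " + ", ".join(f"{s}={n}" for s, n in blocking.items())
    net = sum(new.get(s, 0) for s in SEVERITIES) - sum(fixed.get(s, 0) for s in SEVERITIES)
    return True, f"no new {'/'.join(block_on)} findings (net change {net:+d})"


if __name__ == "__main__":
    entry = parse_matrix(SAMPLE_DIFF_OUTPUT)[0]
    print(gate(entry), f"fixable in base: {fixable_fraction(entry['Base']):.0%}")
```

In a workflow the same logic can run over the `js_diff_result` step output instead of the embedded sample, with a non-zero exit when `ok` is false.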

3. Export the summary report

./code-security-report summary --report-type=snyk --path="./fixtures/snyk-feature.json" --export --output-type=table --export-filename="snyk-summary"

4. Export the diff report

./code-security-report diff --report-type=snyk --path="./fixtures/snyk-feature.json" --compare-to="./fixtures/snyk-develop.json" --output-type=table --export

5. Debug with inspect command

docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest inspect --target-dir=/data

6. Check version

./code-security-report version

Examples with Docker

1. Run in a Docker container

docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json"

2. Export from a Docker container

docker run --rm -v $PWD/fixtures:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/snyk-feature.json" --compare-to="/data/snyk-develop.json" --output-type=table --export --export-filename="/data/snyk-diff"

Command details

./code-security-report help
