SARIF Export: Plugging Pentestas Findings Into GitHub Code Scanning

Introduction to SARIF and GitHub CodeQL

The Static Analysis Results Interchange Format (SARIF) is a standardized format that facilitates the exchange of static analysis results between different tools. By adopting SARIF, we ensure that our findings from various security tools are seamlessly integrated into platforms like GitHub. SARIF not only promotes consistency but also enhances collaboration among teams by providing a common language for interpreting static analysis results. For security practitioners, this means more efficient workflows and a clearer understanding of vulnerabilities across diverse codebases.

GitHub CodeQL is a powerful engine for code scanning, allowing developers to query code as though it were data. It provides a robust framework to identify potential vulnerabilities before they are exploited. By leveraging CodeQL, developers can perform deep analysis over their code, identifying patterns that could lead to security breaches. This tool is integral to modern development pipelines, emphasizing proactive rather than reactive security practices.

Integrating SARIF with GitHub CodeQL can significantly improve the security workflow by providing a comprehensive view of the code's health. When SARIF reports are fed into GitHub, they enhance the platform's existing security features, facilitating a smoother transition from detection to remediation. This integration allows for automated responses to potential threats, ensuring that vulnerabilities are addressed promptly and efficiently.

At Pentestas, we specialize in thorough security testing, identifying vulnerabilities that could compromise your systems. Our expertise in SARIF and GitHub CodeQL integration ensures that our clients' security postures are robust and responsive. By embedding our findings directly into the development environment, we help developers act swiftly on security alerts, minimizing potential risks.

Understanding SARIF 2.1.0

The Static Analysis Results Interchange Format (SARIF) 2.1.0 introduces several key features aimed at enhancing the clarity and utility of static analysis results. One of the significant improvements includes better support for embedding rich information about code locations and metadata within the results file. This version also refines its support for internationalization, allowing error messages and descriptions to be presented in multiple languages. These enhancements are critical for tools that must operate in diverse environments across the globe.

A SARIF file is structured to efficiently store and convey information about code analysis results. It typically includes fields such as runs, which contains a list of analysis results, and results, which details each finding. Additionally, tool information is embedded to identify the analysis engine, ensuring that users can easily trace the origin of each finding. This structure aids in maintaining consistency and transparency in reporting.

{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "ExampleAnalyzer",
          "semanticVersion": "1.0.5"
        }
      },
      "results": [
        {
          "ruleId": "CA2000",
          "message": {
            "text": "Ensure Dispose is called on all objects." 
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/Program.cs"
                },
                "region": {
                  "startLine": 42,
                  "startColumn": 13
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

SARIF plays a pivotal role in enabling interoperability between various analysis tools. By providing a standardized format, it ensures that results can be easily shared and understood across different platforms and toolchains. This capability is crucial for development teams that rely on a diverse set of tools for code quality and security checks. With SARIF, developers can integrate findings from multiple sources into a unified report, drastically improving workflow efficiency.

For developers, the fields within a SARIF file offer multiple benefits. Fields such as ruleId and message provide clear identification of issues, while locations pinpoint exactly where these issues occur in the codebase. This precise reporting is essential for quick remediation and helps developers maintain high code quality. As a result, SARIF becomes an indispensable tool in a developer's toolkit for standardized reporting and efficient code management.

The Need for Seamless Workflows

In the landscape of modern software development, managing multiple security tools can be a significant challenge. Each tool often comes with its own interface, reporting format, and analysis methods, leading to complex workflows. For teams at Pentestas, this complexity can result in inefficiencies and increased risk of oversight. By centralizing findings in a common format like SARIF (Static Analysis Results Interchange Format), we can streamline these processes, ensuring that security insights are easily accessible across different platforms, such as GitHub Code Scanning.

Streamlined workflows are not just about efficiency; they are critical in the realm of DevSecOps. As development cycles become shorter, the need for rapid feedback loops grows. A seamless integration of security findings into the development process means that teams can address vulnerabilities promptly. This integration minimizes the potential for human error by automating the transfer of data between systems, reducing manual intervention.

Automated vulnerability tracking is a game-changer in maintaining robust security postures. By leveraging tools like GitHub's native code scanning capabilities, teams can automatically track and manage vulnerabilities through the development lifecycle. This automated approach ensures that security issues are flagged and addressed before they can be exploited. Below is a simple example of how a SARIF file can be integrated into GitHub Actions to trigger code scanning:

name: "CodeQL"

on:
  push:
    branches: [main]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
      with:
        sarif: results.sarif

Without integration, workflow interruptions are inevitable. As seen in various case scenarios, teams often struggle with the manual consolidation of findings from disparate tools, leading to delays in remediation. This disruption not only impacts productivity but also leaves vulnerabilities unaddressed for longer periods. By adopting a cohesive strategy that includes SARIF export, organizations can mitigate these interruptions, fostering a more resilient security infrastructure.

Implementing SARIF Export in Pentestas

To enable SARIF export functionality in Pentestas, we first need to navigate to the platform's /settings/integrations directory. Here, a configuration toggle allows us to activate SARIF exports. Enabling this feature ensures that all pentesting findings can be transformed and exported in the SARIF format, making them compatible with GitHub's Code Scanning capabilities. This setup is essential for teams looking to integrate security findings directly into their development workflows, leveraging GitHub's native security features.

Handling data transformation involves mapping our internal report structures to the SARIF fields. This process requires a detailed understanding of both our data schema and the SARIF 2.1.0 specifications. Each finding in Pentestas, such as vulnerabilities and remediation steps, needs to be accurately mapped to SARIF properties like ruleId, message, and locations. Ensuring the data transformation is seamless and accurate is crucial for maintaining the integrity of the exported reports.

{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Pentestas",
          "rules": [
            {
              "id": "CVE-2023-12345",
              "shortDescription": {
                "text": "SQL Injection"
              },
              "fullDescription": {
                "text": "A SQL injection vulnerability was found in the application."
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CVE-2023-12345",
          "message": {
            "text": "Validate user inputs to prevent SQL injection."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/main/java/com/example/app.java"
                },
                "region": {
                  "startLine": 42,
                  "endLine": 42
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Ensuring compatibility with SARIF 2.1.0 specifications is a non-trivial task. It necessitates rigorous validation and testing processes to confirm that our exports conform to the standard. We employ automated validation tools to check the structural correctness of the SARIF files. These tools help us quickly identify any discrepancies or errors, allowing us to make necessary adjustments before the files are deployed. This step is vital to ensure that the generated SARIF files are accepted by GitHub's Code Scanning API without any issues.

Integration with GitHub CodeQL

Integrating Pentestas findings into GitHub CodeQL begins with configuring your GitHub repositories to accept SARIF inputs. This process involves enabling GitHub Advanced Security features and ensuring the repository is properly set up to process SARIF files. In the repository settings, we need to enable "Security" and "Code scanning" options. Once these are configured, GitHub is prepared to ingest SARIF files, creating a seamless bridge between our findings and CodeQL alerts.

To automate the upload of SARIF files, we utilize GitHub Actions. By setting up a workflow YAML file, we can automate this process to trigger on specific events like pull requests or pushes to the main branch. Here's a simple workflow snippet:

name: Upload SARIF

on:
  push:
    branches:
      - main

jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
      uses: actions/checkout@v2
    - name: Upload SARIF to GitHub
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results/pentestas-findings.sarif

Mapping Pentestas findings to CodeQL alerts is crucial for maintaining consistency and clarity in the alerting process. Our SARIF files include metadata that aligns with CodeQL's alert structure, ensuring that each finding is appropriately categorized. This mapping aids in quickly identifying and addressing vulnerabilities. An essential part of this process is ensuring the deduplication of findings. Through careful management of SARIF content, we prevent redundant alerts, which could otherwise lead to alert fatigue among developers.

As-if-CodeQL Workflow

Simulating CodeQL findings using Pentestas data offers a seamless integration method for leveraging GitHub's code scanning capabilities. By translating our findings into the SARIF format, we enable GitHub to treat them as though they originated from a CodeQL scan. This involves converting vulnerability information into structured data that mimics the output of CodeQL, ensuring each issue is accurately reflected in the GitHub interface. For instance, the SARIF file might include a result like:

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Pentestas",
          "rules": [
            {
              "id": "CVE-2023-12345",
              "name": "SQL Injection Vulnerability",
              "fullDescription": {
                "text": "A SQL injection was found in the user login module."
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CVE-2023-12345",
          "message": {
            "text": "A SQL injection was detected in the login module."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/auth/login.js"
                },
                "region": {
                  "startLine": 42,
                  "endLine": 42
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Synchronizing vulnerability data across platforms is crucial for maintaining consistency in alert management. When Pentestas exports findings to GitHub via SARIF, the alerts are automatically populated in the repository's Security tab. This synchronization ensures that any developer accessing the repository can view and act on the latest vulnerability data without manual intervention. Moreover, this integration supports automated workflows, so when a vulnerability is marked as resolved in Pentestas, the change is reflected in GitHub too, maintaining a coherent and up-to-date security posture.

The technical challenges in operating across dual platforms like Pentestas and GitHub include managing the fidelity of data translation and ensuring that alerts are actionable and not overwhelming. One solution we've employed is a mapping system that aligns Pentestas vulnerability categories with GitHub's alert system, providing clarity and consistency. This mapping mitigates the risk of misinterpretation and helps developers prioritize issues effectively, focusing on critical vulnerabilities. By fine-tuning this mapping, we reduce noise and enhance the relevance of alerts, leading to more efficient security workflows within development teams.

Monitoring and Maintenance

Continuous monitoring of our SARIF integrations is crucial to ensure smooth and error-free operation. We utilize comprehensive logs to detect anomalies and errors, enabling us to promptly address issues before they impact the broader workflow. For instance, log entries capturing malformed SARIF files or failed uploads to GitHub are scrutinized using regex patterns. This proactive approach helps maintain the integrity of our code scanning reports.

import re

log_entries = [
    "ERROR: Failed to upload SARIF report at 2023-10-05",
    "WARNING: Malformed SARIF file detected"
]

error_patterns = [r"ERROR: .*", r"WARNING: Malformed SARIF"]

for entry in log_entries:
    if any(re.match(pattern, entry) for pattern in error_patterns):
        print(f"Alert: {entry}")

Scheduled maintenance and updates play a pivotal role in aligning with evolving standards and GitHub API changes. We schedule regular audits of our SARIF reports and exporting scripts, ensuring they adhere to the latest specifications. This includes updating any deprecated fields, adjusting to new CVEs, or modifying API endpoints as required. Such diligence minimizes disruptions and maintains the reliability of our automated processes.

To support this ecosystem, we have developed tools and scripts for automated health checks. These scripts perform routine diagnostics, such as verifying the accessibility of report endpoints or checking for schema validation errors. The results are logged, and any deviations trigger automated alerts to our engineering team for further investigation. This automation streamlines our operations and bolsters our capacity to handle incidents effectively.

Limitations and Future Directions

As we continue to refine our SARIF export capabilities, it's crucial to address the current limitations when integrating with GitHub CodeQL. One significant limitation is the complexity of accurately mapping SARIF results to CodeQL's database schema. This often requires manual adjustments, as automated processes can misinterpret data, leading to false positives or missed vulnerabilities. Additionally, GitHub's handling of SARIF files is sometimes limited by file size restrictions, which can pose challenges for large-scale projects.

To enhance our integration, we are exploring several potential improvements. These include optimizing SARIF file generation to minimize size while maximizing information, and developing more robust mapping algorithms to ensure data accuracy. We're also considering the introduction of a dashboard feature that provides real-time feedback on SARIF processing within GitHub repositories. Our goal is to make the process seamless and intuitive for developers, reducing the need for manual intervention.

"runs": [
  {
    "tool": {
      "driver": {
        "name": "CodeQL",
        "informationUri": "https://github.com/github/codeql"
      }
    },
    "results": [
      {
        "ruleId": "js/sql-injection",
        "message": {
          "text": "Potential SQL injection vulnerability."
        },
        "locations": [
          {
            "physicalLocation": {
              "artifactLocation": {
                "uri": "src/database.js"
              },
              "region": {
                "startLine": 42,
                "startColumn": 8
              }
            }
          }
        ]
      }
    ]
  }
]

The evolving security landscape continually reshapes our integration needs. As new vulnerabilities emerge, our tools must adapt to detect them effectively. This requires ongoing collaboration with security researchers and staying updated with the latest CVEs. We also rely heavily on user feedback to guide our roadmap. Users have highlighted the need for better visualization of SARIF data and more detailed reports, which we are prioritizing in our upcoming updates.

• Reproducible Scans for CI: Pentestas YAML Config in Anger
• On-Demand MobSF: How We Spin Up a Disposable Mobile Pentest Container Per Scan
• Bulk Scans + Rescan All: 100 Targets, One Click
• Source-Aware SAST: Reading the Code So the Scanner Knows Where to Look