This crate provides a command line tool to convert hadolint diagnostic output
into SARIF.
The latest documentation can be found here.
hadolint is a popular linter / static analysis tool for Dockerfiles. More information can be found on the official repository: https://github.com/hadolint/hadolint
SARIF or the Static Analysis Results Interchange Format is an industry standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.
hadolint-sarif may be installed via cargo
shell
cargo install hadolint-sarif
via cargo-binstall
shell
cargo binstall hadolint-sarif
or downloaded directly from Github Releases
```shell
curl -sSL https://github.com/psastras/sarif-rs/releases/download/hadolint-sarif-latest/hadolint-sarif-x86_64-unknown-linux-gnu -o hadolint-sarif ```
For most cases, simply run hadolint with json output and pipe the results
into hadolint-sarif.
shell
hadolint -f json Dockerfile | hadolint-sarif
If you are using Github Actions, SARIF is useful for integrating with Github Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository.
After uploading hadolint-sarif output to Github, hadolint diagnostics are
available in GHAS.
```yaml on: workflow_run: workflows: ["main"] branches: [main] types: [completed]
name: sarif
jobs: upload-sarif: runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/main' }} steps: - uses: actions/checkout@v2 - uses: actions-rs/toolchain@v1 with: profile: minimal toolchain: stable override: true - uses: Swatinem/rust-cache@v1 - run: cargo install hadolint-sarif sarif-fmt - run: hadolint -f json Dockerfile | hadolint-sarif | tee results.sarif | sarif-fmt - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: sarif_file: results.sarif ```
License: MIT