Loading README.md +3 −0 Original line number Diff line number Diff line Loading @@ -72,6 +72,8 @@ Depending on the security tools you launch, and their configuration, you may hav | `DEFECTDOJO_MOBSF_REPORTS` | path to MobSF JSON reports | `mobsf*.json` | | `DEFECTDOJO_NODEJSSCAN_REPORTS` | path to NodeJSScan SARIF reports | `nodejsscan-report-sarif.json` | | `DEFECTDOJO_NPMAUDIT_REPORTS` | path to NPM Audit JSON reports | `npm-audit*.json` | | `DEFECTDOJO_SEMGREP_REPORTS`| Path to Semgrep reports | `reports/semgrep.json`| | `SEMGREP_TEMPLATE`| Path to Semgrep template | _none_ | | `DEFECTDOJO_TESTSSL_REPORTS` | path to TestSSL CSV reports | `reports/testssl.native.csv` | | `DEFECTDOJO_ZAP_REPORTS` | path to Zap xml reports | `reports/zap.native.xml` | | `ZAP_TPL_PROJECT` | path to Zap template (if any) | _none_ | Loading Loading @@ -108,6 +110,7 @@ For now, the current template allows to import reports from the following tools: - MobSF - NodeJSScan - NPM Audit - Semgrep - SonarQube - TestSSL - Trivy Loading kicker.json +11 −0 Original line number Diff line number Diff line Loading @@ -107,6 +107,17 @@ "description": "Path to Zap template", "advanced": true }, { "name": "DEFECTDOJO_SEMGREP_REPORTS", "description": "Path to Semgrep reports", "default": "reports/semgrep.json", "advanced": true }, { "name": "SEMGREP_TEMPLATE", "description": "Path to Semgrep template", "advanced": true }, { "name": "DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD", "description": "Determines if delta analysis is activated for SonarQube export", Loading templates/gitlab-ci-defectdojo.yml +24 −0 Original line number Diff line number Diff line Loading 
@@ -34,6 +34,7 @@ variables: DEFECTDOJO_TRIVY_REPORTS: "trivy/*.json trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json" DEFECTDOJO_HADOLINT_REPORTS: "hadolint-json-*.json reports/docker-hadolint-*.native.json" DEFECTDOJO_MOBSF_REPORTS: "mobsf*.json" DEFECTDOJO_SEMGREP_REPORTS: "reports/semgrep.json" DEFECTDOJO_TESTSSL_REPORTS: "reports/testssl.native.csv" DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD: "false" DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT: "true" Loading Loading @@ -335,6 +336,18 @@ variables: fi done # Semgrep # template: semgrep semgrep_nb_reports=0 for file in ${DEFECTDOJO_SEMGREP_REPORTS} do if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then log_info "semgrep report found: $file" semgrep_nb_reports=$((semgrep_nb_reports + 1)) nb_reports=$((nb_reports + 1)) fi done log_info "$nb_reports reports" if [ "$nb_reports" -gt 0 ]; then Loading Loading @@ -482,6 +495,17 @@ variables: done fi if [ "$semgrep_nb_reports" -gt 0 ]; then semgrep_tpl_version=$(get_tpl_version_in_use "$SEMGREP_TEMPLATE") log_info "Semgrep template version: $semgrep_tpl_version" for file in ${DEFECTDOJO_SEMGREP_REPORTS} do if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then import_scan "$file" "Semgrep JSON Report" "$engagement_id" "$SEMGREP_TEMPLATE ${semgrep_tpl_version}" fi done fi # Close the engagement curl -L -X POST "${DEFECTDOJO_SERVER_URL}/api/v2/engagements/$engagement_id/close/" --header "Authorization: Token $DEFECTDOJO_API_KEY" -d '' Loading Loading
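Review bot: In the third hunk, `semgrep_tpl_version=$(get_tpl_version_in_use "$SEMGREP_TEMPLATE")` runs even when `SEMGREP_TEMPLATE` is unset, which is its documented default (`_none_` in the README, and the kicker.json entry declares no default), so the helper is called with an empty argument and the tag handed to `import_scan` becomes `" ${semgrep_tpl_version}"` with an empty template name; whether that is harmless depends on `get_tpl_version_in_use`, which is defined outside the hunk. If the other template-backed imports in this file behave the same way this is at least consistent, otherwise a guard such as `if [[ -n "$SEMGREP_TEMPLATE" ]]; then semgrep_tpl_version=$(get_tpl_version_in_use "$SEMGREP_TEMPLATE"); fi` before the loop avoids the empty call. A one-line comment above the block, `# SEMGREP_TEMPLATE may be empty: the report is then tagged with the version only`, would make the intended behaviour explicit either way. The same observation applies to the repeated copy of this file section further down the page. The enclosing script block starts and ends outside the hunk.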
README.md +3 −0 Original line number Diff line number Diff line Loading @@ -72,6 +72,8 @@ Depending on the security tools you launch, and their configuration, you may hav | `DEFECTDOJO_MOBSF_REPORTS` | path to MobSF JSON reports | `mobsf*.json` | | `DEFECTDOJO_NODEJSSCAN_REPORTS` | path to NodeJSScan SARIF reports | `nodejsscan-report-sarif.json` | | `DEFECTDOJO_NPMAUDIT_REPORTS` | path to NPM Audit JSON reports | `npm-audit*.json` | | `DEFECTDOJO_SEMGREP_REPORTS`| Path to Semgrep reports | `reports/semgrep.json`| | `SEMGREP_TEMPLATE`| Path to Semgrep template | _none_ | | `DEFECTDOJO_TESTSSL_REPORTS` | path to TestSSL CSV reports | `reports/testssl.native.csv` | | `DEFECTDOJO_ZAP_REPORTS` | path to Zap xml reports | `reports/zap.native.xml` | | `ZAP_TPL_PROJECT` | path to Zap template (if any) | _none_ | Loading Loading @@ -108,6 +110,7 @@ For now, the current template allows to import reports from the following tools: - MobSF - NodeJSScan - NPM Audit - Semgrep - SonarQube - TestSSL - Trivy Loading
kicker.json +11 −0 Original line number Diff line number Diff line Loading @@ -107,6 +107,17 @@ "description": "Path to Zap template", "advanced": true }, { "name": "DEFECTDOJO_SEMGREP_REPORTS", "description": "Path to Semgrep reports", "default": "reports/semgrep.json", "advanced": true }, { "name": "SEMGREP_TEMPLATE", "description": "Path to Semgrep template", "advanced": true }, { "name": "DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD", "description": "Determines if delta analysis is activated for SonarQube export", Loading
templates/gitlab-ci-defectdojo.yml +24 −0 Original line number Diff line number Diff line Loading @@ -34,6 +34,7 @@ variables: DEFECTDOJO_TRIVY_REPORTS: "trivy/*.json trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json" DEFECTDOJO_HADOLINT_REPORTS: "hadolint-json-*.json reports/docker-hadolint-*.native.json" DEFECTDOJO_MOBSF_REPORTS: "mobsf*.json" DEFECTDOJO_SEMGREP_REPORTS: "reports/semgrep.json" DEFECTDOJO_TESTSSL_REPORTS: "reports/testssl.native.csv" DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD: "false" DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT: "true" Loading Loading @@ -335,6 +336,18 @@ variables: fi done # Semgrep # template: semgrep semgrep_nb_reports=0 for file in ${DEFECTDOJO_SEMGREP_REPORTS} do if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then log_info "semgrep report found: $file" semgrep_nb_reports=$((semgrep_nb_reports + 1)) nb_reports=$((nb_reports + 1)) fi done log_info "$nb_reports reports" if [ "$nb_reports" -gt 0 ]; then Loading Loading @@ -482,6 +495,17 @@ variables: done fi if [ "$semgrep_nb_reports" -gt 0 ]; then semgrep_tpl_version=$(get_tpl_version_in_use "$SEMGREP_TEMPLATE") log_info "Semgrep template version: $semgrep_tpl_version" for file in ${DEFECTDOJO_SEMGREP_REPORTS} do if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then import_scan "$file" "Semgrep JSON Report" "$engagement_id" "$SEMGREP_TEMPLATE ${semgrep_tpl_version}" fi done fi # Close the engagement curl -L -X POST "${DEFECTDOJO_SERVER_URL}/api/v2/engagements/$engagement_id/close/" --header "Authorization: Token $DEFECTDOJO_API_KEY" -d '' Loading