We are considering using Anchore for our vulnerability scanning (it appears to be able to scan packages in the container so it might be an alternative to OWASP).
Of course we’d end up missing the cool integration between OWASP reports and SonarQube.
Are there any integrations that exist with Anchore? If not and someone was really motivated, how would they go about creating one?
Presumably Anchore generates reports that list issues and corresponding code locations? If so, you can either translate them to the Generic Issues format or write a plugin that allows you to
- manage Anchore rules in your Quality Profile
- import reports in their native format
As a model for that, there's probably an analogous OSS plugin in the Marketplace you could look at.
For example, many of the language analyzers are OSS, and all the community plugins in the marketplace are OSS. Just pick the ones that do something like what you want to achieve and go from there.
Feel free to come back here when you have specific development questions & open new threads in the Plugin Development category.
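The first option from the reply above, translating the scanner output into SonarQube's Generic Issue import format, as an added example. This is not code from Anchore, SonarSource or any marketplace plugin. The input shape (a `vulnerabilities` list with `vuln`, `package_name`, `package_version`, `severity`, `fix` and `url` keys) is an assumption modelled on anchore-cli JSON output and must be checked against a real report; the sample data and the `CVE-0000-000N` identifiers are constructed placeholders, not real advisories. Because a container scan reports packages rather than source lines, the converter attaches every finding to one file in the project (the `Dockerfile` by default) instead of a text range, which the Generic Issue format allows. The severity mapping and the choice to report unrated findings as MAJOR are the author's own.

```python
"""Convert an Anchore-style vulnerability report into SonarQube's
Generic Issue import format (consumed via sonar.externalIssuesReportPaths).

Added example; not Anchore's or SonarSource's code. The input layout is an
assumption modelled on anchore-cli JSON output.
"""
import json
import sys

# Constructed sample input; the CVE-0000-* identifiers are placeholders, not real CVEs.
SAMPLE_ANCHORE_REPORT = {
    "imageDigest": "sha256:placeholder",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package_name": "libexample", "package_version": "1.0.0",
         "severity": "High", "fix": "1.0.1", "url": "https://example.invalid/CVE-0000-0001"},
        {"vuln": "CVE-0000-0002", "package_name": "libexample", "package_version": "1.0.0",
         "severity": "Critical", "fix": "None", "url": "https://example.invalid/CVE-0000-0002"},
        {"vuln": "CVE-0000-0003", "package_name": "othertool", "package_version": "2.3",
         "severity": "Negligible", "fix": "None", "url": ""},
        {"vuln": "CVE-0000-0004", "package_name": "othertool", "package_version": "2.3",
         "severity": "Unknown", "fix": "", "url": ""},
    ],
}

# Anchore severity words -> SonarQube severities. The mapping is a local choice;
# "Unknown" is deliberately not hidden, so it lands on MAJOR.
SEVERITY_MAP = {
    "critical": "BLOCKER",
    "high": "CRITICAL",
    "medium": "MAJOR",
    "low": "MINOR",
    "negligible": "INFO",
    "unknown": "MAJOR",
}
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}


def to_sonar_severity(anchore_severity):
    """Map a scanner severity string to a SonarQube severity; unrecognised -> MAJOR."""
    return SEVERITY_MAP.get(str(anchore_severity or "").strip().lower(), "MAJOR")


def convert(report, file_path="Dockerfile", engine_id="anchore", min_severity="INFO"):
    """Build a Generic Issue document from the scanner report.

    file_path must be a file that the SonarQube scanner indexes (inside
    sonar.sources), otherwise the issue is dropped at import time.
    """
    threshold = SEVERITY_RANK[min_severity]
    issues = []
    for v in report.get("vulnerabilities", []):
        severity = to_sonar_severity(v.get("severity"))
        if SEVERITY_RANK[severity] < threshold:
            continue  # below the configured reporting floor
        fix = (v.get("fix") or "").strip()
        fix_text = f"fixed in {fix}" if fix and fix.lower() != "none" else "no fix available"
        message = (f"{v['vuln']} in {v.get('package_name')} "
                   f"{v.get('package_version')}: {fix_text}")
        if v.get("url"):
            message += f" (see {v['url']})"
        issues.append({
            "engineId": engine_id,      # groups all imported issues under one "engine"
            "ruleId": v["vuln"],        # one external rule per advisory identifier
            "severity": severity,
            "type": "VULNERABILITY",
            # No textRange: the issue is reported at file level, since the
            # scanner knows the package but not a source line.
            "primaryLocation": {"message": message, "filePath": file_path},
        })
    return {"issues": issues}


def write_sonar_report(report, out_path, **kwargs):
    """Convert and write the Generic Issue JSON file; returns the issue count."""
    doc = convert(report, **kwargs)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return len(doc["issues"])


if __name__ == "__main__":
    # Usage: python anchore_to_sonar.py anchore-report.json anchore-sonar.json
    src = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_ANCHORE_REPORT
    dst = sys.argv[2] if len(sys.argv) > 2 else "anchore-sonar.json"
    print(f"wrote {write_sonar_report(src, dst)} issues to {dst}")
```

Point the scanner at the output with `sonar.externalIssuesReportPaths=anchore-sonar.json`. Two caveats a practitioner should plan for: the chosen `filePath` has to be part of the analysed sources or the scanner silently ignores the issue, and externally imported issues cannot be managed through a Quality Profile, which is exactly the gap the plugin route in the reply above is meant to close.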
Hey thanks, that helps. I think I’d be interested in a good (simple) example of a plugin that is used to support a new file format for importing issues. Maybe you can point me to one of those?