Display Trivy reports on sonarcloud

Hello guys,

For my project I have Trivy set up to take care of scanning the built images for vulnerabilities. Trivy is set up to generate reports in JSON and SARIF formats. I need to display these reports along with the other code issues and hotspots that are shown in SonarCloud.

Can this type of task be done?

I have read about test execution parameters and how they can display things in SonarCloud. But all the content there is in regard to some particular language like C or Java or Python. In my case, there is no language involved, just Docker images.

Can anyone help me out by pointing me in the right direction?

Appreciate any help
Thanks in advance

Hey there.

The ability to import SARIF reports (as is already possible for SonarQube) is on our roadmap (I encourage you to go vote for the card!)

For now, you might be able to convert a JSON/SARIF report to Generic issue data to be imported into SonarCloud.

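One way to do the conversion suggested above, as an added example that is not code from the thread or from Trivy/SonarSource: a small Python script that turns a Trivy SARIF image report into the Generic Issue Import JSON that SonarQube/SonarCloud reads via `sonar.externalIssuesReportPaths`. It assumes the `engineId`/`ruleId`/`severity`/`type`/`primaryLocation` shape of that format, and, because image findings have no source file, pins every issue to the project's `Dockerfile` at line 1 (the file must be part of the analyzed sources or SonarCloud drops the issue).

```python
import json

# Constructed, trimmed sample of the SARIF Trivy emits for an image scan
# (two findings; security-severity carries the CVSS base score as a string).
SAMPLE_SARIF = {"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "CVE-0000-0001", "shortDescription": {"text": "libfoo: heap overflow"},
         "properties": {"security-severity": "9.8"}},
        {"id": "CVE-0000-0002", "shortDescription": {"text": "libbar: info leak"},
         "properties": {"security-severity": "5.3"}},
    ]}},
    "results": [
        {"ruleId": "CVE-0000-0001", "ruleIndex": 0, "level": "error",
         "message": {"text": "Package: libfoo\nInstalled Version: 1.0\nFixed Version: 1.1"}},
        {"ruleId": "CVE-0000-0002", "ruleIndex": 1, "level": "warning",
         "message": {"text": "Package: libbar\nInstalled Version: 2.0\nFixed Version: 2.1"}},
    ],
}]}


def cvss_to_sonar_severity(score):
    """Map a CVSS base score to one of Sonar's severity levels (assumed thresholds)."""
    if score >= 9.0:
        return "BLOCKER"
    if score >= 7.0:
        return "CRITICAL"
    if score >= 4.0:
        return "MAJOR"
    return "MINOR"


def sarif_to_generic_issues(sarif, file_path="Dockerfile"):
    """Build the {"issues": [...]} document for sonar.externalIssuesReportPaths."""
    issues = []
    for run in sarif.get("runs", []):
        rules = run["tool"]["driver"].get("rules", [])
        for res in run.get("results", []):
            rule = rules[res["ruleIndex"]] if "ruleIndex" in res else {}
            score = float(rule.get("properties", {}).get("security-severity", 0))
            title = rule.get("shortDescription", {}).get("text", res["ruleId"])
            issues.append({
                "engineId": "trivy",
                "ruleId": res["ruleId"],
                "severity": cvss_to_sonar_severity(score),
                "type": "VULNERABILITY",
                "primaryLocation": {
                    # Sonar shows a single-line message, so flatten Trivy's newlines.
                    "message": f"{title}: {res['message']['text']}".replace("\n", "; "),
                    "filePath": file_path,  # must be a file inside sonar.sources
                    "textRange": {"startLine": 1, "endLine": 1},
                },
            })
    return {"issues": issues}


if __name__ == "__main__":
    print(json.dumps(sarif_to_generic_issues(SAMPLE_SARIF), indent=2))
```

Write the output to a file and point `sonar.externalIssuesReportPaths` at it in `sonar-project.properties`; the issues then appear under the external `trivy` engine rather than as native Sonar rules.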


Hey @Sasank_Madati

Just an update, we now support importing SARIF reports in SonarCloud.