SafeSCARF ci-connector (additional parameters)

ci-connector support two modes:

  • list-scanners

  • upload-scan

Both methods require defining SafeSCARF host and token as it was already written.

The first one can be used to show names of scanning tools that can be used in SafeSCARF.

upload-scan supports multiple variables:

$ ci-connector upload-scan --help
Usage: ci-connector upload-scan [OPTIONS]

  upload/re-upload scan result to CI-Scanner SafeSCARF

  --host TEXT                     SafeSCARF host  [required]
  --token TEXT                    SafeSCARF API token  [required]
  -s, --scanner TEXT              SafeSCARF scanner (test type)  [required]
  -e, --engagement-id INTEGER     SafeSCARF engagement ID
  -t, --test-id INTEGER           SafeSCARF test ID
  --tags TEXT                     comma-separated list of tags (ignored in re-

  --inactive                      flag test as inactive
  --unverify                      flag test as unverified
  --severity [Info|Low|Medium|High|Critical]
  -f, --report-file FILENAME      Report file (can also read from stdin)

  --help                          Show this message and exit.

All example snippets use -e which check if specified engagement exists already contains some test. If not, a new test is created. If a test exists (and it is only one), it is automatically found and results are replaced.

In case, engagement contains multiple tests and the developer would like to upload results into the specific one, it is possible to use option -t (instead -e).

--tags allow adding specific tags to scan. They will be shown next to the test name in SVMP and they can be used in search filters.

All findings are automatically marked as Active and Verified. If you would like to change this default behaviour, use --inactive and/or --unverify.

It is also possible to limit processing only findings with some minimal severity by adding --severity .... All findings with lower severity will be skipped.