sarif-issue-reporter

📁 igbuend/grimbard 📅 12 days ago

Total installs: 0
Weekly installs: 2

Install command

npx skills add https://github.com/igbuend/grimbard --skill sarif-issue-reporter

Agent install distribution

github-copilot 2
claude-code 2
mcpjam 1
command-code 1
pi 1
openclaw 1

Skill documentation

# SARIF Issue Reporter

Analyze SARIF files and generate comprehensive security reports.

Target: $ARGUMENTS (path to SARIF file)

## When to Use This Skill

  • Reviewing static analysis results from security scanners
  • Generating vulnerability reports with CVSS scoring
  • Validating SAST findings (true vs false positives)
  • Mapping vulnerabilities to compliance frameworks
  • Creating remediation guidance with code examples

## Core Capabilities

| Capability | Description |
|------------|-------------|
| SARIF Parsing | Read SARIF 2.1.0 format from any scanner |
| Verification | Confirm findings, identify false positives |
| CVSS Scoring | Calculate scores with vector strings |
| Standards Mapping | OWASP, CWE, CAPEC, compliance frameworks |
| Remediation | Code examples and implementation steps |

## Workflow

### Phase 1: Parse SARIF

  1. Load SARIF file at $ARGUMENTS
  2. Extract tool metadata from runs[].tool.driver
  3. Get all results from runs[].results[]
  4. Categorize by severity level
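As an added example (not the skill's own `scripts/sarif_helper.py`), the four Phase 1 steps in Python over a constructed SARIF 2.1.0 document: the tool name, rule ids, file paths and messages in the sample are made up, and the second result deliberately omits `level` and the snippet to show how the spec's fallback and the "read source if snippet missing" case surface.

```python
import json

# Constructed SARIF 2.1.0 document (not real scanner output) with the fields the
# workflow reads: runs[].tool.driver, runs[].results[] and physicalLocation. The
# second result omits `level` (spec fallback to the rule default) and the snippet.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "version": "1.0", "rules": [
            {"id": "py/sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "py/weak-hash", "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from a request parameter."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42, "snippet": {"text": "cur.execute(q % uid)"}}}}]},
            {"ruleId": "py/weak-hash",
             "message": {"text": "MD5 used for password hashing."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 7}}}]}]}],
})

def parse_sarif(text):
    """Return (tool_name, findings): one flat dict per result, ready for Phase 2."""
    doc, tool_name, findings = json.loads(text), None, []
    for run in doc["runs"]:
        driver = run["tool"]["driver"]
        tool_name = tool_name or driver["name"]
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in driver.get("rules", [])}
        for res in run.get("results", []):
            # SARIF 2.1.0: a missing result.level means the rule's default level, else "warning".
            level = res.get("level") or rule_levels.get(res.get("ruleId"), "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            region = loc.get("region", {})
            findings.append({
                "rule": res.get("ruleId"), "level": level,
                "message": res.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri"), "line": region.get("startLine"),
                "snippet": region.get("snippet", {}).get("text"),  # None: read the source file
            })
    return tool_name, findings

def by_level(findings):
    """Phase 1 step 4: bucket findings by SARIF level (error/warning/note/none)."""
    buckets = {}
    for f in findings:
        buckets.setdefault(f["level"], []).append(f)
    return buckets
```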

### Phase 2: Verify Each Issue

  1. Extract: Location, snippet, codeFlows, related locations
  2. Verify: Confirm issue exists, check for false positives, assess exploitability
  3. Enhance: Request additional code context if needed

### Phase 3: Security Assessment

CVSS 3.1 Scoring – Calculate and justify each metric:

  • Attack Vector (AV): N/A/L/P
  • Attack Complexity (AC): L/H
  • Privileges Required (PR): N/L/H
  • User Interaction (UI): N/R
  • Scope (S): U/C
  • Impact (C/I/A): N/L/H each

Vector format: CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_

Impact Analysis: Technical impact, business impact, exploitability, affected assets.

### Phase 4: Standards Mapping

Map each verified issue to:

| Standard | Action |
|----------|--------|
| OWASP Top 10 | Identify category (A01-A10) |
| CWE | Specific ID + parent/child |
| CAPEC | Attack patterns |
| Compliance | PCI-DSS, GDPR, SOC 2, HIPAA, ISO 27001, NIST |

Reference: OWASP Top 10 | CWE | CAPEC

### Phase 5: Report Generation

For each verified issue, generate this report structure:

## [ISSUE-XXX] {Title}

**Severity**: {Critical|High|Medium|Low} | **CVSS**: {Score} ({Vector}) | **Status**: Verified

### Summary
{2-3 sentence overview}

### Code Evidence
**Location**: `{file}:{line}`
```{language}
{code snippet with context}
```

### Exploitation
**Attack Vector**: {Description}
**PoC**: {Example exploit code or request}
**Prerequisites**: {What attacker needs}

### Impact
- **C/I/A**: {Confidentiality/Integrity/Availability impacts}
- **Business**: {Consequences}

### Standards Mapping
- **OWASP**: {Category}
- **CWE**: CWE-{ID}
- **CAPEC**: CAPEC-{ID}
- **Compliance**: {PCI-DSS/GDPR/SOC2 requirements}

### Security Patterns Violated
- {Pattern}: Expected {X}, found {Y}

### Remediation
**Priority**: {Level}

{Fix code}

**Steps**: {Implementation guidance}

### Validation
{Test commands or verification steps}


## Implementation Steps

1. **Load SARIF** - Parse JSON at $ARGUMENTS path
2. **Extract Issues** - Get `runs[].results[]` array
3. **For Each Issue**:
   - Get location from `physicalLocation`
   - Read code context if snippet missing
   - Verify finding exists in source
   - Calculate CVSS with justification
   - Map to standards (OWASP/CWE/CAPEC)
   - Generate remediation code
4. **Output Report** - Markdown format (primary)

### Quality Checklist

Before finalizing each issue:
- [ ] CVSS score calculated with justification
- [ ] Code evidence with context
- [ ] Realistic exploitation scenario
- [ ] Security pattern identified
- [ ] OWASP/CWE/CAPEC mapped
- [ ] Working remediation code

**SARIF Reference**: [SARIF 2.1.0 Spec](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)

## Example Usage

User: Analyze results.sarif and report critical/high issues

Claude: 1. Parse SARIF → 2. Filter by severity → 3. Verify each finding → 4. Calculate CVSS → 5. Map to standards → 6. Generate report

## Best Practices

| Practice | Why |
|----------|-----|
| Always verify | SAST tools produce false positives |
| Realistic exploitation | Theoretical attacks aren't useful |
| Working remediation code | Not pseudo-code |
| Complete standards mapping | OWASP/CWE/CAPEC/Compliance |
| Sufficient code context | Understand the full picture |

## Executive Summary Template

```markdown
# Security Analysis Report
**Tool**: {name} | **Date**: {date} | **Scope**: {files scanned}

## Overview
| Metric | Count |
|--------|-------|
| Total Issues | {n} |
| Verified | {n} |
| False Positives | {n} |

## Severity Distribution
Critical (9.0-10.0): {n} | High (7.0-8.9): {n} | Medium (4.0-6.9): {n} | Low (0.1-3.9): {n}

## Top Risks
1. {Issue} - CVSS {score}
2. {Issue} - CVSS {score}
3. {Issue} - CVSS {score}
```

## Anti-Patterns

  • Reporting unverified issues
  • Generic remediation advice
  • Missing exploitation scenarios
  • Incomplete CVSS justification
  • Ignoring code context

## Success Criteria

  • All critical/high issues verified
  • CVSS scores justified
  • Working exploitation examples
  • Production-ready remediation code
  • Complete standards mapping

## References

Helper script available: scripts/sarif_helper.py