Import Github Vulernability Scans

[CarpFlop]

Hi all,

I am attempting to import Vulnerabilities from Github Security -> Vulnerability Alerts -> Code Scanning.

While using the API to attempt importing Code scanning alerts directly to DefectDojo I realized it does not accept the format.
So now I am using the parser provided in DefectDojo documentation that leverages GraphQL for Github Vulnerability Alerts but so far that I have seen it is only pulling from the Dependabot.
https://documentation.defectdojo.com/integrations/parsers/file/github_vulnerability/

My questions are:
Is there any inherent DefectDojo functionality for importing Github Advanced Security alerts beyond what I'm seeing? For code scanning and secrete scanning, dependabot aside?

Is there a fast way to adjust DefectDojo's python script example for importing Github vulnerabilities to pull Code Scanning Alerts instead of Dependabot Alerts? I would assume since they are all under "Vulnerability Alerts" that this is possible but haven't been successful yet.

Can/Should I write my own template for importing Github Code Scanning Alerts in the format they're produced when pulled via API from GitHub Repo?

[manuel-sommer]

Hi @CarpFlop,

could you please open up an issue and provide an anonymized sample file of the Github Vulnerability Alerts?
Do I get you right, you try to import the report with the help of the REST API of DefectDojo?
Then, I can help you to adjust the code and get it running.

Best Regards

[CarpFlop]

Hi @manuel-sommer,

Have just finished doing exactly this. Example.json from querying code-scanning results directly, with two example vulnerabilities attached
#9582

You are correct, I pull the code scanning alerts using GitHub API and then attempt to import them using DefectDojo REST API "/import-scan/", marking the scan_type as "Github Vulnerability Scan"