python script to convert tfsec json output into gitlab sast report, will get parsed by gitlab and result in vulnerabilities being visible/manageable in gitlab vuln management interface

tfsec-json-to-gitlab-sast-report.py

#!/usr/bin/env python3

# MIT License
# 
# Copyright (c) 2025 Nick Doyle
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

import sys
import datetime
import json
import uuid

'''
# Description
Convert tfsec json output to gitlab sast json format
TFSec https://github.com/aquasecurity/tfsec
Gitlab spec https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json

# Usage
Gitlab pipeline like so:

tfsec:
  stage: test
  image: aquasec/tfsec-ci
  allow_failure: true
  script:
    - tfsec --format=json --soft-fail --out tfsec-sast-report.json
  artifacts:
    when: always
    paths:
      - tfsec-sast-report.json

tfsec convert:
  stage: test
  image: python:3.9
  needs: [tfsec]
  script:
    - python3 ./tfsec-json-to-gitlab-sast-report.py ./tfsec-sast-report.json > gitlab-sast-report.json
  artifacts:
    paths:
      - gitlab-sast-report.json
    reports:
      sast: gitlab-sast-report.json

'''


def convert_tfsec_to_gitlab(tfsec_results):
  # Initialize an empty list for gitlab vulnerabilities
  gitlab_vulnerabilities = []
  for result in tfsec_results:
    # Create a dictionary for each gitlab vulnerability
    gitlab_vulnerability = {}
    gitlab_vulnerability["id"] = str(uuid.uuid4())
    gitlab_vulnerability["category"] = "sast"
    gitlab_vulnerability["message"] = result["rule_description"]
    gitlab_vulnerability["description"] = result["description"]
    gitlab_vulnerability["cve"] = ""
    gitlab_vulnerability["severity"] = result["severity"].title()
    gitlab_vulnerability["scanner"] = {
      "id": "tfsec",
      "name": "tfsec"
    }
    gitlab_vulnerability["location"] = {
      "file": result["location"]["filename"],
      "start_line": result["location"]["start_line"],
      "end_line": result["location"]["end_line"]
    }
    gitlab_vulnerability["identifiers"] = [
      {
        "type": "tfsec_id",
        "name": result["long_id"],
        "value": result["rule_id"],
        # Set the url to the first link in the links list
        "url": result["links"][0]
      }
    ]
    gitlab_vulnerabilities.append(gitlab_vulnerability)
  return gitlab_vulnerabilities

def write_gitlab_format(gitlab_vulnerabilities):
  gitlab_format = {}
  gitlab_format["version"] = "15.0.6"
  gitlab_format["vulnerabilities"] = gitlab_vulnerabilities
  gitlab_format["scan"] = {
    "analyzer": {
      "id": "tfsec",
      "name": "tfsec",
      "url": "https://github.com/aquasecurity/tfsec",
      "vendor": {
        "name": "Aqua"
      },
      "version": "v1.28.1"
    },
    "scanner": {
      "id": "tfsec",
      "name": "tfsec",
      "url": "https://github.com/aquasecurity/tfsec",
      "vendor": {
        "name": "Aqua"
      },
      "version": "v1.28.1"
    },
    "type": "sast",
    "start_time": datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S"), #json.dumps(json.loads(json.dumps({"time": None}))['time'], default=str),
    "end_time": datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S"), 
    "status": "success"
  }
  print(json.dumps(gitlab_format, indent=2))

def read_tfsec_report(filename):
  with open(filename, 'r') as f:
    tfsec_report = json.load(f)
  return tfsec_report

def convert_tfsec_report_file_to_gitlab_format(filename):
  tfsec_report = read_tfsec_report(filename)
  tfsec_results = tfsec_report["results"]
  gitlab_vulnerabilities = convert_tfsec_to_gitlab(tfsec_results)
  write_gitlab_format(gitlab_vulnerabilities)

if len(sys.argv) == 2:
  filename = sys.argv[1]
  convert_tfsec_report_file_to_gitlab_format(filename)
else:
  print("Usage: python tfsec-json-to-gitlab-sast-report.py <filename>")
  sys.exit(1)

Would love if you could add any FOSS licence for that :) e.g. MIT

Would love if you could add any FOSS licence for that :) e.g. MIT

Sure, done :)

Perfect - thank you!