Hi,
Sorry for the lateness on this topic.
So getting this as a votable gate is going to take a fair amount of work. Currently the tool does the following:
Walk through directories and folders to discover what language is used. It then matches up a scanning tool based on the findings. You can see this in the following conditional:
    # Project contains only python files
    if py and not (java or c):
        run_bandit(reports_dir, project, projdir)
    # Project contains c files
    if c and not (java):
        run_rats(reports_dir, project, projdir)
    # Project contains only java files
    if java and not (py or c):
        run_pmd(reports_dir, project, projdir)
    # Project contains a mix of c and python
    if c and py and not (java):
        run_rats(reports_dir, project, projdir)
    # Project contains ruby, php or perl files
    if rb or php or perl:
        run_rats(reports_dir, project, projdir)
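To make the discovery-then-dispatch step concrete, here is an added example (mine, not the tool's own code) that walks a tree, buckets files by extension into the same py/c/java/rb/php/perl flags, and returns the scanner runs the conditional above would issue. The extension map, the pruned directory names and the sample layout are assumptions for the example; the branch order is copied from the conditional as-is, including the second rats run for a mixed C/Python tree and the absence of any scanner when Java is mixed with C or Python.

```python
import os
import tempfile

# Extension-to-language buckets matching the flags (py, c, java, rb, php, perl)
# the conditional tests. The mapping is an assumption for this example.
EXTENSIONS = {
    ".py": "py",
    ".c": "c", ".h": "c", ".cc": "c", ".cpp": "c", ".hpp": "c",
    ".java": "java",
    ".rb": "rb",
    ".php": "php",
    ".pl": "perl", ".pm": "perl",
}

# Directories that should not influence language detection (assumed list).
SKIP_DIRS = {".git", ".tox", "node_modules"}


def detect_languages(root):
    """Walk the project tree and return the set of language buckets present."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into skipped directories.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            lang = EXTENSIONS.get(os.path.splitext(name)[1].lower())
            if lang:
                found.add(lang)
    return found


def choose_scanners(langs):
    """Return the ordered list of scanner runs the original conditional issues.

    The branches mirror the original one for one, so its behaviour is kept
    rather than corrected: a mixed C/Python tree triggers rats twice, and
    Java mixed with C or Python triggers nothing.
    """
    py, c, java = "py" in langs, "c" in langs, "java" in langs
    rb, php, perl = "rb" in langs, "php" in langs, "perl" in langs
    runs = []
    if py and not (java or c):          # only python
        runs.append("bandit")
    if c and not java:                  # c files present
        runs.append("rats")
    if java and not (py or c):          # only java
        runs.append("pmd")
    if c and py and not java:           # mix of c and python
        runs.append("rats")
    if rb or php or perl:               # ruby, php or perl
        runs.append("rats")
    return runs


def build_sample_tree():
    """Create a constructed project layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="scanner-demo-")
    layout = {
        "app/main.py": "print('hello')\n",
        "native/fast.c": "int main(void) { return 0; }\n",
        "README.md": "constructed sample project\n",
        ".git/config": "[core]\n",      # ignored: inside a pruned directory
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    project = build_sample_tree()
    langs = detect_languages(project)
    print(sorted(langs), "->", choose_scanners(langs))
```

Running it on the constructed tree reports `['c', 'py'] -> ['rats', 'rats']`, which shows why the mixed C/Python branch is redundant with the plain C branch and is worth collapsing before any of this becomes a gate.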
Whereby we have three scanners (rats, bandit and PMD):
Bandit (Python) https://github.com/openstack/bandit
PMD (Java) https://pmd.github.io/
Rats (C / C++, Ruby, Perl) https://code.google.com/archive/p/rough-auditing-tool-for-security/
Each of these tools generates an HTML report (but using its own formatting) - this means we would need three sets of serializers to parse out FAIL / PASS results.
An exception to the above is Bandit, which, being an OpenStack-developed tool, can more easily be wired into Gerrit / Jenkins (but it only lints Python code).
Another key consideration is false positives, as some FAILs may be acceptable when considered by a human.
So with this in mind I think the following would be a good approach.
Generate reports as above, and provide them as a non-votable Jenkins check.
Extend the tool to look for private keys, blobs, binaries and other nasty stuff and have those as gates with a vote.
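As an added illustration of what the voting gate could look like (my example, not the tool's code), the block below walks a tree and flags committed private key material (by PEM header) and binaries (by extension or by a NUL byte in the first block), then turns the findings into a +1/-1 verdict. The header regex, the extension list, the chunk size and the allowlist mechanism, which is where a human-judged false positive would be recorded, are all assumptions; the "key" in the constructed sample is a placeholder string, not key material.

```python
import os
import re
import tempfile

# PEM headers that indicate private key material was committed. The pattern is
# an assumption for this example, not the tool's own.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Extensions that should never land in the repo as source (assumed list).
BINARY_EXTENSIONS = {".so", ".o", ".a", ".class", ".jar", ".exe", ".dll", ".pyc"}

SKIP_DIRS = {".git"}


def is_binary(chunk):
    """Heuristic: a NUL byte in the first block of a file marks it as binary."""
    return b"\x00" in chunk


def scan_gate(root, allowlist=()):
    """Return sorted (relative path, reason) findings for the voting gate.

    allowlist holds relative paths a reviewer has already judged acceptable,
    which is how a known false positive stops blocking the vote.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel in allowlist:
                continue
            with open(path, "rb") as fh:
                head = fh.read(8192)          # only the first block is inspected
            if PRIVATE_KEY_RE.search(head):
                findings.append((rel, "private key material"))
            elif os.path.splitext(name)[1].lower() in BINARY_EXTENSIONS:
                findings.append((rel, "binary by extension"))
            elif is_binary(head):
                findings.append((rel, "binary content"))
    return sorted(findings)


def vote(findings):
    """Gerrit-style verdict: -1 on any finding, +1 when the tree is clean."""
    return -1 if findings else 1


def build_sample_tree():
    """Create a constructed project in a temp dir; the 'key' is a placeholder."""
    root = tempfile.mkdtemp(prefix="gate-demo-")
    files = {
        "src/app.py": b"print('ok')\n",
        "deploy/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                          b"CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                          b"-----END RSA PRIVATE KEY-----\n"),
        "build/libdemo.so": b"\x7fELF\x00\x00\x00\x00constructed",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    project = build_sample_tree()
    found = scan_gate(project)
    for rel, reason in found:
        print(f"FAIL {rel}: {reason}")
    print("vote:", vote(found))
    # A reviewer accepts the image; the key and the shared object still block.
    print("vote with logo allowed:", vote(scan_gate(project, allowlist=("assets/logo.png",))))
```

The allowlist is the part that matters for a vote: without it every image or test fixture with a NUL byte would block merges, so the human decision about what is acceptable needs somewhere to live in the repo rather than in the reviewer's head.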