GitLab offers security scanning and visualization directly on their platform.
One nice feature is direct insights on merge requests. However, this feature is only available with the Ultimate tier. To also use it on the free tier, one can work around the restriction by taking the security tool output, converting it to the JUnit format, and uploading it as a JUnit report.
To summarize, this tool is for you if:
If you are on the GitLab Ultimate tier, just use their tooling! No need to mess up your .gitlab-ci.yml file. :smile:
All scanning types available under the free tier:
Procedure:
You can use the following report types as inputs to the ss2ju command (e.g. ss2ju sast ...):
This example can be used as is.

```yaml
stages:
  - test
  - convert

include:
  - template: Security/Secret-Detection.gitlab-ci.yml

# Override the template job so the raw JSON report is kept as a plain artifact
secret_detection:
  artifacts:
    paths:
      - gl-secret-detection-report.json
    when: always

# Convert the JSON report to JUnit XML and upload it as a JUnit report
secret_convert:
  stage: convert
  dependencies:
    - secret_detection
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju secrets gl-secret-detection-report.json gl-secret-detection-report.xml
  artifacts:
    reports:
      junit: gl-secret-detection-report.xml
```
Since GitLab decides dynamically which scanners to use depending on the project languages, it makes sense to first perform a test run that only includes the template. This way one can see which jobs are executed and then override them.
```yaml
stages:
  - test
  - convert

include:
  - template: Security/SAST.gitlab-ci.yml

# Every SAST job writes gl-sast-report.json, so copy it to a per-scanner name
# before it is overwritten by the next job
semgrep-sast:
  after_script:
    - cp gl-sast-report.json gl-sast-semgrep-report.json
  artifacts:
    paths:
      - gl-sast-semgrep-report.json
    when: always

brakeman-sast:
  after_script:
    - cp gl-sast-report.json gl-sast-brakeman-report.json
  artifacts:
    paths:
      - gl-sast-brakeman-report.json
    when: always

semgrep-sast-convert:
  stage: convert
  dependencies:
    - semgrep-sast
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju sast gl-sast-semgrep-report.json gl-sast-semgrep-report.xml
  artifacts:
    reports:
      junit: gl-sast-semgrep-report.xml

brakeman-sast-convert:
  stage: convert
  dependencies:
    - brakeman-sast
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju sast gl-sast-brakeman-report.json gl-sast-brakeman-report.xml
  artifacts:
    reports:
      junit: gl-sast-brakeman-report.xml
```
```yaml
# Assumed stage list: Jobs/Build.gitlab-ci.yml runs in the build stage and
# container_scanning runs in the test stage
stages:
  - build
  - test
  - convert

include:
  - template: Jobs/Build.gitlab-ci.yml # Build and push the container image
  - template: Security/Container-Scanning.gitlab-ci.yml # Scan the built image

container_scanning:
  artifacts:
    paths:
      - gl-container-scanning-report.json
    when: always

container_scanning-convert:
  stage: convert
  dependencies:
    - container_scanning
  script:
    - pip3 install SecScanner2JUnit
    - ss2ju container_scanning gl-container-scanning-report.json gl-container-scanning-report.xml
  artifacts:
    reports:
      junit: gl-container-scanning-report.xml
```
You can provide a suppression file that allows some vulnerabilities to be ignored.
Create a file ss2ju-config.yml (e.g. in the .gitlab directory) with the following content:

```yaml
sast:
  suppressions:
    - type: "cwe"
      value: "2555"
    - type: "find_sec_bugs_type"
      value: "SPRING_ENDPOINT"
    - id: "db914ce5737b49650ae650fc3b0fe38a531eadd8ea780f48a013419c4adec7f0"
```
Now you can modify the execution commands as follows:

```yaml
    - ss2ju sast gl-sast-semgrep-report.json gl-sast-semgrep-report.xml .gitlab/ss2ju-config.yml
```
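To make the conversion step and the suppression file concrete, here is a small stand-alone converter written for this page (it is not ss2ju's own code). It takes a GitLab SAST report in the documented JSON shape, applies suppression rules of the three kinds shown above, and emits JUnit XML; the sample report is constructed, and the exact matching semantics (a `type`/`value` rule matches a finding's identifier, an `id` rule matches the finding id) are my assumption about how such rules should be read.

```python
"""Convert a GitLab SAST JSON report into JUnit XML, honouring an ss2ju-style suppression list."""
import xml.etree.ElementTree as ET

# Constructed sample in the GitLab SAST report shape (not output of a real scan).
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "aaa111", "name": "SQL injection", "severity": "High",
         "description": "User input reaches a raw query.",
         "location": {"file": "app/db.py", "start_line": 42},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"id": "bbb222", "name": "Unprotected endpoint", "severity": "Medium",
         "description": "Spring endpoint without authentication.",
         "location": {"file": "src/Api.java", "start_line": 7},
         "identifiers": [{"type": "find_sec_bugs_type", "name": "SPRING_ENDPOINT",
                          "value": "SPRING_ENDPOINT"}]},
    ]
}
# Suppressions in the shape of the ss2ju-config.yml sample (matching rules are my assumption).
SUPPRESSIONS = [{"type": "find_sec_bugs_type", "value": "SPRING_ENDPOINT"}]


def is_suppressed(vuln: dict, suppressions: list) -> bool:
    """An `id` rule matches the finding id; a type/value rule matches one of its identifiers."""
    for rule in suppressions:
        if "id" in rule:
            matched = rule["id"] == vuln.get("id")
        else:
            matched = any((i.get("type"), i.get("value")) == (rule.get("type"), rule.get("value"))
                          for i in vuln.get("identifiers", []))
        if matched:
            return True
    return False


def convert_sast_to_junit(report: dict, suppressions: list) -> tuple:
    """Return (JUnit XML string, failure count): every finding becomes a testcase,
    suppressed ones are marked skipped so the suppression stays visible in the MR."""
    vulns = report.get("vulnerabilities", [])
    suite = ET.Element("testsuite", name="sast", tests=str(len(vulns)))
    failures = 0
    for v in vulns:
        loc = v.get("location", {})
        case = ET.SubElement(suite, "testcase", classname=loc.get("file", "unknown"),
                             name=f"{v.get('name')} (line {loc.get('start_line', '?')})")
        if is_suppressed(v, suppressions):
            ET.SubElement(case, "skipped", message="suppressed by ss2ju-config")
            continue
        failures += 1
        fail = ET.SubElement(case, "failure", message=f"{v.get('severity')}: {v.get('name')}")
        fail.text = v.get("description", "")
    suite.set("failures", str(failures))
    suite.set("skipped", str(len(vulns) - failures))
    return ET.tostring(suite, encoding="unicode"), failures
```

Write the returned string to the `.xml` path named in the `junit:` artifact and GitLab renders each unsuppressed finding as a failed test on the merge request.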
For easier usage in CI, SecScanner2JUnit is also shipped as a Docker container: https://hub.docker.com/r/logchange/secscanner2junit
Its usage is similar to the ways described above:

```yaml
...
secret_convert:
  stage: convert
  image:
    name: logchange/secscanner2junit:latest
    entrypoint: [""]
  dependencies:
    - secret_detection
  script:
    - ss2ju secrets gl-secret-detection-report.json gl-secret-detection-report.xml
  artifacts:
    reports:
      junit: gl-secret-detection-report.xml
```
Create Python Virtual Environment

```shell
python -m venv ./venv
```

Activate Python Virtual Environment

```shell
source ./venv/bin/activate
```

Install dependencies

```shell
poetry install
```

Run tests

```shell
poetry run pytest
```