Support SARIF

The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools ^1. See a user-friendly documentation for the SARIF file format ^2.

This page contains tools that support SARIF format and thus can be easily integrated in CI.

Supported

• gosec - Go security checker.
• SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code. Option -sarif=filepath, see documentation.
• GCC — The GCC compiler has static analysis capabilities since version 10. This option is only available if GCC was configured with analyzer support enabled. It can also output its diagnostics to a JSON file in the SARIF format (from v13).
• Clang with diagnostic messages, https://lists.llvm.org/pipermail/cfe-dev/2021-March/067907.html
• Clang-Tidy
  • Adding SARIF result format support for clang-tidy
  • ZedThree/clang-tidy-review - Github Action that creates a pull-request review based on the warnings from clang-tidy.
  • clang-tidy-sarif - Rust crate provides a command line tool to convert clang-tidy diagnostic output into SARIF.
• Github, Documentation
• cfn-lint, pull-request
• ESlint, via eslint-formatter-sarif
• JetBrains Qodana, Documentation
• Svace, Documentation
• PVS Studio, Documentation
• semgrep, Documentation
• OSS Fuzz, Documentation
• CodeQL, Documentation
• PyLint supports SARIF output with pylint-sarif
• BinSkim is a binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats.
• SonarQube can import Static Analysis Results Interchange Format (SARIF) reports. The issues will be taken into account by SonarQube in the analysis report, but the rules corresponding to these issues will not be visible on the Rules page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool. See documentation.
• GitLeaks protect and discover secrets in Git.
• tfsec is a security scanner for your Terraform code
• TerraScan detect compliance and security violations across Infrastructure as Code (IaC) to mitigate risk before provisioning cloud native infrastructure. See documentation.
• CASR (--sarif out.sarif) collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.
• DefectDojo.
• njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
• FlawFinder is a static analysis tool for finding vulnerabilities in C/C++ source code.
• Bandit with bandit-sarif-formatter. Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
• Shellcheck, https://github.com/psastras/sarif-rs
• Clang-Tidy, https://github.com/psastras/sarif-rs
• GCC (13+, -fdiagnostics-format=sarif-file), https://gcc.gnu.org/wiki/SARIF
• Frama-C, https://frama-c.com/download/user-manual-25.0-Manganese.pdf
• cppcheck

Unsupported

• GitLab, Issue#118496
• Clang Analyzer, pull-request
• CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Issue#4036.
• Codespell, Issue#1455
• CTest, Issue#23486)
• CBMC (cbmc-viewer), Issue#149
• LuaCheck
• Mull, Issue#953
• pip-audit

SARIF converters

• https://github.com/microsoft/sarif-sdk/tree/master/src/Sarif.Converters
• ReviewDog converts popular output formats to SARIF.
• SARIF Tools - is set of command line tools and Python library for working with SARIF files.
• JUnit
  • sarif-junit aims to convert a SARIF output file from a linter to a JUnit XML output file. It could be used inside GitLab to show which tests are failing in the CI/CD pipeline.
• HTML, https://github.com/microsoft/sarif-web-component

Which are the viewers supporting SARIF?

• https://github.com/trailofbits/vscode-sarif-explorer
• https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
• https://marketplace.visualstudio.com/items?itemName=WDGIS.MicrosoftSarifViewer
• https://github.com/microsoft/sarif-web-component
• https://www.shiftleft.io/scan/