Support SARIF - ligurio/sqa-wiki GitHub Wiki

The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools ^1. See a user-friendly documentation for the SARIF file format ^2.

This page contains tools that support SARIF format and thus can be easily integrated in CI.

Supported

• Tracked in another place

WIP

• GitLab, Issue#118496
• Clang Analyzer, pull-request
• Clang
• CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Issue#4036.
• Codespell, Issue#1455
• CTest, Issue#23486
• CBMC (cbmc-viewer), PR#8835 adds an option --sarif-ui, Issue#149
• LuaCheck, PR https://github.com/lunarmodules/luacheck/pull/120
• Mull, Issue#953
• pip-audit, https://github.com/pypa/pip-audit/issues/206

SARIF converters

• https://github.com/microsoft/sarif-sdk/tree/master/src/Sarif.Converters
• ReviewDog converts popular output formats to SARIF.
• SARIF Tools - is set of command line tools and Python library for working with SARIF files.
• JUnit
  • sarif-junit aims to convert a SARIF output file from a linter to a JUnit XML output file. It could be used inside GitLab to show which tests are failing in the CI/CD pipeline.
• HTML, https://github.com/microsoft/sarif-web-component

Which are the viewers supporting SARIF?

• https://github.com/trailofbits/vscode-sarif-explorer
• https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
• https://marketplace.visualstudio.com/items?itemName=WDGIS.MicrosoftSarifViewer
• https://github.com/microsoft/sarif-web-component
• https://www.shiftleft.io/scan/