SARIF is the industry standard for static analysis interoperability. Supporting SARIF is specifically useful for:
What is SARIF?
SARIF, the Static Analysis Results Interchange Format, is a standard, JSON-based format for the output of static analysis tools. It has been approved as an OASIS standard.
SARIF is a rich format intended to meet the needs of sophisticated tools, while still being practical for use by simpler tools. Because it would be impractical to support every feature of every tool, SARIF provides an extensibility mechanism to allow tool authors to store custom data that the SARIF format doesn’t directly represent.
Why SARIF?
Historically, every static analysis tool has defined its own output format. These formats are frequently based on standard file formats such as XML or JSON, but beyond that, they have little in common — or at least, not enough to make it feasible for automated systems to consume all the different formats that exist.
This matters because engineering teams, especially large ones, can use dozens of tools. The multiplicity of output formats leads to many problems:
That’s where SARIF comes in. By providing a common tool output format, SARIF reduces the learning burden on users and makes it possible to build common tooling that works across all tools: viewers, bug filers, metrics calculators, etc.
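To make the "common tooling" point concrete, here is an added example (not code from this page or from any tool listed on it): a small Python consumer that flattens a SARIF 2.1.0 log into tool-neutral findings, resolving each result's rule metadata and severity the way the spec describes and preserving the `properties` bags that carry tool-specific data. The embedded SARIF log is constructed for the example and the rule id and paths in it are made up.

```python
import json

# Constructed SARIF 2.1.0 log (not the output of any real tool): one rule, two results. The first
# result inherits the rule's defaultConfiguration level and carries extra data in a property bag.
SAMPLE_SARIF = r'''{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-linter", "rules": [
    {"id": "EX001", "shortDescription": {"text": "Hard-coded credential"},
     "defaultConfiguration": {"level": "error"}, "properties": {"tags": ["security"]}}]}},
  "results": [
    {"ruleId": "EX001", "ruleIndex": 0, "message": {"text": "Password literal in source"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                          "region": {"startLine": 12}}}],
     "properties": {"confidence": "HIGH"}},
    {"ruleId": "EX001", "level": "note", "message": {"text": "Suspicious string"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                                          "region": {"startLine": 3}}}]}]}]}'''

def _rule_for(driver: dict, result: dict) -> dict:
    # A result names its rule by ruleIndex (preferred) or ruleId; both are optional in SARIF.
    rules = driver.get("rules", [])
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})

def load_findings(sarif_text: str) -> list:
    """Flatten every result of every run into plain dicts a viewer or bug filer can consume."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {log.get('version')!r}")
    findings = []
    for run in log.get("runs", []):
        driver = run["tool"]["driver"]
        for res in run.get("results", []):
            rule = _rule_for(driver, res)
            # Severity per the spec: result.level, else rule.defaultConfiguration.level, else "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": driver["name"],
                "rule_id": res.get("ruleId") or rule.get("id", ""),
                "level": level,
                "message": res.get("message", {}).get("text", ""),
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
                # Property bags are SARIF's extensibility mechanism: keep them, don't interpret them.
                "properties": {**rule.get("properties", {}), **res.get("properties", {})},
            })
    return findings
```

Because every producer in the table below emits this same shape, the same function serves as the front end for a viewer, a bug filer or a metrics calculator regardless of which tool produced the log.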
| Software | Description | Date / Version Supported |
|---|---|---|
| Bandit | A tool designed to find common security issues in Python code | 1.7.8 |
| BinSkim | Binary static analysis tool that provides security and correctness results for Windows Portable Executable and Unix ELF binary formats | Documentation |
| cfn-lint | CloudFormation Linter | 2021-11-02 / 0.55.0 |
| cppcheck | Static analysis of C/C++ code | 2024-10-27 / 2.16.0 |
| CASR | Collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity | 2023-08-23 / 2.8.0 |
| CMake | CMake is a cross-platform, open-source build system generator | 4.0 |
| CodeQL | Static analyzer | Documentation |
| emmylua-analyzer-rust | EmmyLua Analyzer Rust | 0.14.0 |
| FlawFinder | Static analysis tool for finding vulnerabilities in C/C++ source code | |
| Frama-C | An open-source extensible and collaborative platform dedicated to source-code analysis of C software | 25.0 |
| gosec | Go security checker | 2.23.0 |
| GCC | GCC, the GNU Compiler Collection | 2023-04-26 / 13.1 |
| GitLeaks | Find secrets with Gitleaks | |
| Infer | A static analyzer for Java, C, C++, and Objective-C | 2021-11-21 |
| Mull | Fault injection for C and C++ | 0.32.0 |
| njsscan | Semantic-aware SAST tool that can find insecure code patterns in your Node.js applications | 202-11-16 / 0.1.7 |
| PVS Studio | Static analyzer on guard of code quality, security (SAST), and code safety | Documentation |
| SemGrep | Code Security for Builders | Documentation |
| SpotBugs | SpotBugs is a program which uses static analysis to look for bugs in Java code | 2020-07-30 / 4.1.0 |
| Svace | Static analyzer | Documentation |
| Trivy | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more | 2024-07-01 / 0.53.0 |
| Github | A proprietary developer platform that allows developers to create, store, manage, and share their code | Documentation |
| JetBrains Qodana | An automated code quality platform | Documentation |
| OSS-Fuzz | Continuous fuzzing for open source software | Documentation |
| SonarQube | A platform to integrate into software development workflows, ensuring continuous code quality and code security | Documentation |
| DefectDojo | A Developer Security Operations (DevSecOps) platform | |