Explore OASIS Static Analysis Results Interchange Format (SARIF)
Problem to solve
OASIS Static Analysis Results Interchange Format (SARIF) is a newer proposal from the OASIS standards consortium. It outlines a common specification for exchanging static analysis results, which we should evaluate and consider adopting for our own analyzers and/or for consuming results from third-party tools.
Links
- https://sarifweb.azurewebsites.net/
- https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif
- https://github.com/oasis-tcs/sarif-spec
Intended users
Further details
Proposal
Consider standardizing our Category:SAST reporting format or making a compliant export format matching the SARIF standard.
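As an added illustration of what a compliant export would involve (example code written for this issue, not an existing GitLab analyzer component), the following converts one constructed GitLab-style SAST finding into a minimal SARIF 2.1.0 log and spot-checks the fields the spec requires. The finding field names, the severity-to-level mapping and the tool name are assumptions for the example.

```python
import json

# Constructed GitLab-style SAST finding (field names as assumed for this example).
FINDING = {
    "id": "example-finding-1",
    "name": "Use of insecure hash function",
    "message": "MD5 used for password hashing",
    "severity": "High",
    "location": {"file": "app/auth.py", "start_line": 42, "end_line": 42},
    "identifiers": [{"type": "semgrep_id", "value": "python.lang.security.insecure-hash"}],
}

# Assumed mapping from GitLab severities to the four SARIF result levels.
SEVERITY_TO_LEVEL = {"Critical": "error", "High": "error", "Medium": "warning",
                     "Low": "note", "Info": "note", "Unknown": "none"}


def finding_to_result(finding):
    """Translate one finding into a SARIF 2.1.0 'result' object."""
    ids = finding.get("identifiers") or []
    rule_id = ids[0]["value"] if ids else finding["id"]
    loc = finding["location"]
    return {
        "ruleId": rule_id,
        "level": SEVERITY_TO_LEVEL.get(finding.get("severity", "Unknown"), "none"),
        "message": {"text": finding["message"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": loc["file"], "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": loc["start_line"], "endLine": loc["end_line"]},
        }}],
    }


def to_sarif(findings, tool_name, tool_version):
    """Wrap results in the minimal SARIF log: version, one run, one tool driver."""
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version}},
            "results": [finding_to_result(f) for f in findings],
        }],
    }


def check_required(log):
    """Spot-check fields the spec marks as required: version, runs, driver name, message text."""
    ok = log.get("version") == "2.1.0" and isinstance(log.get("runs"), list)
    for run in log.get("runs", []):
        ok = ok and bool(run.get("tool", {}).get("driver", {}).get("name"))
        for res in run.get("results", []):
            ok = ok and bool(res.get("message", {}).get("text"))
    return ok


if __name__ == "__main__":
    print(json.dumps(to_sarif([FINDING], "example-analyzer", "0.0.0"), indent=2))
```

The `check_required` pass is a lightweight sanity check only; a real export should be validated against the published JSON schema linked above before being shipped.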
Scanners with native SARIF support
- gitlab.com/gitlab-org/security-products/analyzers/bandit (via https://github.com/microsoft/bandit-sarif-formatter) (deprecated)
- gitlab.com/gitlab-org/security-products/analyzers/brakeman
- gitlab.com/gitlab-org/security-products/analyzers/eslint (deprecated)
- gitlab.com/gitlab-org/security-products/analyzers/flawfinder
- gitlab.com/gitlab-org/security-products/analyzers/gosec (deprecated)
- gitlab.com/gitlab-org/security-products/analyzers/kics
- gitlab.com/gitlab-org/security-products/analyzers/kubesec
- gitlab.com/gitlab-org/security-products/analyzers/mobsf (via mobsfscan)
- gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan (via njsscan)
- gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit
- gitlab.com/gitlab-org/security-products/analyzers/pmd-apex
- gitlab.com/gitlab-org/security-products/analyzers/security-code-scan
- gitlab.com/gitlab-org/security-products/analyzers/semgrep
- gitlab.com/gitlab-org/security-products/analyzers/sobelow
- gitlab.com/gitlab-org/security-products/analyzers/spotbugs
Permissions and Security
No change to existing permissions
Documentation
Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
Edited by Lucas Charles