DEV Community: Shiva The latest articles on DEV Community by Shiva (@shivasurya). https://dev.to/shivasurya https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F7930%2Fe765316c-ef50-416c-b67f-07582a1c3255.png DEV Community: Shiva https://dev.to/shivasurya en Unlocking the Power of SARIF: The Backbone of Modern Static Analysis Shiva Sat, 22 Mar 2025 16:39:00 +0000 https://dev.to/shivasurya/unlocking-the-power-of-sarif-the-backbone-of-modern-static-analysis-9lc https://dev.to/shivasurya/unlocking-the-power-of-sarif-the-backbone-of-modern-static-analysis-9lc <p>Static analysis tools are indispensable for modern software security, but integrating them seamlessly into DevSecOps pipelines is often a challenge. Each tool frequently outputs its findings in proprietary formats, leaving teams to cobble together custom solutions to parse, aggregate, and manage results. Enter <strong>SARIF (Static Analysis Results Interchange Format)</strong>—an open standard that streamlines this process.</p> <p>In this deep dive, we’ll explore the SARIF file format from top to bottom: why it exists, its structure, the benefits it brings to security engineers and DevSecOps teams, and how modern tools like <a href="https://codepathfinder.dev/blog/codeql-oss-alternative/" rel="noopener noreferrer">CodePathfinder - Open Source SAST Scanner alternative to CodeQL</a> leverage SARIF to elevate static analysis workflows. Whether you’re new to SARIF or looking to deepen your technical expertise, this guide is your one-stop resource.</p> <h2> What is SARIF and Why Does It Matter? </h2> <p><strong>SARIF (Static Analysis Results Interchange Format)</strong> is a standardized JSON schema designed to represent the output of static analysis tools. Born out of a need to unify disparate formats, SARIF simplifies how tools report their findings, making it easier for security engineers to consume, triage, and act on vulnerabilities.</p> <p>At <a href="https://codepathfinder.dev" rel="noopener noreferrer">CodePathfinder</a>, SARIF is at the core of the reporting process, enabling seamless integration into DevSecOps pipelines and allowing security teams to efficiently manage and remediate issues.</p> <h2> The SARIF Structure: Anatomy of a Standard </h2> <p>At its core, SARIF is a JSON document conforming to a well-defined schema (the latest is version 2.1.0). Here’s a breakdown of its key components:</p> <h3> 1. <code>$schema</code> and <code>version</code> </h3> <p>These fields identify the SARIF schema and its version, typically 2.1.0.</p> <h3> 2. <code>runs</code> </h3> <p>An array where each item represents a single tool execution. In <a href="https://codepathfinder.dev" rel="noopener noreferrer">CodePathfinder.dev</a>, each analysis job generates one SARIF <code>run</code>.</p> <h3> 3. <code>tool</code> </h3> <p>Describes the tool that performed the analysis. CodePathfinder includes metadata about the scan engine, its version, and the rules applied.</p> <h3> 4. <code>results</code> </h3> <p>This is where the findings are captured. Each entry describes a security issue, including:</p> <ul> <li> <code>ruleId</code>: Ties the finding back to a specific rule.</li> <li> <code>message</code>: A description of the issue.</li> <li> <code>locations</code>: Source code locations, including file path and line numbers.</li> </ul> <h3> 5. <code>rules</code> </h3> <p>Defined in <code>tool.driver.rules</code>, this section catalogs all possible rules that were applied during a scan. It includes severity levels, descriptions, and remediation guidance.</p> <h2> A SARIF Example from CodePathfinder </h2> <p>Here’s a example SARIF snippet generated by CodePathfinder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://json.schemastore.org/sarif-2.1.0.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"runs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"driver"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pathfinder"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"informationUri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://codepathfinder.dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CWE-89"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SQL Injection Risk"</span><span class="p">,</span><span class="w"> </span><span class="nl">"shortDescription"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Potential SQL injection detected."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"fullDescription"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Unvalidated user input in SQL query."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"defaultConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"security-severity"</span><span class="p">:</span><span class="w"> </span><span class="mf">9.5</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"results"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ruleId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CWE-89"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"text"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Possible SQL Injection via unvalidated input."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"locations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"physicalLocation"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"artifactLocation"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src/main/java/com/example/Database.java"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"startLine"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"startColumn"</span><span class="p">:</span><span class="w"> </span><span class="mi">13</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Benefits of SARIF for Security Engineers </h2> <h3> 1. <strong>Standardized Reporting</strong> </h3> <p>No more wrangling custom parsers for different tools. SARIF ensures all findings conform to a common standard, making them compatible with platforms like GitHub Code Scanning.</p> <h3> 2. <strong>Interoperability</strong> </h3> <p>Whether your pipeline includes custom scripts, security dashboards, or third-party integrations, SARIF allows results to flow smoothly through your DevSecOps toolchain.</p> <h3> 3. <strong>Enhanced Triage</strong> </h3> <p>Rich metadata, including file locations, severity levels, and data flows, are standardized. Security engineers can easily filter, prioritize, and act on vulnerabilities.</p> <h3> 4. <strong>Compatibility with GitHub Code Scanning</strong> </h3> <p>By outputting SARIF, results can be uploaded directly into GitHub Code Scanning alerts. Developers see issues highlighted in pull requests with full traceability.</p> <h2> CodePathfinder: SARIF-Enabled Static Analysis </h2> <p>CodePathfinder.dev was designed to leverage SARIF for maximum interoperability. Whether you're running a standalone scan or integrating into CI/CD pipelines, our SARIF outputs ensure seamless compatibility.</p> <p>By adopting CodePathfinder.dev, your team gains:</p> <ul> <li> <strong>Precision scans</strong> across Java projects (and more languages coming soon!)</li> <li> <strong>SARIF-based reports</strong> ready for integration with GitHub, Azure DevOps, and other platforms</li> <li> <strong>Rich rule metadata</strong> for clear remediation guidance</li> <li> <strong>Open and extensible output</strong> for custom workflows</li> </ul> <h2> Getting Started with CodePathfinder and SARIF </h2> <p>Ready to see SARIF in action? Start scanning with CodePathfinder today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CodePathfinder SAST Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">codepathfinder/codepathfinder-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s1">'</span><span class="s">.'</span> <span class="na">output</span><span class="pi">:</span> <span class="s1">'</span><span class="s">output.sarif'</span> </code></pre> </div> <p>Then upload to GitHub Code Scanning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload SARIF results to GitHub</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/code-scanning/upload-sarif@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">output.sarif</span> </code></pre> </div> <h2> Conclusion </h2> <p>SARIF is transforming how static analysis results are shared and consumed. By standardizing on SARIF, security teams gain consistency, clarity, and powerful integration capabilities.</p> <p>At <a href="https://codepathfinder.dev" rel="noopener noreferrer">CodePathfinder</a>, we are committed to leveraging SARIF to deliver robust open source static analysis and seamless DevSecOps integration. Visit <a href="https://codepathfinder.dev" rel="noopener noreferrer">codepathfinder</a> to learn more and get started today.</p> sast sastscanning security appsec