DEV Community

Hollow Man

Code reviews and Suggestions from SARIF report

What I built

SARIF support for Reviewdog

Category Submission:

Maintainer Must-Haves

App Link

https://github.com/HollowMan6/sarif4reviewdog/pull/5

Description

SARIF, the Static Analysis Results Interchange Format, is a standard, JSON-based format for the output of static analysis tools.

This action lets maintainers apply the fixes proposed by static code analysis tools directly from the PR review comments.

Link to Source Code

https://github.com/HollowMan6/sarif4reviewdog

Permissive License

MIT

Background

https://github.com/orgs/community/discussions/52156

GitHub Code Scanning supports generating alerts from a SARIF report, but it can't show the proposed fixes contained in that report. It would be a good addition to have the option to commit those proposed fixes to the codebase.

Then I submitted the feature request, but no one responded, so why not realize it myself instead?

How I built it

In SARIF, the fix object represents a proposed fix for the problem indicated by the result. It specifies a set of artifacts to modify. For each artifact, it specifies regions to remove and provides new content to insert.

I built a general converter from SARIF to Reviewdog Diagnostic Format (RDFormat), then used Reviewdog to post the suggested code changes, together with the context of the changes, for PR reviewing.
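The following is an added illustration of that conversion, not the sarif4reviewdog code: it reads a SARIF `result` with its `fixes` and emits an rdjson diagnostic whose `suggestions` carry each replacement's `deletedRegion` and `insertedContent`. The SARIF input (tool name `demo-linter`, rule `py/unsafe-eval`, file `app.py`) is constructed for the example.

```python
"""SARIF `fix` objects -> Reviewdog Diagnostic Format (rdjson) suggestions.
Added example; this is not the sarif4reviewdog implementation."""
import json

# SARIF result `level` -> RDFormat `severity`
SEVERITY = {"error": "ERROR", "warning": "WARNING", "note": "INFO"}

# Constructed sample: one finding plus a fix that swaps the deleted region
# (columns 9-13 on line 3 of app.py) for `ast.literal_eval`.
SAMPLE_SARIF = {"runs": [{"tool": {"driver": {"name": "demo-linter"}}, "results": [{
    "ruleId": "py/unsafe-eval", "level": "warning",
    "message": {"text": "Use ast.literal_eval instead of eval"},
    "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app.py"},
        "region": {"startLine": 3, "startColumn": 9, "endLine": 3, "endColumn": 13}}}],
    "fixes": [{"artifactChanges": [{
        "artifactLocation": {"uri": "app.py"},
        "replacements": [{
            "deletedRegion": {"startLine": 3, "startColumn": 9, "endLine": 3, "endColumn": 13},
            "insertedContent": {"text": "ast.literal_eval"}}]}]}]}]}]}


def region_to_range(region):
    """SARIF region -> rdjson range. Both formats use 1-based line/column numbers,
    so the values are passed through; missing end fields collapse to the start."""
    start = {"line": region["startLine"], "column": region.get("startColumn", 1)}
    end = {"line": region.get("endLine", start["line"]),
           "column": region.get("endColumn", start["column"])}
    return {"start": start, "end": end}


def result_to_diagnostic(result):
    loc = result["locations"][0]["physicalLocation"]
    path = loc["artifactLocation"]["uri"]
    diag = {"message": result["message"]["text"],
            "location": {"path": path, "range": region_to_range(loc["region"])},
            "severity": SEVERITY.get(result.get("level", "warning"), "WARNING"),
            "code": {"value": result.get("ruleId", "")}, "suggestions": []}
    for fix in result.get("fixes", []):
        for change in fix.get("artifactChanges", []):
            if change["artifactLocation"]["uri"] != path:
                continue  # a suggestion can only edit the file the comment is on
            for rep in change.get("replacements", []):
                diag["suggestions"].append({"range": region_to_range(rep["deletedRegion"]),
                                            "text": rep.get("insertedContent", {}).get("text", "")})
    return diag


def sarif_to_rdjson(sarif):
    runs = sarif.get("runs", [])
    name = runs[0]["tool"]["driver"]["name"] if runs else "sarif"
    diags = [result_to_diagnostic(r) for run in runs for r in run.get("results", []) if r.get("locations")]
    return {"source": {"name": name}, "diagnostics": diags}


if __name__ == "__main__":
    print(json.dumps(sarif_to_rdjson(SAMPLE_SARIF), indent=2))  # feed to reviewdog -f=rdjson
```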

Additional Resources/Info

This Action is currently used by kubescape, a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform and includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
