Kengo TODA

SpotBugs supports SARIF, which helps integration with other SAST tools

Are you using SAST tools? How many are you using? Just one? Then you're fine. A few? It probably still works. More? Welcome to one of the difficulties of DevSecOps!

Today it is quite common for a system to depend on multiple languages and ecosystems. If the system is small enough, a one-stop SAST solution may be enough... but later you may find that it isn't.

So how do you integrate the reports generated by multiple SAST tools to get an overview of your system? The Static Analysis Results Interchange Format (SARIF) can be the solution.

SARIF is an OASIS standard and an industry-standard format for the output of static analysis tools. Configure each SAST tool to generate a SARIF report, and you can merge the reports to get a single overview of the service. GitHub Code scanning is one example: it works as a dashboard for all your SAST tools, as below:

(Screenshot: GitHub Code scanning dashboard listing alerts from several SAST tools)
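As an added example (not part of the original post, and not SpotBugs or GitHub code), here is a small Python script that does the merging described above: it loads two constructed SARIF 2.1.0 logs, one shaped like a SpotBugs run and one from a hypothetical tool called otherlint, appends their runs into one log, and builds a per-tool and per-file summary. The findings, file names and the otherlint tool are made up for illustration.

```python
"""Merge SARIF 2.1.0 logs from several SAST tools and build an overview."""
import json
from collections import Counter, defaultdict

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample logs (not real tool output). The first mimics a SpotBugs
# run; the second comes from a hypothetical tool named "otherlint".
SPOTBUGS_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": SARIF_SCHEMA,
    "runs": [{
        "tool": {"driver": {
            "name": "SpotBugs", "version": "4.4.1",
            "rules": [{"id": "DMI_CONSTANT_DB_PASSWORD",
                       "shortDescription": {"text": "Hardcoded database password"}}],
        }},
        "results": [{
            "ruleId": "DMI_CONSTANT_DB_PASSWORD",
            "level": "error",
            "message": {"text": "Constant password passed to DriverManager.getConnection"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/main/java/app/UserDao.java"},
                "region": {"startLine": 42},
            }}],
        }],
    }],
})

OTHERLINT_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": SARIF_SCHEMA,
    "runs": [{
        "tool": {"driver": {"name": "otherlint", "version": "0.1",
                            "rules": [{"id": "OL001"}, {"id": "OL007"}]}},
        "results": [
            {"ruleId": "OL001",  # no "level": SARIF defaults it to "warning"
             "message": {"text": "Unchecked return value"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/UserDao.java"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "OL007", "level": "note",
             "message": {"text": "Deprecated API"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/Main.java"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
})


def load_sarif(text: str) -> dict:
    """Parse a SARIF log and reject anything that is not a 2.1.0 log with runs."""
    log = json.loads(text)
    if log.get("version") != "2.1.0" or not isinstance(log.get("runs"), list):
        raise ValueError("expected a SARIF 2.1.0 log with a 'runs' array")
    return log


def merge_sarif(*logs: dict) -> dict:
    """Concatenate the runs of several logs into one log.

    Each run carries its own tool and rule metadata, so merging is just
    appending runs; rule ids never have to be reconciled across tools.
    """
    return {"version": "2.1.0", "$schema": SARIF_SCHEMA,
            "runs": [run for log in logs for run in log["runs"]]}


def summarize(log: dict) -> dict:
    """Count results per (tool, level, ruleId); a missing level means 'warning'."""
    counts: Counter = Counter()
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            counts[(tool, result.get("level", "warning"), result["ruleId"])] += 1
    return dict(counts)


def findings_by_file(log: dict) -> dict:
    """Group every tool's results by file, sorted by line, for a per-file overview."""
    by_file = defaultdict(list)
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                by_file[uri].append((line, tool, result["ruleId"]))
    return {uri: sorted(rows) for uri, rows in by_file.items()}


if __name__ == "__main__":
    merged = merge_sarif(load_sarif(SPOTBUGS_SARIF), load_sarif(OTHERLINT_SARIF))
    for key, n in sorted(summarize(merged).items()):
        print(key, n)
    for uri, rows in findings_by_file(merged).items():
        print(uri, rows)
```

The point of the script is that a SARIF log is a list of runs, each with its own tool and rule metadata, so tools never collide on rule ids and a merge is a plain concatenation; the per-file view is where the cross-tool overview actually comes from. When uploading to GitHub code scanning you can still send each tool's file separately, using the upload action's category input to keep them apart.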

How to configure SpotBugs to generate a SARIF report

First, use SpotBugs 4.4.1 or later, which includes a fix that makes the SARIF report compatible with the GitHub code scanning API requirements.

If you run SpotBugs from the command line, append the -sarif option.

If you are using Gradle, configure the tasks of type SpotBugsTask to set reports.sarif.enabled (on newer plugin versions, where Gradle has deprecated enabled on reports, use required = true instead):

```groovy
spotbugsMain {
    reports {
        sarif {
            enabled = true
        }
    }
}
```

If you are using Maven, configure the spotbugs-maven-plugin with <sarifOutput>true</sarifOutput> in its <configuration>:

```xml
<configuration>
  <sarifOutput>true</sarifOutput>
</configuration>
```

Refer to spotbugs/spotbugs-gradle-plugin as a living example of the GitHub Code scanning integration.
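The workflow below is an added example of the integration that paragraph points to; it is not the spotbugs-gradle-plugin's own workflow. It assumes the build.gradle enables the SARIF report as shown above, and that the spotbugsMain report lands at build/reports/spotbugs/main.sarif, which is assumed here to be the plugin's default location; check the path against your own build before relying on it.

```yaml
name: SpotBugs to code scanning
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to code scanning

jobs:
  spotbugs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'
      - name: Run SpotBugs (SARIF report enabled in build.gradle)
        run: ./gradlew spotbugsMain
      - name: Upload SARIF to GitHub code scanning
        if: always()   # SpotBugs fails the task when it finds bugs; upload anyway
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: build/reports/spotbugs/main.sarif   # assumed default path
```

The if: always() on the upload step matters: by default the SpotBugs task fails the build when it reports bugs, and without it the findings that caused the failure would never reach the dashboard.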

I hope this guide helps you find a new way to handle SAST tool reports, and makes your hacking awesome!