Static analysis tools are indispensable for modern software security, but integrating them seamlessly into DevSecOps pipelines is often a challenge. Each tool frequently outputs its findings in proprietary formats, leaving teams to cobble together custom solutions to parse, aggregate, and manage results. Enter SARIF (Static Analysis Results Interchange Format)—an open standard that streamlines this process.
In this deep dive, we’ll explore the SARIF file format from top to bottom: why it exists, its structure, the benefits it brings to security engineers and DevSecOps teams, and how modern tools like CodePathfinder (an open source SAST scanner and alternative to CodeQL) leverage SARIF to elevate static analysis workflows. Whether you’re new to SARIF or looking to deepen your technical expertise, this guide is your one-stop resource.
What is SARIF and Why Does It Matter?
SARIF (Static Analysis Results Interchange Format) is a standardized JSON schema designed to represent the output of static analysis tools. Born out of a need to unify disparate formats, SARIF simplifies how tools report their findings, making it easier for security engineers to consume, triage, and act on vulnerabilities.
At CodePathfinder, SARIF is at the core of the reporting process, enabling seamless integration into DevSecOps pipelines and allowing security teams to efficiently manage and remediate issues.
The SARIF Structure: Anatomy of a Standard
At its core, SARIF is a JSON document conforming to a well-defined schema (the latest is version 2.1.0). Here’s a breakdown of its key components:
1. $schema and version
These fields identify the SARIF schema and its version, typically 2.1.0.
2. runs
An array where each item represents a single tool execution. In CodePathfinder.dev, each analysis job generates one SARIF run.
3. tool
Describes the tool that performed the analysis. CodePathfinder includes metadata about the scan engine, its version, and the rules applied.
4. results
This is where the findings are captured. Each entry describes a security issue, including:
- ruleId: Ties the finding back to a specific rule.
- message: A description of the issue.
- locations: Source code locations, including file path and line numbers.
5. rules
Defined in tool.driver.rules, this section catalogs all possible rules that were applied during a scan. It includes severity levels, descriptions, and remediation guidance.
A SARIF Example from CodePathfinder
Here’s an example SARIF snippet generated by CodePathfinder:
```json
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "pathfinder",
          "version": "1.0.0",
          "informationUri": "https://codepathfinder.dev",
          "rules": [
            {
              "id": "CWE-89",
              "name": "SQL Injection Risk",
              "shortDescription": { "text": "Potential SQL injection detected." },
              "fullDescription": { "text": "Unvalidated user input in SQL query." },
              "defaultConfiguration": { "level": "error" },
              "properties": { "security-severity": 9.5 }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CWE-89",
          "level": "error",
          "message": { "text": "Possible SQL Injection via unvalidated input." },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "src/main/java/com/example/Database.java" },
                "region": { "startLine": 42, "startColumn": 13 }
              }
            }
          ]
        }
      ]
    }
  ]
}
```
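The structure described above, as an added example that is not CodePathfinder's own code: a small Python consumer that joins each result to its entry in tool.driver.rules, applies the SARIF level fallback, and ranks findings by security-severity for triage. The input is the snippet above plus one constructed result whose ruleId has no rule entry, so the validation path is exercised too.

```python
# Added example (not CodePathfinder's code): consume a SARIF 2.1.0 log, join results to rules, triage.
import json

# Constructed input: the page's snippet plus one result with no rule entry.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "pathfinder", "version": "1.0.0", "rules": [
            {"id": "CWE-89", "name": "SQL Injection Risk",
             "shortDescription": {"text": "Potential SQL injection detected."},
             "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": 9.5}}]}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "message": {"text": "Possible SQL Injection via unvalidated input."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/com/example/Database.java"},
                 "region": {"startLine": 42, "startColumn": 13}}}]},
            {"ruleId": "CWE-79", "message": {"text": "Reflected XSS."},  # no rule entry
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/com/example/Web.java"},
                 "region": {"startLine": 7}}}]}]}]})

def load_findings(sarif_text):
    """One flat dict per result, enriched with its rule's metadata."""
    findings = []
    for run in json.loads(sarif_text)["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            # SARIF: level falls back to the rule's defaultConfiguration, then "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            # GitHub expects security-severity as a string ("9.5"); accept both forms.
            score = float(rule.get("properties", {}).get("security-severity", 0))
            findings.append({"tool": driver["name"], "ruleId": res.get("ruleId"),
                             "rule_known": bool(rule), "level": level, "severity": score,
                             "message": res["message"]["text"],
                             "file": loc.get("artifactLocation", {}).get("uri"),
                             "line": loc.get("region", {}).get("startLine")})
    return findings

def triage(findings, min_severity=7.0):
    """Findings at or above the threshold, highest score first."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: f["severity"], reverse=True)

def unresolved_rule_ids(findings):
    """ruleIds with no entry in tool.driver.rules: no description or remediation text."""
    return sorted({f["ruleId"] for f in findings if not f["rule_known"]})
```

A result whose ruleId does not resolve still uploads, but consumers cannot show its description or remediation guidance, so unresolved_rule_ids is worth running as a pipeline check before upload.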
Benefits of SARIF for Security Engineers
1. Standardized Reporting
No more wrangling custom parsers for different tools. SARIF ensures all findings conform to a common standard, making them compatible with platforms like GitHub Code Scanning.
2. Interoperability
Whether your pipeline includes custom scripts, security dashboards, or third-party integrations, SARIF allows results to flow smoothly through your DevSecOps toolchain.
3. Enhanced Triage
Rich metadata, including file locations, severity levels, and data flows, is standardized. Security engineers can easily filter, prioritize, and act on vulnerabilities.
4. Compatibility with GitHub Code Scanning
By outputting SARIF, results can be uploaded directly into GitHub Code Scanning alerts. Developers see issues highlighted in pull requests with full traceability.
CodePathfinder: SARIF-Enabled Static Analysis
CodePathfinder.dev was designed to leverage SARIF for maximum interoperability. Whether you're running a standalone scan or integrating into CI/CD pipelines, our SARIF outputs ensure seamless compatibility.
By adopting CodePathfinder.dev, your team gains:
- Precision scans across Java projects (and more languages coming soon!)
- SARIF-based reports ready for integration with GitHub, Azure DevOps, and other platforms
- Rich rule metadata for clear remediation guidance
- Open and extensible output for custom workflows
Getting Started with CodePathfinder and SARIF
Ready to see SARIF in action? Start scanning with CodePathfinder today:
```yaml
- name: CodePathfinder SAST Scan
  uses: codepathfinder/codepathfinder-action@v1
  with:
    project: '.'
    output: 'output.sarif'
```
Then upload to GitHub Code Scanning (the upload step needs the workflow to grant the security-events: write permission):
```yaml
- name: Upload SARIF results to GitHub
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: output.sarif
```
Conclusion
SARIF is transforming how static analysis results are shared and consumed. By standardizing on SARIF, security teams gain consistency, clarity, and powerful integration capabilities.
At CodePathfinder, we are committed to leveraging SARIF to deliver robust open source static analysis and seamless DevSecOps integration. Visit codepathfinder to learn more and get started today.