
Feature: SARIF output

Josh Soref edited this page Feb 28, 2024 · 2 revisions

SARIF output

Static Analysis Results Interchange Format (SARIF) is an industry standard enabling tools and development environments to interoperate.

GitHub has SARIF support for code scanning.

When results are uploaded to GitHub in this format, GitHub is supposed to automatically generate code-scanning annotations on the affected lines.

Sometimes @github-advanced-security will leave a comment on pull requests (the original page shows a screenshot of one).

Users of Visual Studio Code can install the SARIF Viewer extension to retrieve the reports.

Timeline

Release   Features
v0.0.21   Initial support
v0.0.22   Adjusting sarif.json

Enabling

SARIF support is still very experimental, but the general idea is that you need to give the job permission to write security-events (security-events: write) and you need to tell the action to generate SARIF output (use_sarif: 1).

Note that you may be able to drop the comment job entirely if you enable SARIF. It's still early; hopefully it will soon be clear whether this is in fact correct.

jobs:
  spelling:
    permissions:
      # ...
      security-events: write
    # ...
    steps:
    - name: check-spelling
      id: spelling
      uses: check-spelling/check-spelling@main
      with:
        # ...
        use_sarif: 1

Visibility

In general:

Security alerts for a repository are visible to people with write, maintain, or admin access to the repository

See Granting access to security alerts for more information.

This means that if you're a contributor without write access to a repository, you probably won't be able to click the 👼 SARIF report? link.

If you'd like to see a similar report, you should be able to create a pull request in your fork, trigger the same workflow there, and view the equivalent report.

Adjusting sarif.json

With v0.0.22, there's the ability to add a sarif.json file to adjust severities or other fields.

This is experimental (as is SARIF support in general).

Tracking issue: https://github.com/check-spelling/check-spelling/issues/43
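To make the SARIF section above and the severity-adjustment idea in this section concrete, here is an added example (written for this page; it is not check-spelling's implementation, and the override mapping it takes is a hypothetical stand-in, not the action's sarif.json schema). It builds a constructed SARIF 2.1.0 log of the shape a spell-checker could emit, resolves each result's effective level (explicit result level, else the rule's declared default), and shows how a rule-to-level override changes the summary:

```python
import json
from collections import Counter

# Constructed sample: a minimal SARIF 2.1.0 log of the shape a spell-checker
# could emit. It is not output captured from check-spelling.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-spell-checker",
            "rules": [
                {"id": "unrecognized-spelling",
                 "shortDescription": {"text": "Unrecognized word"},
                 "defaultConfiguration": {"level": "warning"}},
                {"id": "forbidden-pattern",
                 "shortDescription": {"text": "Forbidden pattern"},
                 "defaultConfiguration": {"level": "error"}},
            ]}},
        "results": [
            {"ruleId": "unrecognized-spelling", "level": "warning",
             "message": {"text": "`recieve` is not a recognized word."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "README.md"},
                 "region": {"startLine": 12, "startColumn": 5}}}]},
            # No explicit level here: SARIF falls back to the rule's default.
            {"ruleId": "unrecognized-spelling",
             "message": {"text": "`teh` is not a recognized word."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "docs/guide.md"},
                 "region": {"startLine": 3, "startColumn": 1}}}]},
            {"ruleId": "forbidden-pattern", "level": "error",
             "message": {"text": "Forbidden pattern matched."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main.c"},
                 "region": {"startLine": 40, "startColumn": 9}}}]},
        ],
    }],
})


def rule_default_levels(run):
    """Map ruleId -> default level declared in the tool's rule metadata."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules}


def effective_level(result, defaults, overrides):
    """Resolve a result's level: override > result.level > rule default > 'warning'.

    `overrides` (ruleId -> level) is a hypothetical adjustment mapping for this
    example; it is not check-spelling's sarif.json format.
    """
    rule = result.get("ruleId")
    if rule in overrides:
        return overrides[rule]
    return result.get("level") or defaults.get(rule, "warning")


def summarize(sarif_text, overrides=None):
    """Flatten a SARIF log into one record per result with its effective level."""
    overrides = overrides or {}
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("expected SARIF version 2.1.0")
    findings = []
    for run in log["runs"]:
        defaults = rule_default_levels(run)
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res.get("ruleId"),
                "level": effective_level(res, defaults, overrides),
                "file": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
                "message": res["message"]["text"],
            })
    return findings


def count_by_level(findings):
    """Count findings per effective level, e.g. {'warning': 2, 'error': 1}."""
    return dict(Counter(f["level"] for f in findings))


if __name__ == "__main__":
    found = summarize(SAMPLE_SARIF)
    for f in found:
        print(f"{f['level']:<8} {f['file']}:{f['line']}  {f['rule']}: {f['message']}")
    print(count_by_level(found))
    # Demote spelling findings to 'note', the kind of adjustment a severity
    # override file is meant to express.
    print(count_by_level(summarize(SAMPLE_SARIF, {"unrecognized-spelling": "note"})))
```

The level resolution order mirrors how SARIF consumers treat a missing result-level: they fall back to the rule's defaultConfiguration, so a severity override has to be applied with that fallback in mind rather than only to results that carry an explicit level.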

Results

Screenshots in the original page: code scanning in a PR, the code scanning list, and a code scanning entry.

Implementation plan

  • Generate SARIF JSON
  • Support uploading it using github/codeql-action/upload-sarif@releases/v2
  • Decide on how to opt-in/opt-out of using this format -- currently use_sarif: 1
  • Test in the check-spelling org -- in progress
  • Trial it in other repositories
  • Iterate