Known Producers and Consumers

Siteshwar Vashisht edited this page Jul 22, 2024 · 18 revisions

This page is not an endorsement of any of the following.

Known Producers of SARIF

  • ARM Template Best Practice Analyzer is an ARM template validator that scans ARM templates to ensure security and best practice checks are being followed before deployment.
  • AWS CloudFormation Linter is a tool that validates AWS CloudFormation yaml/json templates against the AWS CloudFormation Resource Specification and performs additional checks.
  • BinSkim is a binary-level security checker that validates Windows, Mac and *nix binaries.
  • Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  • Checkstyle is a Java style-guideline checker.
  • Checkov is a static code analysis tool for infrastructure-as-code.
  • Clang Analyzer, the LLVM C/C++ checker, has added SARIF export.
  • CodeQL is a multilanguage, intraprocedural checker with a large rule set.
  • CodeSonar is a static analysis tool which identifies programming bugs that can result in system crashes, memory corruption, leaks, data races, and security vulnerabilities.
  • CredScan is a file scanner that detects plaintext secrets.
  • csdiff contains utilities for processing results of static analyzers, dynamic analyzers, and formal verification tools.
  • DartAnalyzer is a dart/flutter analyzer.
  • Detekt is a static code analysis tool for the Kotlin programming language.
  • DevSkim is a set of IDE checkers and language analyzers that provide inline security analysis.
  • Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
  • Flawfinder is a C/C++ source code security checker.
  • FortifyVulnerabilityExporter allows exporting vulnerabilities from Fortify on Demand and Fortify Software Security Center to third-party products and output formats.
  • GCC, the GNU Compiler Collection, can emit its diagnostics in SARIF format from GCC 13 onwards.
  • GitHub CodeQL
  • GoSec is a GoLang security checker.
  • Kubesec, backed by ControlPlane.io provides Security risk analysis for Kubernetes resources.
  • Mayhem is an application security platform for identifying defects in software.
  • MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
  • NodeJSScan is a static security code scanner (SAST) for Node.js applications.
  • Psalm is an open source tool for finding security vulnerabilities in PHP.
  • PMD is a multilanguage source code analyzer.
  • PSScriptAnalyzer is a static code checker for PowerShell modules and scripts.
  • PREfast is the C/C++ correctness checker behind the Microsoft compiler /analyze switch.
  • Roslyn is a platform for analyzing and rewriting C#/VB.NET code.
  • SARIF Pattern Matcher is a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc.
  • Security Code Scan is a Vulnerability Patterns Detector for C# and VB.NET.
  • Semgrep, sponsored by R2C, supports a variety of languages.
  • Sobelow is the security-focused static analyzer for the Elixir Phoenix Framework.
  • SpotBugs is a Java code checker.
  • TerraScan is a static code analysis tool for infrastructure-as-code.
  • TFSec uses static analysis of your terraform templates to spot potential security issues.
  • Trivy is a vulnerability scanner for containers and other artifacts.
  • Upgrade Assistant is a project that enables automation of common tasks related to upgrading .NET Framework projects to the latest versions of .NET.

Known Consumers of SARIF