Convert reports from SARIF to other report formats.
- GitLab CodeQuality
- GitLab SAST
- HTML (powered by SARIF Web Component)
- Semgrep - Static Code Scanning & Analysis Tool
- GitLab Semgrep analyzer
- Qodana - Code quality platform powered by IntelliJ family
- InspectCode Command-Line Tool - static analyzer for .NET, powered by ReSharper
- Security Code Scan - static code analyzer for .NET
- ESLint - Used together with SARIF formatter for ESLint
- ktlint - Kotlin linter
- BinSkim Binary Analyzer - Portable Executable (PE) light-weight scanner
Linux only!
```
$ sarif-converter --help
Usage:
  sarif-converter [OPTIONS] input1.sarif [input2.sarif...] output.json

Application Options:
  -v, --version                       Show version.
  -t, --type=[sast|codequality|html]  Output report type. (default: html)
  -r, --src-root=                     Source root path.

Help Options:
  -h, --help                          Show this help message
```
$ wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
$ chmod +x sarif-converter
Run a static analysis tool such as Semgrep.
$ semgrep --config=auto --sarif --output=semgrep.sarif .
Convert to GitLab Code Quality JSON.
$ ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json
Convert to GitLab SAST JSON.
$ ./sarif-converter --type sast semgrep.sarif gl-sast-report.json
Convert to an HTML report.
$ ./sarif-converter --type html semgrep.sarif semgrep-report.html
Install Security Code Scan into your .NET project.
$ dotnet new tool-manifest
$ dotnet tool install security-scan
Scan your project.
$ dotnet security-scan YourProject.sln --export=security-scan.sarif
Convert to GitLab CodeQuality report.
$ ./sarif-converter --type codequality --src-root . security-scan.sarif gl-code-quality-report.json
Security Code Scan SARIF reports contain absolute file paths. The --src-root argument converts them to the relative paths required by the Code Quality report.
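To show what the conversion and the --src-root relativization described above actually do to a report, here is an added example that is not the sarif-converter code itself: it maps a constructed SARIF document (one absolute file:// URI as Security Code Scan emits, one relative path) onto GitLab Code Quality issues. The rule ids, message texts, paths and the severity mapping are sample values chosen for this example.

```python
import hashlib
import os
from urllib.parse import unquote, urlparse

# SARIF result levels mapped onto Code Quality severities (mapping chosen for this example)
SEVERITY = {"error": "critical", "warning": "major", "note": "minor", "none": "info"}

# Constructed sample SARIF: one absolute file:// URI (Security Code Scan style) and one relative path
SAMPLE_SARIF = {"runs": [{"results": [
    {"ruleId": "SCS0002", "level": "warning",
     "message": {"text": "Possible SQL injection."},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "file:///builds/group/project/src/Controllers/LoginController.cs"},
         "region": {"startLine": 42}}}]},
    {"ruleId": "SCS0005", "level": "error",
     "message": {"text": "Weak random number generator."},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/Program.cs"},
         "region": {"startLine": 7}}}]},
]}]}

def relativize(uri: str, src_root: str) -> str:
    """Turn an absolute path or file:// URI into a path relative to src_root (the --src-root role)."""
    parsed = urlparse(uri)
    path = unquote(parsed.path) if parsed.scheme == "file" else uri
    if os.path.isabs(path):
        return os.path.relpath(path, os.path.abspath(src_root))
    return os.path.normpath(path)

def sarif_to_codequality(sarif: dict, src_root: str) -> list:
    """Flatten every SARIF result location into one GitLab Code Quality issue."""
    issues = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "unknown")
            text = result.get("message", {}).get("text", "")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                path = relativize(phys.get("artifactLocation", {}).get("uri", ""), src_root)
                line = phys.get("region", {}).get("startLine", 1)
                # Stable fingerprint so GitLab can match the same issue between pipelines
                fp = hashlib.sha256(f"{rule}:{path}:{line}:{text}".encode()).hexdigest()
                issues.append({"description": text, "check_name": rule, "fingerprint": fp,
                               "severity": SEVERITY.get(result.get("level", "warning"), "major"),
                               "location": {"path": path, "lines": {"begin": line}}})
    return issues

def convert_sample() -> list:
    # Source root assumed to be the CI checkout directory of the constructed sample
    return sarif_to_codequality(SAMPLE_SARIF, "/builds/group/project")
```

Serialize the returned list with json.dumps to get a gl-code-quality-report.json that GitLab accepts as a codequality artifact.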
```yaml
codequality:sast:
  image: $CI_TEMPLATE_REGISTRY_HOST/security-products/semgrep:3
  before_script:
    - wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
    - chmod +x sarif-converter
  script:
    - /analyzer run
    - ./sarif-converter --type codequality semgrep.sarif gl-code-quality-report.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
```
sast
- If start_time and similar fields are not provided in the SARIF file, ad hoc values are set.
MIT