SonarCloud can import SARIF files to load external issues

Dear Community,

We are thrilled to announce a highly expected feature that has finally arrived on SonarCloud: the ability to import SARIF files to load external issues! This functionality, which has been available on SonarQube for a couple of years, has now been successfully ported to SonarCloud.

As in SonarQube, all issues created from a SARIF file are categorized as Vulnerabilities impacting the software quality “Security”. Currently, there is no way to override this default mapping. The severity of the issues is controlled by the severity field available at the rule level in the SARIF file.
See the documentation for more details.

We understand that this default mapping may not suit all use cases, and this is why we are eager to hear from you about how you are leveraging this new capability and how we could improve it.
We are currently conducting a survey to better understand your SARIF needs, and we encourage you to participate.

How to use it?

Add the property sonar.sarifReportPaths with the path to one SARIF file to your favourite SonarScanner.

Enjoy
Alex

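The announcement says issue severity is taken from the severity field at the rule level of the SARIF file, so a report whose results reference rules without that field, or reference no rule at all, is worth checking before the scan runs. The script below is an added example, not code from the post or from SonarSource: it reads a SARIF 2.1.0 report, resolves each result to its rule's `defaultConfiguration.level` (SARIF's rule-level severity; the post does not spell out how SonarCloud maps those levels to its own severities, and the script makes no assumption about that mapping), flags results whose severity cannot be derived that way, and prints the `sonar.sarifReportPaths` property to hand to sonar-scanner. The embedded report, the tool name `example-scanner` and the rule ids are constructed for the example.

```python
"""Pre-flight check for a SARIF 2.1.0 report before passing it to SonarScanner.

SonarCloud reads issue severity from the rule-level severity field, so results
whose rule carries no level (or whose ruleId has no rule entry) are flagged
here so they can be fixed in the producing tool before the scan.
"""
import json
import tempfile

# Constructed sample report (not real scanner output): one rule with a
# rule-level severity, one without, and one result whose ruleId has no rule.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",  # hypothetical tool name
            "rules": [
                {"id": "EX001",
                 "shortDescription": {"text": "Hard-coded credential"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "EX002",
                 "shortDescription": {"text": "Unused import"}},
            ],
        }},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Password literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002",
             "message": {"text": "os imported but unused"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 1}}}]},
            {"ruleId": "EX003", "level": "warning",
             "message": {"text": "Result with no rule entry"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def rule_levels(run):
    """Map ruleId -> defaultConfiguration.level (None when the rule has none)."""
    driver = run.get("tool", {}).get("driver", {})
    levels = {}
    for rule in driver.get("rules", []):
        if "id" in rule:
            levels[rule["id"]] = rule.get("defaultConfiguration", {}).get("level")
    return levels


def check_sarif(sarif):
    """Return (findings, problems).

    findings: one dict per result with the rule-level severity the import
    would read; problems: human-readable reasons a result's severity cannot
    be derived from its rule.
    """
    findings, problems = [], []
    if sarif.get("version") != "2.1.0":
        problems.append(f"unexpected SARIF version {sarif.get('version')!r}")
    for run_idx, run in enumerate(sarif.get("runs", [])):
        levels = rule_levels(run)
        for res in run.get("results", []):
            rid = res.get("ruleId")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "ruleId": rid,
                "ruleLevel": levels.get(rid),
                "resultLevel": res.get("level"),
                "uri": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
            })
            if rid not in levels:
                problems.append(f"run {run_idx}: {rid!r} has no entry in tool.driver.rules")
            elif levels[rid] is None:
                problems.append(f"run {run_idx}: rule {rid} has no defaultConfiguration.level; "
                                f"the result-level {res.get('level')!r} is not the field "
                                f"the import reads for severity")
    return findings, problems


def load_sarif(path):
    """Parse a SARIF file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def scanner_property(path):
    """The -D property that makes SonarScanner import the report."""
    return f"-Dsonar.sarifReportPaths={path}"


if __name__ == "__main__":
    # Write the constructed report to a temp file and run the check on it.
    with tempfile.NamedTemporaryFile("w", suffix=".sarif", delete=False) as fh:
        json.dump(SAMPLE_SARIF, fh)
        report_path = fh.name
    found, issues = check_sarif(load_sarif(report_path))
    for f in found:
        print(f"{f['uri']}:{f['line']} {f['ruleId']} rule-level={f['ruleLevel']}")
    for p in issues:
        print("WARNING:", p)
    print("sonar-scanner", scanner_property(report_path))
```

Run it against the report your tool produced (`python check_sarif.py` after pointing `load_sarif` at the real path), then pass the printed property to the scanner, for example `sonar-scanner -Dsonar.sarifReportPaths=build/results.sarif`. A result flagged with no rule-level level will still be imported as a Vulnerability per the announcement; the check only tells you its severity is not coming from where you might expect.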