It would be great if Sonar could import SARIF reports; then reports generated from https://github.com/anchore/scan-action could be imported and displayed in Sonar.
Thanks for the suggestion.
Do you know that SonarQube provides a generic way to load issues through its Generic Issue Import Format?
Maybe one thing to try before thinking about a native support of the SARIF format would be to try to convert the SARIF format into the Generic Issue Import Format.
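As an added example of the conversion suggested above (this is not code from the thread, from SonarSource or from Anchore), here is a small Python converter that reads a SARIF 2.1.0 document and emits SonarQube's Generic Issue Import Format. The SARIF sample embedded below is constructed for the example; the level-to-severity mapping is an assumption (neither format prescribes one), and the 1-based to 0-based column shift follows the column convention shown in SonarQube's documented examples. Results that carry no file path cannot be placed in a project, so the converter reports them instead of dropping them silently.

```python
"""Convert a SARIF 2.1.0 report into SonarQube's Generic Issue Import Format.

Added example, not part of the original thread. The resulting JSON file is the
kind of input SonarQube picks up through the sonar.externalIssuesReportPaths
analysis property.
"""
import json

# Assumed mapping from SARIF result levels to SonarQube severities.
LEVEL_TO_SEVERITY = {"error": "CRITICAL", "warning": "MAJOR", "note": "MINOR", "none": "INFO"}

# Constructed sample: one result with a file location, one image-level finding without one.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {
                "ruleId": "EXAMPLE-0001",
                "level": "error",
                "message": {"text": "Vulnerable package pinned in base image"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "Dockerfile"},
                    "region": {"startLine": 3, "endLine": 3, "startColumn": 1, "endColumn": 20},
                }}],
            },
            {
                "ruleId": "EXAMPLE-0002",
                "level": "note",
                "message": {"text": "Finding reported against the image, not a file"},
                "locations": [],
            },
        ],
    }],
}


def _text_range(region):
    """Build a SonarQube textRange from a SARIF region.

    SARIF columns are 1-based; the generic format's examples use 0-based
    columns (assumption), so each column is shifted by one. Only startLine
    is mandatory; the other fields are copied when present.
    """
    if not region or "startLine" not in region:
        return None
    rng = {"startLine": region["startLine"]}
    if "endLine" in region:
        rng["endLine"] = region["endLine"]
    if "startColumn" in region:
        rng["startColumn"] = region["startColumn"] - 1
    if "endColumn" in region:
        rng["endColumn"] = region["endColumn"] - 1
    return rng


def sarif_to_generic(sarif, default_engine="sarif-import", issue_type="VULNERABILITY"):
    """Return (generic_issue_document, skipped_rule_ids).

    One SonarQube issue is produced per physical location of each SARIF
    result. Results without any file path are collected in the skipped list
    so the caller can see what did not make it into SonarQube.
    """
    issues, skipped = [], []
    for run in sarif.get("runs", []):
        engine = run.get("tool", {}).get("driver", {}).get("name", default_engine)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown-rule")
            message = result.get("message", {}).get("text", rule_id)
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "MAJOR")
            mapped = False
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                if not uri:
                    continue  # SonarQube needs a project-relative file path
                primary = {"message": message, "filePath": uri}
                rng = _text_range(phys.get("region"))
                if rng:
                    primary["textRange"] = rng
                issues.append({
                    "engineId": engine,
                    "ruleId": rule_id,
                    "severity": severity,
                    "type": issue_type,
                    "primaryLocation": primary,
                })
                mapped = True
            if not mapped:
                skipped.append(rule_id)
    return {"issues": issues}, skipped


if __name__ == "__main__":
    doc, unmapped = sarif_to_generic(SAMPLE_SARIF)
    print(json.dumps(doc, indent=2))
    if unmapped:
        print("not importable (no file path):", ", ".join(unmapped))
```

Point `sonar.externalIssuesReportPaths` at the written JSON file when running the scanner; findings that only name an image rather than a file will not appear in SonarQube, which is the main gap a real SARIF-to-Generic bridge has to decide how to handle.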
SARIF is generated by the tool - I don’t want to spend time on special Sonar adoption; in that case it would be better to just go with GitHub’s offering in the security space instead. Also, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif is a standard, while the “generic format” is specific to Sonar.