Support SARIF reports

It would be great if Sonar could import SARIF reports; then reports generated from GitHub - anchore/scan-action: Anchore container analysis and scan provided as a GitHub Action could be imported and displayed in Sonar.

1 Like

Hello,

Thanks for the suggestion.

Do you know that SonarQube provides a generic way to load issues through its Generic Issue Import Format?
Maybe one thing to try before thinking about a native support of the SARIF format would be to try to convert the SARIF format into the Generic Issue Import Format.

Thanks
Alex
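The conversion Alex suggests above, worked through as an added example (this is not code from the thread, from SonarSource or from any of the scanners mentioned): a small converter that reads a SARIF 2.1.0 log and writes SonarQube's Generic Issue Import Format. The Generic Issue field names (`engineId`, `ruleId`, `severity`, `type`, `primaryLocation`, `textRange`) follow SonarQube's documented format; the mapping from SARIF `level` to Sonar severity, the default issue type of `VULNERABILITY` and the sample SARIF document are assumptions made for the example. Two details matter in practice and are handled here: SARIF may carry the level on the rule's `defaultConfiguration` rather than on each result, and SARIF columns are 1-based while Sonar's `textRange` columns are 0-based.

```python
"""Convert a SARIF 2.1.0 log into SonarQube's Generic Issue Import Format.

Added example; not code from the thread, SonarSource or any scanner.
The level-to-severity table and the default issue type are assumptions.
"""
import json
from typing import Any

# Assumed mapping from SARIF result levels to SonarQube severities.
LEVEL_TO_SEVERITY = {
    "error": "CRITICAL",
    "warning": "MAJOR",
    "note": "MINOR",
    "none": "INFO",
}


def sarif_to_generic(sarif: dict[str, Any], issue_type: str = "VULNERABILITY") -> dict[str, Any]:
    """Return a Generic Issue Import document built from every run/result in `sarif`.

    Results without a physical location are dropped: the Generic format requires a filePath.
    """
    issues = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        engine = driver.get("name", "sarif")
        # Tools often put the level on the rule's defaultConfiguration, not on each result.
        rule_levels = {
            rule.get("id"): rule.get("defaultConfiguration", {}).get("level", "warning")
            for rule in driver.get("rules", [])
        }
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            level = result.get("level") or rule_levels.get(rule_id, "warning")
            message = result.get("message", {}).get("text", rule_id)
            for loc in result.get("locations", []) or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                if not uri:
                    continue  # no file path -> cannot be expressed in the Generic format
                region = phys.get("region", {})
                start_line = region.get("startLine", 1)
                text_range = {"startLine": start_line, "endLine": region.get("endLine", start_line)}
                # SARIF columns are 1-based; SonarQube textRange columns are 0-based.
                if "startColumn" in region:
                    text_range["startColumn"] = region["startColumn"] - 1
                if "endColumn" in region:
                    text_range["endColumn"] = region["endColumn"] - 1
                issues.append({
                    "engineId": engine,
                    "ruleId": rule_id,
                    "severity": LEVEL_TO_SEVERITY.get(level, "MAJOR"),
                    "type": issue_type,
                    "primaryLocation": {"message": message, "filePath": uri, "textRange": text_range},
                })
    return {"issues": issues}


# Constructed sample SARIF log (not output of any real scanner) covering the three cases:
# level inherited from the rule, level on the result, and a result with no location.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "EX001", "message": {"text": "Hard-coded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                            "region": {"startLine": 12, "startColumn": 5, "endColumn": 20}}}]},
            {"ruleId": "EX002", "level": "note", "message": {"text": "Deprecated call"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                            "region": {"startLine": 3, "endLine": 4}}}]},
            {"ruleId": "EX003", "level": "warning", "message": {"text": "No location"}},
        ],
    }],
}


def convert_sample() -> dict[str, Any]:
    """Convert the constructed sample; used by the demo below."""
    return sarif_to_generic(SAMPLE_SARIF)


if __name__ == "__main__":
    # Write the result to a file that sonar.externalIssuesReportPaths can point at.
    print(json.dumps(convert_sample(), indent=2))
```

Point `sonar.externalIssuesReportPaths` at the generated file on the scanner invocation. The `filePath` values must be relative to the project base directory that the scanner analyses, so a SARIF log that records absolute or `file://` URIs needs its paths rewritten before import.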

SARIF is generated by the tool - I don’t want to spend time on special sonar adoption - in that case it would be better to just go with github’s offering in the security space instead. Also https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif is standard - while the “generic format” is special for sonar.

6 Likes

Has this been considered? Seems like more tools are arriving on the scene and producing SARIF reports. We are considering significant investment into SonarQube and many tools seem to be going this route to avoid needing to implement direct integration.

1 Like

Hello,

Thanks for checking. There is still no plan to support by default the SARIF format but we are collecting insights. So feel free to +1 on this thread to express your need with details about the linters/tools you would expect to use this SARIF feature for.

Alex

As Sonar doesn’t pick up a lot of the type errors tools like Psalm find, we would like to import SARIF files as well.

SARIF ingestion would be very useful, please take my +1 too!

+1 for importing kics.io results.

2 Likes

+1, would be useful for https://github.com/SpoonLabs/sorald/ (automatic repair system for SonarQube’s SonarJava)

+1 SARIF support would be useful to read reports from infersharp

+1 SARIF support would be useful to read reports from GitLeaks

+1 Sarif support would be useful to read reports on IaC security scans from Checkov.

1 Like

Hello,

+1

So many tools supporting the SARIF format.

For example, a list of Gitlab scanners and open-source tools on a ticket about supporting the SARIF format:

Gitlab is using its own report format for vulnerabilities.
SonarQube/Cloud provides its own format for issues.

Please consider implementing an import of SARIF reports, I really think that following mainstreams would be a better choice for adoption and future of SonarQ/C.

+1

SARIF is the export format supported by Snyk’s tools, too.

I have submitted a request to the SonarQube Roadmap to support the SARIF format. It's not yet been reviewed, but when it is, I sincerely hope all of you vote to support it and maybe it gets some traction.

It makes far more sense to support a standard interchange format than having a “Generic Import Tool” and limited / canned PDF reports for extract.

1 Like

Hi folks,
You’ll be happy to know that we are working on the implementation of SARIF file import in SonarQube :slight_smile:
A lot of you mentioned that “my tool X generates results in .sarif format”.
We are interested in knowing the type of issues your tools are generating: vulnerabilities? bugs/code smells? any type?

Thanks for your help :slight_smile:
Christophe - DevOps platforms PM

Hi Christophe,

Here I share part of the Terraform testing toolset available in the open-source community which is currently integrating SARIF as a format to export reports (among others):

  • checkov - is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
  • tfsec - tfsec uses static analysis of your terraform code to spot potential misconfigurations.
  • terrascan - Terrascan is a static code analyzer for Infrastructure as Code.

Hope it helps push the SARIF implementation in SonarQube, which would be awesome.

Thanks for your help,
Joan

2 Likes

Hey @joan.jon , thanks for your answer!
We are currently in the validation phase, we will test with the tools you mentioned :slight_smile:

Thanks!

1 Like

Hi Christophe,
It looks like SonarQube 9.8 will be introducing support for importing SARIF reports.

It would be helpful if it could mention the current list of supported tools which are tested and validated.

The tools I'm looking forward to are:

  1. Trivy - Most popular DevSecOps tools - Report Formats - Trivy
  2. kubescape: [NEW] Kubescape now integrates with GitHub Actions - ARMO
  3. kubesec: GitHub - controlplaneio/kubesec-action: Runs Kubesec as GitHub action

2 posts were split to a new topic: Trouble importing SARIF reports