DEV Community

Hollow Man


Code reviews and Suggestions from SARIF report

What I built

SARIF support for Reviewdog

Category Submission:

Maintainer Must-Haves

App Link

https://github.com/HollowMan6/sarif4reviewdog/pull/5

Screenshots


Description

SARIF, the Static Analysis Results Interchange Format, is a standard, JSON-based format for the output of static analysis tools.

This action enables maintainers to apply the fixes proposed by static code analysis tools directly from the PR review comments.

Link to Source Code

https://github.com/HollowMan6/sarif4reviewdog

Permissive License

MIT

Background

https://github.com/orgs/community/discussions/52156

GitHub Code Scanning can generate alerts from a SARIF report, but it does not surface the proposed fixes that the report contains. Being able to commit those proposed fixes to the codebase would be a useful addition.

Then I submitted the feature request, but nobody responded, so why not implement it myself instead?

How I built it

In SARIF, the fix object represents a proposed fix for the problem indicated by the result. It specifies a set of artifacts to modify; for each artifact, it specifies the regions to remove and provides the new content to insert.

I built a general converter from SARIF to the Reviewdog Diagnostic Format (RDFormat), then use Reviewdog to post the suggested code changes, together with the context of each change, as PR review comments.
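As an added illustration of that conversion (example code written for this page, not the action's own implementation from the repository linked above), a minimal Python converter maps a SARIF result and its fix object onto an RDFormat (rdjson) diagnostic carrying reviewdog suggestions. The tool name, rule id, file path and fix contents are constructed sample data, and the region handling assumes reviewdog reads SARIF's end-exclusive endColumn unchanged.

```python
# Constructed sample SARIF log (made-up tool, rule and file): one result whose
# fix object deletes a region of src/checksum.py and inserts replacement text.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "demo-linter", "informationUri": "https://example.invalid/demo-linter"}},
    "results": [{
        "ruleId": "insecure-hash", "level": "warning",
        "message": {"text": "MD5 is not collision resistant; use SHA-256."},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/checksum.py"},
            "region": {"startLine": 12, "startColumn": 8, "endLine": 12, "endColumn": 19}}}],
        "fixes": [{"artifactChanges": [{
            "artifactLocation": {"uri": "src/checksum.py"},
            "replacements": [{
                "deletedRegion": {"startLine": 12, "startColumn": 8, "endLine": 12, "endColumn": 19},
                "insertedContent": {"text": "hashlib.sha256"}}]}]}]}]}]}

LEVEL_TO_SEVERITY = {"error": "ERROR", "warning": "WARNING", "note": "INFO"}  # SARIF level -> rdjson

def region_to_range(region):
    """SARIF region -> rdjson range; both are 1-based. SARIF's endColumn names the column
    after the region; it is passed through as-is (assumption: reviewdog reads it the same way)."""
    start_line = region["startLine"]
    end = {"line": region.get("endLine", start_line)}
    if "endColumn" in region:  # absent endColumn means "to end of line"; leave column unset
        end["column"] = region["endColumn"]
    return {"start": {"line": start_line, "column": region.get("startColumn", 1)}, "end": end}

def sarif_to_rdjson(sarif):
    """Convert the first SARIF run into rdjson, carrying each fix's replacements as suggestions."""
    run = sarif["runs"][0]
    driver = run["tool"]["driver"]
    diagnostics = []
    for result in run.get("results", []):
        loc = result["locations"][0]["physicalLocation"]
        path = loc["artifactLocation"]["uri"]
        suggestions = []
        for fix in result.get("fixes", []):
            for change in fix.get("artifactChanges", []):
                if change["artifactLocation"]["uri"] != path:
                    continue  # a PR suggestion can only edit the diagnosed file
                for rep in change.get("replacements", []):
                    suggestions.append({"range": region_to_range(rep["deletedRegion"]),
                                        # no insertedContent == pure deletion
                                        "text": rep.get("insertedContent", {}).get("text", "")})
        diagnostics.append({
            "message": result["message"]["text"], "code": {"value": result.get("ruleId", "")},
            "location": {"path": path, "range": region_to_range(loc["region"])},
            "severity": LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "UNKNOWN_SEVERITY"),
            "suggestions": suggestions})
    return {"source": {"name": driver["name"], "url": driver.get("informationUri", "")}, "diagnostics": diagnostics}
```

Serialising the returned dict with `json.dumps` yields a document reviewdog accepts with `-f=rdjson`, which is how the suggestion reaches the PR as a review comment.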

Additional Resources/Info

This Action is currently used by kubescape, a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform and includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.
