SARIF

SARIF (Static Analysis Results Interchange Format) is a standard format for the output of static analysis tools. It can be used to show alerts in your GitHub repository as a part of the code scanning experience.

A typical output looks like this

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Checkov",
          "version": "2.3.55",
          "informationUri": "https://www.checkov.io/",
          "rules": [
            {
              "id": "CKV_AWS_21",
              "name": "Ensure the S3 bucket has versioning enabled",
              "shortDescription": {
                "text": "Ensure the S3 bucket has versioning enabled"
              },
              "fullDescription": {
                "text": "Ensure the S3 bucket has versioning enabled"
              },
              "help": {
                "text": "Ensure the S3 bucket has versioning enabled\nResource: aws_s3_bucket.operations"
              },
              "helpUri": "https://docs.bridgecrew.io/docs/s3_16-enable-versioning",
              "defaultConfiguration": {
                "level": "error"
              }
            },
            {
              "id": "CKV_AWS_3",
              "name": "Ensure all data stored in the EBS is securely encrypted",
              "shortDescription": {
                "text": "Ensure all data stored in the EBS is securely encrypted"
              },
              "fullDescription": {
                "text": "Ensure all data stored in the EBS is securely encrypted"
              },
              "help": {
                "text": "Ensure all data stored in the EBS is securely encrypted\nResource: aws_ebs_volume.web_host_storage"
              },
              "helpUri": "https://docs.bridgecrew.io/docs/general_7",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ],
          "organization": "bridgecrew"
        }
      },
      "results": [
        {
          "ruleId": "CKV_AWS_21",
          "ruleIndex": 0,
          "level": "error",
          "attachments": [],
          "message": {
            "text": "Ensure the S3 bucket has versioning enabled"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "s3.tf"
                },
                "region": {
                  "startLine": 1,
                  "endLine": 3,
                  "snippet": {
                    "text": "resource aws_s3_bucket \"operations\" {\n  bucket = \"example\"\n}\n"
                  }
                }
              }
            }
          ]
        },
        {
          "ruleId": "CKV_AWS_3",
          "ruleIndex": 1,
          "level": "error",
          "attachments": [],
          "message": {
            "text": "Ensure all data stored in the EBS is securely encrypted"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "ec2.tf"
                },
                "region": {
                  "startLine": 5,
                  "endLine": 7,
                  "snippet": {
                    "text": "resource aws_ebs_volume \"web_host_storage\" {\n  availability_zone = \"us-west-2a\"\n}\n"
                  }
                }
              }
            }
          ]
        }
      ]
    }
  ]
},

The output can be created via the output flag

checkov -d . -o sarif

Structure

Further information on the different elements and attributes can be found here.