Skip to main content

Ingest SARIF scan results

Static Analysis Results Interchange Format (SARIF) is an open data format supported by many scan tools, especially tools available as GitHub Actions. You can easily ingest SARIF 2.1.0 data from any tool that supports this format.

Important notes for ingesting SARIF data into STO

  • This workflow is intended for scanners that have no supported integration in STO. Harness recommends that you always use the documented workflow for supported scanners. For a list of all STO-supported scanners, go to Scanners supported by STO.

  • Harness STO also supports an STO Custom JSON format for unsupported scanners that can't publish to SARIF. For more information, go to Ingest Results from Unsupported Scanners.

Workflow for ingesting SARIF data into STO

The following workflow describes how to set up an ingestion pipeline for any scanner that supports SARIF.

  1. Add a shared path such as /shared/scan_results to the stage. Go to Overview > Shared Paths in the visual editor, or add it to the YAML like this:
    - stage:
      spec:
        sharedPaths:
          - /shared/scan_results

  1. Publish your scan results to a data file in SARIF 2.1.0 format.

    You might want to set up a Run step to generate your scans automatically whenever the pipeline runs.

  2. Copy the SARIF file to the /shared/scan_results folder.

  3. Add an ingestion step after the Run step and configure it as follows.

    1. If your scanner has its own step in the Step Library, add that step. If your scanner doesn't have its own step, add a Custom Ingest step.

    2. Set the Scan Mode to Ingestion.

    3. Enter the full path and filename in Ingestion File.

Here's an example of how to configure a Gitleaks step to ingest a SARIF data file:

- step:
   type: Gitleaks
   name: gitleaks
   identifier: gitleaks
   spec:
      mode: ingestion
      config: default
      target:
         name: nodegoat
         type: repository
         variant: dev
      advanced:
         log:
         level: debug
      ingestion:
         file: /shared/scan_results/gitleaks.sarif
   description: gitleaks step

Example workflows for ingesting SARIF data into STO

The following topics describe end-to-end example pipelines for ingesting SARIF data: