Ingest SARIF scan results
Static Analysis Results Interchange Format (SARIF) is an open data format supported by many scan tools, especially tools available as GitHub Actions. You can easily ingest SARIF 2.1.0 data from any tool that supports this format.
Important notes for ingesting SARIF data into STO
- This workflow is intended for scanners that have no supported integration in STO. Harness recommends that you always use the documented workflow for supported scanners. For a list of all STO-supported scanners, go to Scanners supported by STO.
- Harness STO also supports an STO Custom JSON format for unsupported scanners that can't publish to SARIF. For more information, go to Ingest Results from Unsupported Scanners.
Workflow for ingesting SARIF data into STO
The following workflow describes how to set up an ingestion pipeline for any scanner that supports SARIF.
- Add a shared path such as /shared/scan_results to the stage. Go to Overview > Shared Paths in the visual editor, or add it to the stage YAML like this:

  - stage:
      spec:
        sharedPaths:
          - /shared/scan_results
- Publish your scan results to a data file in SARIF 2.1.0 format. You might want to set up a Run step that runs the scanner automatically whenever the pipeline runs.
- Copy the SARIF file to the /shared/scan_results folder. The Run step and the ingestion step only see the same file if both use the shared path, so write the file there (or copy it there) inside the Run step.
- Add an ingestion step after the Run step and configure it as follows:
  - If your scanner has its own step in the Step Library, add that step. If your scanner doesn't have its own step, add a Custom Ingest step.
  - Set the Scan Mode to Ingestion.
  - Enter the full path and filename in Ingestion File. This must match the location the Run step wrote the file to, including the shared path.
Here's an example of how to configure a Gitleaks step to ingest a SARIF data file:

- step:
    type: Gitleaks
    name: gitleaks
    identifier: gitleaks
    spec:
      mode: ingestion
      config: default
      target:
        name: nodegoat
        type: repository
        variant: dev
      advanced:
        log:
          level: debug
      ingestion:
        file: /shared/scan_results/gitleaks.sarif
    description: gitleaks step
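Before the ingestion step reads the file, it is worth checking that what the Run step produced really is SARIF 2.1.0 and that each result carries a rule, a message and a location, since a finding without those is hard to triage once it is in STO. The script below is an added example and is not part of the Harness documentation or of any scanner's own tooling. It embeds a constructed gitleaks-style SARIF document as sample input (the second result deliberately has no location), and the path /shared/scan_results/gitleaks.sarif is the one used in the step above. Run it in the same Run step after the scanner writes its output, pass the file path as the argument, and let the non-zero exit fail the step so that a malformed file never reaches the ingestion step.

```python
"""Sanity-check a SARIF 2.1.0 file before an STO ingestion step reads it.

Added example for the workflow above; not Harness or gitleaks code.
Usage inside a Run step (path is an assumption matching the example):
    python3 check_sarif.py /shared/scan_results/gitleaks.sarif
"""
import json
import sys
from collections import Counter

SARIF_VERSION = "2.1.0"

# Constructed sample shaped like gitleaks output. The second result has an
# empty locations array, a defect worth catching before ingestion.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "gitleaks", "semanticVersion": "8.0.0",
                                "rules": [{"id": "aws-access-key"},
                                          {"id": "generic-api-key"}]}},
            "results": [
                {
                    "ruleId": "aws-access-key",
                    "level": "error",
                    "message": {"text": "AWS access key detected"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "config/settings.py"},
                        "region": {"startLine": 12}}}],
                },
                {
                    "ruleId": "generic-api-key",
                    "message": {"text": "Generic API key detected"},
                    "locations": [],
                },
            ],
        }
    ],
}


def check_sarif(doc):
    """Return (errors, notes).

    errors: the document is not SARIF 2.1.0 in the shape the ingestion step
            expects (wrong version, no runs, run without a tool name).
    notes:  results that would be ingested without a ruleId, message text or
            file location; they are ingestible but hard to act on.
    """
    errors, notes = [], []
    if doc.get("version") != SARIF_VERSION:
        errors.append(f"version is {doc.get('version')!r}, expected {SARIF_VERSION!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        errors.append("no non-empty 'runs' array")
        return errors, notes
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            errors.append(f"runs[{i}]: tool.driver.name is missing")
        for j, res in enumerate(run.get("results", [])):
            where = f"runs[{i}].results[{j}]"
            if not res.get("ruleId"):
                notes.append(f"{where}: no ruleId")
            if not res.get("message", {}).get("text"):
                notes.append(f"{where}: no message.text")
            if not res.get("locations"):
                notes.append(f"{where}: no locations")
    return errors, notes


def summarize(doc):
    """Count results by SARIF level and by ruleId across all runs.
    SARIF's default level when the property is absent is "warning"."""
    levels, rules = Counter(), Counter()
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            levels[res.get("level", "warning")] += 1
            rules[res.get("ruleId", "<no ruleId>")] += 1
    return {"levels": dict(levels), "rules": dict(rules)}


def check_file(path):
    """Load a SARIF file from disk and return ((errors, notes), summary)."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return check_sarif(doc), summarize(doc)


def main(argv):
    if len(argv) > 1:
        (errors, notes), summary = check_file(argv[1])
    else:  # no path given: exercise the embedded sample
        (errors, notes), summary = check_sarif(SAMPLE_SARIF), summarize(SAMPLE_SARIF)
    for n in notes:
        print("NOTE ", n)
    for e in errors:
        print("ERROR", e)
    print("summary:", json.dumps(summary, sort_keys=True))
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The version check matters because the ingestion step expects SARIF 2.1.0 specifically; the per-result notes do not block the step, but printing them in the Run step log makes it obvious why a finding in STO shows no file or rule.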
Example workflows for ingesting SARIF data into STO
The following topics describe end-to-end example pipelines for ingesting SARIF data: