Ingest SARIF scan results into STO

Static Analysis Results Interchange Format (SARIF) is an open data format supported by many scan tools, especially tools available as GitHub Actions. You can easily ingest SARIF 2.1.0 data from any tool that supports this format.

Important notes for ingesting SARIF data into STO

  • This workflow is intended for scanners that have no supported integration in STO. Harness recommends that you always use the documented workflow for supported scanners. For a list of all STO-supported scanners, go to Scanners supported by STO.

  • Harness STO also supports an STO Custom JSON format for unsupported scanners that can't publish to SARIF. For more information, go to Ingest Results from Unsupported Scanners.

Workflow for ingesting SARIF data into STO

The following workflow describes how to set up an ingestion pipeline for any scanner that supports SARIF.

  1. Add a shared path such as /shared/scan_results to the stage. Go to Overview > Shared Paths in the visual editor, or add it to the YAML like this:

     - stage:
         spec:
           sharedPaths:
             - /shared/scan_results

  2. Publish your scan results to a data file in SARIF 2.1.0 format.

     You might want to set up a Run step to generate your scans automatically whenever the pipeline runs.

  3. Copy the SARIF file to the /shared/scan_results folder.

  4. Add an ingestion step after the Run step and configure it as follows.

    • If you're using a scanner that has a scanner template, use the scanner template to ingest your results. Set the Scan Mode to Ingestion and configure the step as described in the STO Scanner Reference topic for that step.

    • If you're using a scanner that does not have a scanner template, use a Custom Ingest step.

Here's an example of how to configure a Gitleaks step to ingest a SARIF data file:

- step:
    type: Gitleaks
    name: gitleaks
    identifier: gitleaks
    spec:
      mode: ingestion
      config: default
      target:
        name: nodegoat
        type: repository
        variant: dev
      advanced:
        log:
          level: debug
      ingestion:
        file: /shared/scan_results/gitleaks.sarif
    description: gitleaks step
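The following stage ties steps 1 through 4 together: a Run step writes a SARIF 2.1.0 report into the shared path, and the Gitleaks step above ingests it. This is an added example, not from the Harness documentation; the pipeline name, the Harness Cloud runtime, the Docker connector and the gitleaks image are assumptions to replace with your own, and the project and org identifiers are left for Harness to fill in.

```yaml
pipeline:
  name: sarif_ingest_example            # assumed names/identifiers throughout
  identifier: sarif_ingest_example
  stages:
    - stage:
        name: scan_and_ingest
        identifier: scan_and_ingest
        type: SecurityTests
        spec:
          cloneCodebase: true
          sharedPaths:
            - /shared/scan_results      # step 1: path visible to every step in the stage
          platform:
            os: Linux
            arch: Amd64
          runtime:
            type: Cloud                 # assumed: Harness Cloud build infrastructure
            spec: {}
          execution:
            steps:
              - step:
                  type: Run             # steps 2 and 3: write SARIF, place it in the shared path
                  name: run_gitleaks
                  identifier: run_gitleaks
                  spec:
                    connectorRef: <+input>               # placeholder Docker registry connector
                    image: zricethezav/gitleaks:latest   # assumed image
                    shell: Sh
                    command: |-
                      set -e
                      mkdir -p /shared/scan_results
                      # --exit-code 0: a detected leak must not fail this step,
                      # otherwise the ingestion step never runs and nothing reaches STO
                      gitleaks detect --source . --report-format sarif --report-path /shared/scan_results/gitleaks.sarif --exit-code 0
                      # sanity check: the report must declare the SARIF 2.1.0 schema version
                      grep -q '"version": *"2.1.0"' /shared/scan_results/gitleaks.sarif
              - step:
                  type: Gitleaks        # step 4: scanner template in ingestion mode
                  name: gitleaks
                  identifier: gitleaks
                  spec:
                    mode: ingestion
                    config: default
                    target:
                      name: nodegoat
                      type: repository
                      variant: dev
                    ingestion:
                      file: /shared/scan_results/gitleaks.sarif
```

If the Run step exits non-zero (for example because the report is missing or not SARIF 2.1.0), the stage stops before ingestion, which is the failure you want to see rather than an empty result set in STO.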

Example workflows for ingesting SARIF data into STO

The following topics describe end-to-end example pipelines for ingesting SARIF data: