Static Analysis Results Interchange Format (SARIF) is an open data format supported by many scan tools, especially tools available as GitHub Actions. You can easily ingest SARIF 2.1.0 data from any tool that supports this format.
Important notes for ingesting SARIF data into STO
This workflow is intended for scanners that have no supported integration in STO. Harness recommends that you always use the documented workflow for supported scanners. For a list of all STO-supported scanners, go to What's supported and click Harness STO scanner support to expand.
Harness STO also supports an STO Custom JSON format for unsupported scanners that can't publish to SARIF. For more information, go to Ingest Results from Unsupported Scanners.
Workflow for ingesting SARIF data into STO
The following workflow describes how to set up an ingestion pipeline for any scanner that supports SARIF.
In your Harness pipeline, go to the Overview tab of the security stage and enter a shared path such as
Publish your scan results to a data file in SARIF 2.1.0 format.
You might want to set up a Run step to generate your scans automatically whenever the pipeline runs.
Copy the SARIF file to the
Add an ingestion step after the Run step and configure it as follows.
If you're using a scanner that has a scanner template, use the scanner template to ingest your results. Set the Scan Mode to Ingestion and configure the step as described in the STO Scanner Reference topic for that step.
If you're using a scanner that does not have a scanner template, use a Custom Ingest step.
Here's an example of how to configure a Gitleaks step to ingest a SARIF data file:
description: gitleaks step
Example workflows for ingesting SARIF data into STO
The following topics describe end-to-end example pipelines for ingesting SARIF data: