Generating Decorated SARIF Reports

What is a SARIF Report?

SARIF (Static Analysis Results Interchange Format) is a standardized file format used to represent the results of static code analysis. SARIF reports help developers and security teams:

• Track issues such as bugs, code smells, or vulnerabilities for your branch and PR requests.

• Understand issue metadata (e.g., severity, category/type)

• Integrate results with tools like GitHub Advanced Security, Azure DevOps, or custom dashboards

⚙️ How SARIF File Generation Works in the Workflow

• You cannot enable both generateSarifFile and generateReportFile as true within a single configuration.

• The generateSarifFile flag controls the generation of reports on both the server and client sides:

  • When generateSarifFile is set to true, server-side reports are generated.

  • When generateSarifFile is set to false, client-side reports are generated. In this case, it is not necessary to explicitly set generateReportFile: true, as it is enabled by default in the configuration.

There are two types of report generation in the system:

1. Server-Side SARIF File – Controlled by generateSarifFile

2. Client-Side Report File – Controlled by generateReportFile ( SARIF, SAST )

Each has its own use case and default behavior.

🧩 Configurations and Their Defaults

Why we have two different repo generations in CodeScan: Functional Differences

🧠 Why These Two Options?

• Server-side SARIF (generateSarifFile: true) This option produces a comprehensive SARIF report, including all issues (open + resolved), Security Hotspots and full metadata such as Type and Severity. This is crucial for:

  • Security auditing

  • Historical tracking

  • Full integration with enterprise-grade systems

We can also generate codescan reports using sfdx and sonarcanner cli by passing the correct parameters in the command -Dsonar.analysis.report.enabled=true -Dsonar.analysis.report.type=sarif

• Client-side SARIF (generateReportFile: true or generateSarifFile: false) This is useful for developers during early analysis or CI runs where only open issues are needed. It creates a basic report with just open issues, but with metadata like Type and Severity for rules and results. Ideal for quick checks.

We can also generate codescan reports using sfdx and sonarcanner cli by passing the correct parameters in the command -Dcodescan.reports.enabled=true -Dcodescan.reports.type=sarif or sast

✅ Summary of Behavior

Example: Rules sample format:

"rules": [
{
"id": "sf:LeftBracesLinePositions",
"name": "Left Braces Positioning Should Be Consistent",
"shortDescription": {
"text": "Left Braces Positioning Should Be Consistent"
},
"fullDescription": {
"text": "Left Braces Positioning Should Be Consistent"
},
"defaultConfiguration": {
"enabled": true,
"level": "warning"
},
"help": {
"text": "Left Braces Positioning Should Be Consistent [Type: Code Smell, Severity: Minor]"
},
"properties": {
"tags": [
"dummy",
"convention",
"hello"
]
}
}
]

Results sample format:

"rules": [
{
"id": "sf:LeftBracesLinePositions",
"name": "Left Braces Positioning Should Be Consistent",
"shortDescription": {
"text": "Left Braces Positioning Should Be Consistent"
},
"fullDescription": {
"text": "Left Braces Positioning Should Be Consistent"
},
"defaultConfiguration": {
"enabled": true,
"level": "warning"
},
"help": {
"text": "Left Braces Positioning Should Be Consistent [Type: Code Smell, Severity: Minor]"
},
"properties": {
"tags": [
"dummy",
"convention",
"hello"
]
}
}
]