sarif-tools
SARIF Tools
Microsoft's sarif-tools — a Python CLI and library for working with SARIF (Static Analysis Results Interchange Format) files.
Installation
# pip
pip install sarif-tools
# pipx (recommended — isolated environment)
pipx install sarif-tools
# Verify
sarif --version
If sarif is not on PATH after install, use python -m sarif instead.
Commands
| Command | Purpose |
|---|---|
summary |
Text summary with issue counts by severity and tool |
csv |
Export issues to CSV for spreadsheet analysis |
html |
Generate HTML report for browser viewing |
word |
Generate MS Word (.docx) summary report |
diff |
Compare two sets of SARIF files (new vs old findings) |
copy |
Merge/filter SARIF files into a single consolidated file |
blame |
Augment SARIF with git blame info (who last modified each line) |
codeclimate |
Convert to Code Climate JSON for GitLab Code Quality reports |
info |
Print structural information about SARIF files |
ls |
List all SARIF files in a directory |
trend |
Generate CSV time series from timestamped SARIF files |
emacs |
Output in emacs-compatible format |
Usage Examples
Summarize Findings
# Summary of a single file
sarif summary scan-results.sarif
# Summary of all SARIF files in a directory
sarif summary ./sarif-output/
Output shows counts by severity (error, warning, note) grouped by tool and rule.
Consolidate Multiple SARIF Files
# Merge all SARIF files into one
sarif copy -o consolidated.sarif ./sarif-output/
# Merge with timestamp in filename (for trend tracking)
sarif copy -o consolidated.sarif --timestamp ./sarif-output/
Export to CSV
# Basic CSV export
sarif csv -o findings.csv ./sarif-output/
# Strip common path prefix for cleaner output
sarif csv --autotrim -o findings.csv ./sarif-output/
# Strip specific prefix
sarif csv --trim /home/user/project -o findings.csv ./sarif-output/
CSV includes columns: severity, rule ID, message, file, line. If blame info is present, includes author.
Generate HTML Report
sarif html -o report.html ./sarif-output/
Generate Word Report
sarif word -o report.docx ./sarif-output/
Diff Between Builds
# Compare old vs new scan results
sarif diff ./old-sarif/ ./new-sarif/
# Output diff to JSON file
sarif diff -o diff-report.json ./old-sarif/ ./new-sarif/
# Exit with error if new issues at warning level or above
sarif diff --check warning ./old-sarif/ ./new-sarif/
Add Git Blame Information
# Augment SARIF with blame info (run from git repo root)
sarif blame -o ./blamed-sarif/ ./sarif-output/
# Specify git repo path explicitly
sarif blame -o ./blamed-sarif/ -c /path/to/repo ./sarif-output/
Adds author, commit, timestamp to each finding's property bag. Enables author-based filtering and CSV author column.
Code Climate for GitLab
# Generate Code Climate JSON for GitLab merge request UI
sarif codeclimate -o codeclimate.json ./sarif-output/
Publish as a Code Quality artifact in GitLab CI pipeline.
Filtering
After running sarif blame, use filter files to include/exclude findings by author, date, or other blame properties:
# Apply filter to CSV export
sarif csv --filter my-filter.yaml -o filtered.csv ./blamed-sarif/
# Apply filter to copy (consolidated output)
sarif copy --filter my-filter.yaml -o filtered.sarif ./blamed-sarif/
Filter file format (YAML):
# Include only findings from specific authors
include:
author:
- "developer@company.com"
# Exclude findings from specific authors
exclude:
author:
- "bot@company.com"
CI/CD Integration
# Exit with error code if any error-level findings exist
sarif --check error summary ./sarif-output/
# Exit with error code if any warning-or-above findings exist
sarif --check warning summary ./sarif-output/
# Check for regressions between builds
sarif diff --check warning ./baseline-sarif/ ./current-sarif/
File Discovery
# List all SARIF files in a directory tree
sarif ls ./project-output/
# Get structural info about SARIF files
sarif info ./sarif-output/
Trend Analysis
# Generate CSV time series from timestamped SARIF files
# Files must have timestamps in filenames: myapp_tool_20260212T120000Z.sarif
sarif trend -o trend.csv ./sarif-history/
SARIF Format Notes
SARIF v2.1.0 is the standard format. Key fields used by sarif-tools:
- Severity levels:
error,warning,note,none - Result fields:
ruleId,message,level,locations,codeFlows - Location:
physicalLocation.artifactLocation.uri+region.startLine
Different tools map their severity levels differently. sarif-tools handles common variations, but some tools may need preprocessing for best results.
Glob Patterns
All commands accept glob patterns for input:
# Process all devskim SARIF files recursively
sarif summary "./output/**/devskim*.sarif"
Python Library Usage
from sarif import loader
# Load SARIF files
sarif_files = loader.loader("./sarif-output/")
# Access results programmatically
for run in sarif_files:
for result in run.get_results():
print(result.get("ruleId"), result.get("level"))
References
- Repository: https://github.com/microsoft/sarif-tools
- PyPI: https://pypi.org/project/sarif-tools/
- SARIF Standard: https://sarifweb.azurewebsites.net/
- SARIF Spec (OASIS): https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
More from igbuend/grimbard
tikz
LaTeX TikZ/PGF package for programmatic vector graphics and diagrams. Use when helping users draw flowcharts, trees, graphs, automata, circuits, geometric figures, or any custom diagram in LaTeX.
91latex
Comprehensive LaTeX reference for document creation, formatting, mathematics, tables, figures, bibliographies, and compilation. Use when helping users write, edit, debug, or compile LaTeX documents.
37pgfplots
LaTeX pgfplots package for data visualization and plotting. Use when helping users create line plots, bar charts, scatter plots, histograms, 3D surfaces, or any scientific/data plot in LaTeX.
31ethical-hacking-ethics
Legal and ethical guidelines for bug bounties, pentesting, and security research. Use when conducting authorized security testing.
12weak-encryption-anti-pattern
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
11amsmath
LaTeX amsmath/amssymb/mathtools packages for mathematical typesetting. Use when helping users write equations, align math, use mathematical symbols, matrices, theorems, or any advanced math formatting.
10