How to output a SARIF file from a .NET project

By Gérald Barré

SARIF (Static Analysis Results Interchange Format) is an OASIS Standard that defines an output file format for static analysis tools. Its purpose is to streamline how those tools share their results. SARIF is a JSON-based format that is easy to parse, and many tools support it, including Visual Studio Code and Visual Studio. GitHub also accepts this format for reporting static analysis results: you can upload a SARIF file to GitHub and view the results in the Security tab. For more information, see Uploading a SARIF file to GitHub.

Many tools can output SARIF files, including the .NET SDK and ESLint. In the case of .NET, the file generated by the compiler contains the compiler errors and warnings as well as the results of Roslyn analyzers.

A SARIF file is easy to output from a .NET project: set the ErrorLog property in the project file to the name of the SARIF file (and, optionally, the SARIF version). First, create a new console project:

dotnet new console --name SarifExample

Then, update the csproj file to include the ErrorLog property:

SarifExample.csproj (MSBuild project file)
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <ErrorLog>example.sarif,version=2.1</ErrorLog>
  </PropertyGroup>
</Project>

Now, when you build the project, the compiler writes the SARIF file named in ErrorLog (here example.sarif). Use the dotnet build command to create it:

Shell
dotnet build
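Once the build has written example.sarif, the next step is usually to triage it or to gate a CI job on it. The following Python example is added here and is not code from the original post: it parses the SARIF 2.1 structure the compiler emits (runs, results, ruleId, level, physicalLocation), counts results by level and by rule id, and decides whether the build should be blocked. The embedded SARIF document is a constructed sample shaped like compiler output, and the rule ids and messages in it are illustrative.

```python
"""Triage a SARIF 2.1 file like the one <ErrorLog> makes the .NET compiler write."""
import json
from collections import Counter

# Constructed sample shaped like compiler output; not a real build log.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "Microsoft (R) Visual C# Compiler"}},
    "results": [
      {"ruleId": "CA2100", "level": "warning", "message": {"text": "Review the query for SQL injection."},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Program.cs"}, "region": {"startLine": 12}}}]},
      {"ruleId": "CS8618", "level": "warning", "message": {"text": "Non-nullable property is uninitialized."},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Program.cs"}, "region": {"startLine": 3}}}]},
      {"ruleId": "CS1002", "level": "error", "message": {"text": "; expected"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Program.cs"}, "region": {"startLine": 20}}}]}
    ]}]
}"""


def load_results(sarif_text):
    """Flatten every result in every run into a row holding the fields triage needs."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got {doc.get('version')!r}")
    rows = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # Only the first location is used; results may carry none at all.
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({
                "ruleId": res.get("ruleId", "<no rule>"),
                "level": res.get("level", "warning"),  # SARIF default when omitted
                "uri": phys.get("artifactLocation", {}).get("uri", "<no file>"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return rows


def summarize(rows):
    """Counts by level and by rule id, suitable for a CI job summary."""
    return {"by_level": dict(Counter(r["level"] for r in rows)),
            "by_rule": dict(Counter(r["ruleId"] for r in rows))}


def should_block(rows, block_levels=("error",), block_rules=()):
    """True when any result is at a blocking level or comes from a rule the team treats as blocking."""
    return any(r["level"] in block_levels or r["ruleId"] in block_rules for r in rows)
```

Point load_results at the contents of example.sarif and pass the rule ids you want enforced (security analyzers, typically) in block_rules to fail the pipeline on them even when they are only warnings.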
