
Ingest SARIF scan results

Static Analysis Results Interchange Format (SARIF) is an open data format supported by many scan tools, especially tools available as GitHub Actions. You can easily ingest SARIF 2.1.0 data from any tool that supports this format.

Important notes

  • This workflow is intended for scanners that have no supported integration in STO. Harness recommends that you always use the documented workflow for supported scanners. For a list of all STO-supported scanners, go to What's supported and click Harness STO scanner support to expand.

  • Harness STO also supports an STO Custom JSON format for unsupported scanners that can't publish to SARIF. For more information, go to Ingest Results from Unsupported Scanners.

Ingestion workflow description

The following workflow describes how to set up an ingestion pipeline for any scanner that supports SARIF.

  1. In your Harness pipeline, go to the Overview tab of the security stage and enter a shared path such as /shared/customer_artifacts.

  2. Publish your scan results to a data file in SARIF 2.1.0 format.

    You might want to set up a Run step to generate your scans automatically whenever the pipeline runs.

  3. Copy the SARIF file to the /shared/customer_artifacts folder.

  4. Add an ingestion step after the Run step and configure it as follows.

    • If you're using a scanner that has a scanner template, use the scanner template to ingest your results. Set the Scan Mode to Ingestion and configure the step as described in the STO Scanner Reference topic for that step.

    • If you're using a scanner that does not have a scanner template, use a Custom Ingest step.

Here's an example of how to configure a Gitleaks step to ingest a SARIF data file:

```yaml
- step:
    type: Gitleaks
    name: gitleaks
    identifier: gitleaks
    spec:
      mode: ingestion
      config: default
      target:
        name: nodegoat
        type: repository
        variant: dev
      advanced:
        log:
          level: debug
      ingestion:
        file: /path/of/file.sarif
    description: gitleaks step
```
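Steps 2 and 3 of the workflow hand a scanner's output file to the ingestion step with no check in between, so an empty, truncated or non-2.1.0 report is ingested as "no findings". The following added example (not Harness's or any scanner's own code) is a small pre-ingestion gate you could run in the same Run step that produces the SARIF: it verifies the version and the `runs`/`results` structure, counts results by level and rule (applying the SARIF rule that a result without `level` falls back to the rule's `defaultConfiguration.level`, then `warning`), and only then writes the file into the shared folder. The sample SARIF document, the rule IDs `EX001`/`EX002`, the file paths and the `stage_for_ingestion` helper are all constructed for the example; `/shared/customer_artifacts` is the path from the workflow above, with a temp directory standing in for it when run locally.

```python
"""Pre-ingestion check for a SARIF 2.1.0 file (added example, not Harness code)."""
import json
from collections import Counter
from pathlib import Path

EXPECTED_VERSION = "2.1.0"

# Constructed sample report in the shape a SARIF-producing scanner emits.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [
        {
            "tool": {"driver": {"name": "example-scanner", "rules": [
                {"id": "EX001", "defaultConfiguration": {"level": "error"}},
                {"id": "EX002", "defaultConfiguration": {"level": "warning"}},
            ]}},
            "results": [
                {"ruleId": "EX001", "level": "error", "message": {"text": "hard-coded secret"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.js"},
                                                     "region": {"startLine": 12}}}]},
                {"ruleId": "EX002", "message": {"text": "weak hash"},  # no explicit level
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.js"},
                                                     "region": {"startLine": 40}}}]},
                {"ruleId": "EX002", "level": "warning", "message": {"text": "weak hash"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.js"},
                                                     "region": {"startLine": 55}}}]},
            ],
        }
    ],
}


def validate_sarif(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document looks ingestible."""
    problems = []
    if doc.get("version") != EXPECTED_VERSION:
        problems.append(f"version is {doc.get('version')!r}, expected {EXPECTED_VERSION!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        problems.append("no 'runs' array")
        return problems
    for i, run in enumerate(runs):
        if "tool" not in run or "driver" not in run["tool"]:
            problems.append(f"run {i}: missing tool.driver")
        if not isinstance(run.get("results"), list):
            problems.append(f"run {i}: missing 'results' array")
    return problems


def result_level(result: dict, rules_by_id: dict) -> str:
    """SARIF lets a result omit 'level'; fall back to the rule's defaultConfiguration, then 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(doc: dict) -> dict:
    """Count results by level and by rule across all runs."""
    by_level, by_rule = Counter(), Counter()
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            by_level[result_level(res, rules)] += 1
            by_rule[res.get("ruleId", "<no ruleId>")] += 1
    return {"total": sum(by_level.values()), "by_level": dict(by_level), "by_rule": dict(by_rule)}


def stage_for_ingestion(doc: dict, shared_dir: Path, name: str = "scan.sarif") -> Path:
    """Validate, then write the report where the ingestion step expects it; raise on a bad file."""
    problems = validate_sarif(doc)
    if problems:
        raise ValueError("SARIF rejected: " + "; ".join(problems))
    shared_dir.mkdir(parents=True, exist_ok=True)
    out = shared_dir / name
    out.write_text(json.dumps(doc, indent=2))
    return out


if __name__ == "__main__":
    import tempfile
    # In the pipeline this would be Path("/shared/customer_artifacts"); a temp dir stands in locally.
    target = stage_for_ingestion(SAMPLE_SARIF, Path(tempfile.mkdtemp()) / "customer_artifacts")
    print(f"wrote {target}")
    print(json.dumps(summarize(SAMPLE_SARIF), indent=2))
```

In a Run step you would point `stage_for_ingestion` at `/shared/customer_artifacts` and let the raised `ValueError` fail the step, so the ingestion step that follows never sees a report the scanner did not actually finish writing.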

Example workflows for ingesting SARIF scan results

The following topics describe end-to-end example pipelines for ingesting SARIF data: