Export Findings and Usage of Reporting Tools

You can export Findings with CI Fuzz to integrate them into your workflow.

SARIF

SARIF (Static Analysis Results Interchange Format) is an open standard and allows reporting tools to generate "Code Scanning" reports.

GitHub Actions can use SARIF reports to show and warn about Findings and allow users to review and asses Findings.

Generate SARIF reports with the following command:

cifuzz findings --format=sarif

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "cifuzz",
          …

You can use the flag --output to specify a path for the report.

Setup GitHub Actions for SARIF reports ("Code Scanning")

SARIF reports in GitHub use the "Code Scanning" feature which is enabled by default on public projects. Private projects need an Advanced Security license.

The following GitHub Action example imports the SARIF data into the project to access it via the "Code Scanning" overview:

name: "Upload SARIF"

on:
  # Run workflow everytime code is pushed to your repository
  push:

  # Run workflow on a schedule every Thursday at 15:45 UTC
  schedule:
    - cron: '45 15 * * 4'

  # Allow workflow to be started manually
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      # Required for all code scanning workflows
      security-events: write

      # only required for code scanning workflows in private repositories
      actions: read
      contents: read

    steps:
      # Checks out a copy of your repository.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Generate SARIF report here
      # e.g. with `cifuzz findings --format=sarif > report.sarif`

      # Upload SARIF file to GitHub
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

          # Optional category for the results
          # Used to differentiate multiple results for one commit
          category: my-analysis-tool

VEX (Vulnerability Exploitability eXchange)

VEX is a developing standard by the American Cyber Defence Agency (CISA) that defines the assessment of potential vulnerabilities in a software product.

Four documents define the standards: Use cases, when to issue VEX information, minimal requirements, and VEX status justification.

Two formats are defined for VEX documents:

• The OASIS Common Security Advisory Framework (CSAF) format
• The CycloneDX VEX format