
Export Findings and Usage of Reporting Tools

CI Fuzz allows you to export Findings into other formats so they can be easily integrated into your workflow.

SARIF

SARIF (Static Analysis Results Interchange Format) is an open standard that allows reporting tools to generate code scanning reports.

GitHub Actions can use SARIF reports to show and warn about Findings and allow users to review and assess Findings.

CI Fuzz can generate SARIF reports with the following command:

cifuzz findings --format=sarif

The command will print the Findings in SARIF format on the console:

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "cifuzz",

Setup Github Actions for SARIF Reports ("Code Scanning")

In order to use SARIF reports in GitHub, "Code Scanning" must be enabled. This is enabled by default on public projects. For private projects an Advanced Security license is needed.

The following GitHub Actions workflow shows an example of how the SARIF data can be imported into the project so that it is accessible via the "Code Scanning" overview:

name: "Upload SARIF"

on:
  # Run workflow every time code is pushed to your repository
  push:

  # Run workflow on a schedule every Thursday at 15:45 UTC
  schedule:
    - cron: '45 15 * * 4'

  # Allow workflow to be started manually
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      # Required for all code scanning workflows
      security-events: write

      # Only required for code scanning workflows in private repositories
      actions: read
      contents: read

    steps:
      # Checks out a copy of your repository.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Generate the SARIF report here, writing it to the path used by the upload step below,
      # e.g. with `cifuzz findings --format=sarif > results.sarif`

      # Upload SARIF file to GitHub
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif

          # Optional category for the results
          # Used to differentiate multiple results for one commit
          category: my-analysis-tool
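As an added example that is not part of the cifuzz documentation or code base: a small Python check a practitioner might run on the exported SARIF before the upload step, validating the fields the upload depends on, summarising results per level and location, and deciding whether the job should fail. The sample document is constructed in the SARIF 2.1.0 shape; only the driver name "cifuzz" comes from the page, the rule ids and paths are made up.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape, not real cifuzz output;
# only the driver name "cifuzz" comes from the page.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "cifuzz"}}, "results": [
        {"ruleId": "heap-buffer-overflow", "level": "error", "message": {"text": "READ of size 4"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/parser.c"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "undefined-behavior", "level": "warning", "message": {"text": "signed integer overflow"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.c"},
                                             "region": {"startLine": 7}}}]},
    ]}],
})

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels, lowest first

def load_sarif(text):
    """Parse SARIF text and check the fields the upload step depends on."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document has no runs")
    for run in runs:
        if "name" not in run.get("tool", {}).get("driver", {}):
            raise ValueError("run is missing tool.driver.name")
    return doc

def summarize(doc):
    """Return (Counter of results per level, list of 'uri:line ruleId' strings)."""
    levels, findings = Counter(), []
    for run in doc["runs"]:
        for res in run.get("results", []):
            levels[res.get("level", "warning")] += 1  # "warning" is the SARIF default level
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append(f"{uri}:{line} {res.get('ruleId', '?')}")
    return levels, findings

def should_fail(levels, threshold="error"):
    """Pipeline gate: True if any result is at or above the threshold level."""
    return any(LEVEL_RANK.get(lvl, 2) >= LEVEL_RANK[threshold] and n > 0 for lvl, n in levels.items())
```

In a workflow this would run between the `cifuzz findings` command and the upload step, reading the same file that is passed to `sarif_file`.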

VEX (Vulnerability Exploitability eXchange)

VEX is a developing standard by the US Cybersecurity and Infrastructure Security Agency (CISA) that defines the assessment of potential vulnerabilities in a software product. Four documents define the standard: use cases, when to issue VEX information, minimum requirements, and VEX status justifications.

Two formats are defined for VEX documents: