{"id":24905890,"url":"https://github.com/microsoft/sarif-tutorials","last_synced_at":"2025-04-07T11:06:21.768Z","repository":{"id":40689201,"uuid":"214499280","full_name":"microsoft/sarif-tutorials","owner":"microsoft","description":"User-friendly documentation for the SARIF file format.","archived":false,"fork":false,"pushed_at":"2023-12-15T13:54:50.000Z","size":206,"stargazers_count":293,"open_issues_count":18,"forks_count":56,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-30T21:39:04.879Z","etag":null,"topics":["sarif","static-analysis","tutorial"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-11T17:57:19.000Z","updated_at":"2025-02-26T19:56:11.000Z","dependencies_parsed_at":"2025-02-16T06:10:15.556Z","dependency_job_id":"4460ee63-fae2-4202-bd26-3d52c80b4909","html_url":"https://github.com/microsoft/sarif-tutorials","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsarif-tutorials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsarif-tutorials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsarif-tutorials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fsarif-tutorials/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/sarif-tutorials/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247640462,"owners_count":20971557,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sarif","static-analysis","tutorial"],"created_at":"2025-02-02T00:25:52.171Z","updated_at":"2025-04-07T11:06:21.749Z","avatar_url":"https://github.com/microsoft.png","language":null,"readme":"# SARIF Tutorials\n\n## Introduction\n\nSARIF, the Static Analysis Results Interchange Format, defines a standard format for the output of static analysis tools.\nIt is a powerful and sophisticated format suited to the needs of a wide variety of tools.\nFor this reason \u0026mdash; and because the format is defined in a 220-plus page specification written in formal language!\n\u0026mdash; it can be hard to learn SARIF and to figure out what parts of it you need to use.\n\nThese tutorials aim to present SARIF in a more approachable way.\nWe'll start with some background:\nWhy do we need SARIF? Where did it come from? 
What can it do?\nThen we'll dive into the format, exploring the most basic concepts first, then moving on to more advanced concepts.\n\nThe advanced concepts usually apply to only a subset of SARIF producers and consumers,\nso you don't need to read everything.\nJust read the introductory material, then pick and choose the additional topics that interest you.\n\n## Sample files\n\nYou can find the sample files displayed in the tutorials under the `samples` directory.\nThey are all valid SARIF files unless I say otherwise.\n\n## Links to the specification\n\nAt times, the tutorials link to a section of the SARIF specification for more detailed information\nor descriptions of advanced scenarios.\nThese links look like this: [§3.13: sarifLog object](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012434)\nand they point into the\n[HTML version](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html) of the spec.\nThere are also PDF and .docx versions in the [SARIF 2.1.0 CS01](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/)\n(Committee Specification 1) folder on the OASIS web site.\n\nThe specification is definitive (and if we want to get really technical, the .docx version of the specification is\ndefinitive, but let's assume there are no bugs in the PDF or HTML converters).\nIf it seems like something in these tutorials disagrees with the spec,\nlet me know and I'll either fix the tutorials or make sure that a bug is filed against the spec.\n\n## Disclaimer\n\nThe [SARIF specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/)\nis a [Committee Specification](https://www.oasis-open.org/news/announcements/static-analysis-results-interchange-format-sarif-v2-1-0-from-the-sarif-tc-is-an-a)\nfrom [OASIS](https://www.oasis-open.org/).\nBut despite the fact that I'm the co-Editor (with Michael Fanning) and primary wordsmith of the specification,\nthese tutorials are _not_ an OASIS work product or endorsed by OASIS in any way.\nThey represent my personal interpretation and explanation of the standard.\n\n## Status\n\nThese tutorials now contain enough information to give you a solid background in SARIF.\nAs you will see from the \"TODO\" entries in the table of contents, there's much more I'd like to write about.\nBut these are advanced topics that I will address when I have time.\n\nIf you'd like an explanation of a SARIF feature that I haven't covered,\nplease let me know by filing an issue in this repo.\n\n## \u003ca id=\"contents\"\u003e\u003c/a\u003eTable of contents\n\n- [Introduction](docs/1-Introduction.md)\n  - [What is SARIF?](docs/1-Introduction.md#what-is-sarif)\n  - [About static analysis tools](docs/1-Introduction.md#tools)\n  - [Why SARIF?](docs/1-Introduction.md#why-sarif)\n  - [A simple example](docs/1-Introduction.md#simple-example)\n  - [The plan for these tutorials](docs/1-Introduction.md#plan)\n- [The basics](docs/2-Basics.md)\n  - [The log file and the object model](docs/2-Basics.md#log-file-and-om)\n  - [Logs and runs](docs/2-Basics.md#logs-runs)\n  - [Tools: driver and extensions](docs/2-Basics.md#tools)\n  - [Property bags](docs/2-Basics.md#property-bags)\n  - [Results](docs/2-Basics.md#results)\n    - [Message](docs/2-Basics.md#message)\n    - [Rule identifier](docs/2-Basics.md#rule-id)\n    - [Level](docs/2-Basics.md#level)\n    - [Locations](docs/2-Basics.md#locations)\n      - [The `locations` array](docs/2-Basics.md#loc-array)\n      - [Physical and logical locations](docs/2-Basics.md#phys-log-loc)\n  - [Artifacts](docs/2-Basics.md#artifacts)\n    - [Defining artifacts](docs/2-Basics.md#defining-artifacts)\n    - [Linking results to artifacts](docs/2-Basics.md#linking-artifacts)\n  - [Rule metadata](docs/2-Basics.md#rule-metadata)\n- [Beyond the basics](docs/3-Beyond-basics.md)\n  - [Related locations](docs/3-Beyond-basics.md#related-locations)\n  - [More about messages](docs/3-Beyond-basics.md#more-about-messages)\n    - [Markdown messages](docs/3-Beyond-basics.md#msg-markdown)\n    - [Messages from metadata](docs/3-Beyond-basics.md#msg-metadata)\n    - [Messages with arguments](docs/3-Beyond-basics.md#msg-args)\n    - [Messages with embedded links](docs/3-Beyond-basics.md#msg-links)\n      - [Links in text and Markdown](docs/3-Beyond-basics.md#msg-links-text-markdown)\n      - [Links to locations](docs/3-Beyond-basics.md#msg-links-location)\n  - [Invocations](docs/3-Beyond-basics.md#invocations)\n  - [Notifications](docs/3-Beyond-basics.md#notifications)\n    - [Tool execution notification and tool configuration notifications](docs/3-Beyond-basics.md#exec-config-notif)\n    - [Notifications _vs._ results](docs/3-Beyond-basics.md#notif-result)\n  - [Taxonomies](docs/3-Beyond-basics.md#taxonomies)\n  - [Code flows](docs/3-Beyond-basics.md#code-flows)\n  - [Automation](docs/3-Beyond-basics.md#automation)\n    - [The `id` and `guid` properties](docs/3-Beyond-basics.md#run-id-and-guid)\n    - [The `correlationGuid` property](docs/3-Beyond-basics.md#run-correlationGuid)\n- Advanced topics\n  - Tool extensions (TODO)\n  - Translations (TODO)\n  - Handling large files (TODO)\n  - Result matching (TODO)\n  - The `sarif:` URI scheme (TODO)\n- Appendices\n  - [Fitness for purpose: An overview](docs/Fitness-for-purpose-overview.md)\n  - [Fitness for purpose: Automatic bug filing](docs/Fitness-for-purpose-automatic-bug-filing.md)\n  - [Authoring rule metadata and result messages](docs/Authoring-rule-metadata-and-result-messages.md)\n  - [Displaying results in a viewer](docs/Displaying-results-in-a-viewer.md)\n  - [The SARIF Multitool](docs/Multitool.md)\n  - The history of SARIF (TODO)\n  - [Glossary](docs/Glossary.md)\n  - [Resources](docs/Resources.md)\n\n## Contributing\n\nThis project welcomes contributions and suggestions.  Most contributions require you to agree to a\nContributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us\nthe rights to use your contribution. For details, visit \u003chttps://cla.opensource.microsoft.com.\u003e\n\nWhen you submit a pull request, a CLA bot will automatically determine whether you need to provide\na CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions\nprovided by the bot. You will only need to do this once across all repos using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\ncontact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n\n## Legal Notices\n\nMicrosoft and any contributors grant you a license to the Microsoft documentation and other content\nin this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),\nsee the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the\n[MIT License](https://opensource.org/licenses/MIT), see the\n[LICENSE-CODE](LICENSE-CODE) file.\n\nMicrosoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation\nmay be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.\nThe licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.\nMicrosoft's general trademark guidelines can be found at \u003chttp://go.microsoft.com/fwlink/?LinkID=254653.\u003e\n\nPrivacy information can be found at \u003chttps://privacy.microsoft.com/en-us/\u003e\n\nMicrosoft and any contributors reserve all other rights, whether under their respective copyrights, patents,\nor trademarks, whether by implication, estoppel or otherwise.\n","funding_links":[],"categories":["Others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fsarif-tutorials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2Fsarif-tutorials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fsarif-tutorials/lists"}