40 releases

Version | Date
---|---
0.6.6 | Sep 2, 2024
0.6.0 | Jul 30, 2024
0.4.2 | Sep 7, 2023
0.4.1 | Jul 30, 2023
0.2.15 | Jul 6, 2021
#17 in Development tools
54,925 downloads per month
57KB
1K SLoC
clippy-sarif
This crate provides a command line tool to convert cargo clippy diagnostic output into SARIF.
The latest documentation can be found here.
clippy is a popular linter / static analysis tool for Rust. More information can be found on the official repository: https://github.com/rust-lang/rust-clippy
SARIF, or the Static Analysis Results Interchange Format, is an industry-standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.
Installation
clippy-sarif may be installed via cargo:
cargo install clippy-sarif
via cargo-binstall:
cargo binstall clippy-sarif
or downloaded directly from GitHub Releases:
# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sarif-rs/releases/download/clippy-sarif-v0.6.6/clippy-sarif-x86_64-unknown-linux-gnu -o clippy-sarif
Fedora Linux
sudo dnf install <cli_name> # ex. sudo dnf install clippy-sarif
Nix
Through the nix cli:
nix --accept-flake-config profile install github:psastras/sarif-rs#clippy-sarif
Usage
For most cases, simply run cargo clippy with JSON output and pipe the results into clippy-sarif.
Example
cargo clippy --message-format=json | clippy-sarif
If you are using GitHub Actions, SARIF is useful for integrating with GitHub Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository. After uploading clippy-sarif output to GitHub, clippy diagnostics are available in GHAS.
Example
on:
  workflow_run:
    workflows: ["main"]
    branches: [main]
    types: [completed]
name: sarif
jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          components: clippy,rustfmt
          override: true
      - uses: Swatinem/rust-cache@v1
      - run: cargo install clippy-sarif sarif-fmt
      - run: cargo clippy --all-targets --all-features --message-format=json |
          clippy-sarif | tee results.sarif | sarif-fmt
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
In some cases, the path to the file contained in the SARIF report may be different from what is expected. This can happen, for example, when running clippy-sarif from a different folder than the crate folder, so the URIs are relative to the crate rather than to the repository root that GHAS expects. In this case consider using a tool like jq to amend the path:
Example
cat results.sarif \
| jq --arg pwd "some_folder/my_crate" '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= $pwd + "/" + .' \
> results.sarif.tmp
Note that this may be fixed in a future release.
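The same path fix as an added Python example (not part of the clippy-sarif project), extended with two checks the jq one-liner lacks: it does not double-prefix URIs that are already repository-relative, so re-running it is harmless, and it counts rather than rewrites paths with ".." that would point outside the repository. The SARIF document is a constructed sample shaped like clippy-sarif output, and some_folder/my_crate is the crate folder from the jq command above.

```python
import copy
import posixpath
from typing import Dict, Tuple

# Constructed sample shaped like clippy-sarif output (not real tool output).
# The first URI is relative to the crate folder; the second already carries
# the repo-relative prefix, as when part of the run came from the repo root.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "clippy"}}, "results": [
        {"ruleId": "clippy::needless_return", "level": "warning",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "./src/lib.rs"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "clippy::unwrap_used", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "some_folder/my_crate/src/main.rs"},
             "region": {"startLine": 3}}}]},
    ]}],
}

def rebase_sarif_paths(sarif: dict, crate_dir: str) -> Tuple[dict, Dict[str, int]]:
    """Prefix each artifactLocation.uri with crate_dir, as the jq one-liner
    does, but normalise first, skip URIs that already carry the prefix so a
    second run is a no-op, and leave '..' paths that escape the repository
    untouched (counted as rejected) so they are reviewed, not uploaded."""
    prefix = crate_dir.strip("/")
    out = copy.deepcopy(sarif)  # never mutate the caller's document
    stats = {"rewritten": 0, "unchanged": 0, "rejected": 0}
    for run in out.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uri" not in art:
                    continue
                uri = posixpath.normpath(art["uri"])
                if uri == ".." or uri.startswith("../"):
                    stats["rejected"] += 1
                elif uri == prefix or uri.startswith(prefix + "/"):
                    stats["unchanged"] += 1
                else:
                    art["uri"] = f"{prefix}/{uri}" if prefix else uri
                    stats["rewritten"] += 1
    return out, stats

if __name__ == "__main__":
    fixed, stats = rebase_sarif_paths(SAMPLE_SARIF, "some_folder/my_crate")
    print(stats)  # {'rewritten': 1, 'unchanged': 1, 'rejected': 0}
```

To use it on a real report, load results.sarif with json.load, call rebase_sarif_paths, and json.dump the returned document before uploading.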
License: MIT
Dependencies
~4–6.5MB
~112K SLoC