1 unstable release

new 0.8.0 May 9, 2025

MIT license

56KB
1K SLoC

miri-sarif

This crate provides a command line tool to convert cargo miri diagnostic output into SARIF.

The latest documentation can be found here.

Miri is an undefined behavior detection tool for Rust. More information can be found in the official repository: https://github.com/rust-lang/miri

SARIF, or the Static Analysis Results Interchange Format, is an industry-standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.

Installation

miri-sarif may be installed via cargo,

cargo install miri-sarif

via cargo-binstall,

cargo binstall miri-sarif

or downloaded directly from GitHub Releases:

# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sarif-rs/releases/download/miri-sarif-v0.8.0/miri-sarif-x86_64-unknown-linux-gnu -o miri-sarif

Fedora Linux

sudo dnf install <cli_name> # replace <cli_name> with the tool's package name

Nix

Through the nix cli,

nix --accept-flake-config profile install github:psastras/sarif-rs#miri-sarif

Usage

For miri to output machine-readable data you need to pass --error-format=json in the MIRIFLAGS environment variable.

cargo miri test & cargo miri run

Because the relevant miri output is printed to stderr, you will need to redirect stderr to stdout and stdout to /dev/null.

Example

MIRIFLAGS="--error-format=json" cargo miri test 2>&1 1>/dev/null | miri-sarif

cargo miri nextest

Since nextest only outputs to stderr, you don't need to redirect stdout to /dev/null.
However, you should pass --success-output immediate so that warnings produced by miri in passing tests are captured as well.
Additionally, you can pass --no-fail-fast so that miri runs all tests instead of stopping at the first failure.

Example

MIRIFLAGS="--error-format=json" cargo miri nextest run --no-fail-fast --success-output immediate 2>&1 | miri-sarif

GitHub Actions

If you are using GitHub Actions, SARIF is useful for integrating with GitHub Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository.

After uploading miri-sarif output to GitHub, miri diagnostics are available in GHAS.

Example

on:
  workflow_run:
    workflows: ["main"]
    branches: [main]
    types: [completed]

name: sarif

jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: nightly
          components: miri
          override: true
      - uses: Swatinem/rust-cache@v1
      - run: cargo install miri-sarif sarif-fmt cargo-nextest
      - run: MIRIFLAGS="--error-format=json" cargo miri nextest run --no-fail-fast --success-output immediate 2>&1 |
          miri-sarif | tee results.sarif | sarif-fmt
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

In some cases, the file paths contained in the SARIF report may differ from what is expected. This can happen, for example, when miri-sarif is run from a folder other than the crate folder. In this case consider using a tool like jq to amend the paths:

Example

cat results.sarif \
    | jq --arg pwd "some_folder/my_crate" '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= $pwd + "/" + .' \
    > results.sarif.tmp

Note that this may be fixed in a future release.
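As an added example (not part of miri-sarif), the same path fix-up using only Python's standard library. Unlike the jq one-liner above, it leaves absolute URIs and already-prefixed paths alone, so running it twice is harmless, and it tolerates results without a physicalLocation; the SARIF sample and its paths are constructed.

```python
"""Prefix relative artifactLocation URIs in a SARIF 2.1.0 log (added example,
not part of miri-sarif). Stdlib stand-in for the jq one-liner: absolute URIs
and already-prefixed paths are left untouched, so the fix-up is idempotent."""
import copy
import json
from urllib.parse import urlparse

def prefix_sarif_paths(sarif: dict, prefix: str) -> int:
    """Rewrite relative artifactLocation.uri values in place; return count changed."""
    prefix = prefix.rstrip("/")
    changed = 0
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if not art or "uri" not in art:
                    continue  # no file reference to fix
                uri = art["uri"]
                # Leave file:///..., https://... and rooted paths untouched.
                if urlparse(uri).scheme or uri.startswith("/"):
                    continue
                if uri == prefix or uri.startswith(prefix + "/"):
                    continue  # already prefixed by an earlier run
                art["uri"] = f"{prefix}/{uri}"
                changed += 1
    return changed

def rewrite_file(src: str, dst: str, prefix: str) -> int:
    # Read src, prefix paths, write dst; keep them distinct, as with the jq example.
    with open(src, encoding="utf-8") as f:
        sarif = json.load(f)
    changed = prefix_sarif_paths(sarif, prefix)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(sarif, f, indent=2)
    return changed

# Constructed minimal log in the shape of a SARIF result list; paths are made up.
SAMPLE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "miri"}}, "results": [
    {"ruleId": "ub", "message": {"text": "constructed"}, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/lib.rs"}, "region": {"startLine": 10}}}]},
    {"ruleId": "warn", "message": {"text": "constructed"}, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "file:///tmp/other.rs"}}}]},
    {"ruleId": "note", "message": {"text": "no location"}},
]}]}

def demo(prefix: str = "some_folder/my_crate") -> tuple[int, dict]:
    """Run the fix-up on a copy of SAMPLE and return (changed, rewritten_log)."""
    log = copy.deepcopy(SAMPLE)
    return prefix_sarif_paths(log, prefix), log
```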

License: MIT

Dependencies

~4–6MB
~110K SLoC