Lib.rs

Command line utilities
#shell #sarif #static-analysis #command-line-tool #cli #shellcheck

app shellcheck-sarif

Convert shellcheck output to SARIF

by Paul Sastrasinh and 9 contributors

22 releases

0.4.2 Sep 7, 2023
0.4.1 Jul 30, 2023
0.4.0 Jun 21, 2023
0.3.7 Feb 28, 2023
0.2.15 Jul 6, 2021

#276 in Command line utilities

Download history 468/week @ 2023-12-12 151/week @ 2023-12-19 304/week @ 2023-12-26 349/week @ 2024-01-02 78/week @ 2024-01-09 296/week @ 2024-01-16 310/week @ 2024-01-23 157/week @ 2024-01-30 524/week @ 2024-02-06 192/week @ 2024-02-13 152/week @ 2024-02-20 222/week @ 2024-02-27 307/week @ 2024-03-05 481/week @ 2024-03-12 102/week @ 2024-03-19 143/week @ 2024-03-26

1,045 downloads per month

MIT license

56KB
1K SLoC

Workflow Status

shellcheck-sarif

This crate provides a command line tool to convert shellcheck diagnostic output into SARIF.

The latest documentation can be found here.

shellcheck is a popular linter / static analysis tool for shell scripts. More information can be found on the official repository: https://github.com/koalaman/shellcheck

SARIF or the Static Analysis Results Interchange Format is an industry standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.

Installation

shellcheck-sarif may be installed via cargo

cargo install shellcheck-sarif

via cargo-binstall

cargo binstall shellcheck-sarif

or downloaded directly from Github Releases

# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sarif-rs/releases/download/shellcheck-sarif-latest/shellcheck-sarif-x86_64-unknown-linux-gnu -o shellcheck-sarif

Usage

For most cases, simply run shellcheck with json output and pipe the results into shellcheck-sarif.

Example

shellcheck -f json shellscript.sh | shellcheck-sarif

If you are using Github Actions, SARIF is useful for integrating with Github Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository.

After uploading shellcheck-sarif output to Github, shellcheck diagnostics are available in GHAS.

Example

on:
  workflow_run:
    workflows: ["main"]
    branches: [main]
    types: [completed]

name: sarif

jobs:
  upload-sarif:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          override: true
      - uses: Swatinem/rust-cache@v1
      - run: cargo install shellcheck-sarif sarif-fmt
      - run: shellcheck -f json shellscript.sh | shellcheck-sarif | tee
          results.sarif | sarif-fmt
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

License: MIT

Dependencies

~4MB
~78K SLoC