GitHub Shifts Left on Security with Its SARIF Compatibility
By Rebecca Jacobs | October 5, 2020
SARIF stands for Static Analysis Results Interchange Format. In 2018, SARIF was announced as an OASIS standard for detecting software vulnerabilities. Since then, governments and large corporations like Microsoft have been on board with SARIF as an extra measure of visibility for their users leveraging static code analysis.
As the home of open source, and with more than 50 million users, GitHub has taken the initiative to boost its security capabilities with the recent launch of its code scanning feature. Built for open source and enterprise developers, code scanning is based on the code analysis capabilities of CodeQL and is compatible with SARIF, allowing developers to seamlessly scan their work on the GitHub platform.
CodeScan’s New Action
Because code scanning is built on the SARIF standard, GitHub is extensible, so users can integrate with third-party solutions such as CodeScan. For GitHub users who are also on the Salesforce platform, CodeScan now has a new Action on the GitHub marketplace. Called the CodeScan Scanner, this Action gives developers more feedback on their GitHub pull requests. Integrated directly into the GitHub workflow, CodeScan provides results directly on the platform. No new windows, tabs, or logins are necessary.
Productivity, Security, and Quality
What does this SARIF functionality mean in the grand scheme of things? SARIF opens the door to greater security measures on the GitHub platform. Developers are now empowered with access to their static analysis results earlier, improving their productivity and efficiency.
Instead of wasting time in the QA development loop, development teams using either CodeScan’s Scanner or GitHub’s CodeQL can leverage their static analysis results in SARIF format and view them on the GitHub platform. Visibility at this early stage of coding is aligned with the shift-left trend. As companies produce products more quickly, teams have been shifting towards agile development methods, looking for ways to optimize productivity and create cleaner products while reducing bottlenecks in their pipelines. The SARIF compatibility on GitHub will open doors for developers to do so.