Roboticks

SARIF

SARIF (Static Analysis Results Interchange Format) is the OASIS standard JSON format (current version 2.1.0) for the output of static analysis and security tools. Emitted by CodeQL, Semgrep, LDRA, Polyspace, Coverity, cppcheck, Bandit, and most modern security tools.

Why It Matters

A unified output format means a platform can ingest findings from many tools without writing N parsers. Each SARIF result carries enough metadata (ruleId, level, a physicalLocation with the file URI and line region, and any suppressions with their justification) that a downstream audit reader can trace a finding back to its rule and source line without re-running the tool. The caveat: tools differ in how completely they populate these fields. Some omit the level on the result and rely on the rule's default, and many emit relative URIs that only resolve through the run's originalUriBaseIds, so an ingester should validate and normalise what it receives rather than assume every field is present.

How Roboticks Implements It

Static-analysis findings ingested as SARIF land on the Test Run page alongside JUnit results. Suppressions are persisted per (file:line:ruleId, reason) and are visible in the audit pack. The bundled OSS tools (cppcheck, clang-tidy, Bandit, Semgrep) emit SARIF natively; bring-your-own (BYO) commercial tools are itemized add-ons.
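As an added example (not Roboticks code and not any tool's own output), the Python below is a minimal SARIF 2.1.0 ingester of the kind described above. It pulls out what an audit reader needs from each result: ruleId (falling back to ruleIndex), the effective level (result level, then the rule's default, then the spec default of warning), the file URI resolved through originalUriBaseIds, the line, and any accepted suppression with its justification, which it then emits in the (file:line:ruleId, reason) key form mentioned above. The SARIF log, tool name and file paths are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin

# Constructed SARIF 2.1.0 log for this example only; not the output of a real tool run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "cppcheck",
            "rules": [
                {"id": "nullPointer", "defaultConfiguration": {"level": "error"}},
                {"id": "arrayIndexOutOfBounds", "defaultConfiguration": {"level": "error"}},
                {"id": "unusedVariable"},  # no default level: SARIF default is "warning"
            ]}},
        "originalUriBaseIds": {"SRCROOT": {"uri": "file:///work/src/"}},
        "results": [
            {"ruleId": "nullPointer", "message": {"text": "Null pointer dereference: p"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "motor/pwm.c", "uriBaseId": "SRCROOT"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "arrayIndexOutOfBounds", "level": "warning",
             "message": {"text": "Array 'buf[8]' accessed at index 8"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "motor/pwm.c", "uriBaseId": "SRCROOT"},
                 "region": {"startLine": 77}}}],
             "suppressions": [{"kind": "inSource", "justification": "index bounded by caller"}]},
            {"ruleId": "unusedVariable", "message": {"text": "Unused variable: tmp"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "file:///work/src/util/log.c"},
                 "region": {"startLine": 9}}}]},
        ]}]})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str                 # SARIF level: note | warning | error | none
    uri: str                   # absolute URI after uriBaseId resolution
    line: Optional[int]
    message: str
    suppressed: bool
    justification: Optional[str]


def resolve_uri(artifact: dict, base_ids: dict) -> str:
    """Expand a relative artifactLocation against run.originalUriBaseIds.
    A base entry may itself be relative to another base, so walk the chain."""
    uri = artifact.get("uri", "")
    base_id = artifact.get("uriBaseId")
    seen = set()
    while base_id and base_id not in seen:  # guard against a cyclic base chain
        seen.add(base_id)
        base = base_ids.get(base_id, {})
        uri = urljoin(base.get("uri", ""), uri)
        base_id = base.get("uriBaseId")
    return uri


def effective_level(result: dict, rule: dict) -> str:
    """result.level wins; else the rule's defaultConfiguration.level; else the spec default."""
    if "level" in result:
        return result["level"]
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def active_suppression(result: dict) -> Optional[dict]:
    """First suppression that actually suppresses the result. A suppression with no
    status counts as accepted; 'rejected' and 'underReview' do not suppress."""
    for s in result.get("suppressions") or []:
        if s.get("status", "accepted") == "accepted":
            return s
    return None


def parse_sarif(text: str) -> list:
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {log.get('version')!r}")
    findings = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = driver.get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        base_ids = run.get("originalUriBaseIds", {})
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if rule_id is None and 0 <= result.get("ruleIndex", -1) < len(rules):
                rule_id = rules[result["ruleIndex"]].get("id")
            rule = rules_by_id.get(rule_id, {})
            locs = result.get("locations") or [{}]      # first location is the primary one
            phys = locs[0].get("physicalLocation", {})
            sup = active_suppression(result)
            findings.append(Finding(
                tool=driver.get("name", "unknown"),
                rule_id=rule_id or "",
                level=effective_level(result, rule),
                uri=resolve_uri(phys.get("artifactLocation", {}), base_ids),
                line=phys.get("region", {}).get("startLine"),
                message=result.get("message", {}).get("text", ""),
                suppressed=sup is not None,
                justification=sup.get("justification") if sup else None,
            ))
    return findings


def suppression_keys(findings: list) -> list:
    """(file:line:ruleId, reason) pairs; the key shape is assumed from the page's wording."""
    return [(f"{f.uri}:{f.line}:{f.rule_id}", f.justification)
            for f in findings if f.suppressed]


if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        flag = " [suppressed]" if f.suppressed else ""
        print(f"{f.level:7} {f.uri}:{f.line} {f.rule_id}: {f.message}{flag}")
```

The version check is deliberate: a 2.0 or 2.2 log may place the same information differently, and silently reading it as 2.1.0 would produce findings with missing locations or levels rather than an error. Keying suppressions on the resolved absolute URI (rather than the relative path the tool wrote) is what makes the same suppression match across runs from different checkout directories.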
