feat: add SARIF output format support

Add Static Analysis Results Interchange Format (SARIF) v2.1.0 output support to conftest. SARIF is a standard JSON format for static analysis tools. - SARIF v2.1.0 schema compliance - Includes file locations and rule metadata - Tracks execution timing and status - Test coverage - Documentation Signed-off-by: Ville Vesilehto <[email protected]>
open-policy-agent · Jan 19, 2025 · 1a8cd70 · 1a8cd70
1 parent 5b3e926
commit 1a8cd70
Show file tree

Hide file tree

Showing 6 changed files with 2,027 additions and 2 deletions.
diff --git a/docs/options.md b/docs/options.md
@@ -173,6 +173,7 @@ As of today Conftest supports the following output types:
 - JUnit `--output=junit`
 - GitHub `--output=github`
 - AzureDevOps `--output=azuredevops`
+- SARIF `--output=sarif`
 
 ### Plaintext
 
@@ -322,6 +323,71 @@ success file=examples/kubernetes/deployment.yaml 1
 5 tests, 1 passed, 0 warnings, 4 failures, 0 exceptions
 ```
 
+### SARIF
+
+```console
+$ conftest test --proto-file-dirs examples/textproto/protos -p examples/textproto/policy examples/textproto/fail.textproto -o sarif
+{
+  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "conftest",
+          "informationUri": "https://github.com/open-policy-agent/conftest",
+          "rules": [
+            {
+              "id": "conftest-failure-main-deny",
+              "shortDescription": {
+                "text": "fail: Power level must be over 9000"
+              },
+              "properties": {
+                "namespace": "main",
+                "query": "data.main.deny"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "conftest-failure-main-deny",
+          "ruleIndex": 0,
+          "kind": "fail",
+          "level": "error",
+          "message": {
+            "text": "fail: Power level must be over 9000"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "examples/textproto/fail.textproto"
+                }
+              }
+            }
+          ],
+          "properties": {
+            "namespace": "main",
+            "query": "data.main.deny"
+          }
+        }
+      ],
+      "invocations": [
+        {
+          "executionSuccessful": true,
+          "exitCode": 1,
+          "exitCodeDescription": "Policy violations found",
+          "startTimeUtc": "2025-01-19T13:14:11Z",
+          "endTimeUtc": "2025-01-19T13:14:11Z"
+        }
+      ]
+    }
+  ]
+}
+```
+
 ## `--parser`
 
 Conftest normally detects which parser to used based on the file extension of the file, even when multiple input files are passed in. However, it is possible force a specific parser to be used with the `--parser` flag.

diff --git a/output/output.go b/output/output.go
@@ -34,6 +34,7 @@ const (
 	OutputJUnit       = "junit"
 	OutputGitHub      = "github"
 	OutputAzureDevOps = "azuredevops"
+	OutputSARIF       = "sarif"
 )
 
 // Get returns a type that can render output in the given format.
@@ -57,6 +58,8 @@ func Get(format string, options Options) Outputter {
 		return NewGitHub(options.File)
 	case OutputAzureDevOps:
 		return NewAzureDevOps(options.File)
+	case OutputSARIF:
+		return NewSARIF(options.File)
 	default:
 		return NewStandard(options.File)
 	}
@@ -71,5 +74,6 @@ func Outputs() []string {
 		OutputTable,
 		OutputJUnit,
 		OutputGitHub,
+		OutputSARIF,
 	}
 }
diff --git a/output/output_test.go b/output/output_test.go
@@ -31,6 +31,10 @@ func TestGetOutputter(t *testing.T) {
 			input:    OutputJUnit,
 			expected: NewJUnit(os.Stdout, false),
 		},
+		{
+			input:    OutputSARIF,
+			expected: NewSARIF(os.Stdout),
+		},
 		{
 			input:    "unknown_format",
 			expected: NewStandard(os.Stdout),