shellcheck-sarif
This crate provides a command line tool to convert shellcheck diagnostic output into SARIF.
The latest documentation can be found here.
shellcheck is a popular linter / static analysis tool for shell scripts. More information can be found on the official repository: https://github.com/koalaman/shellcheck
SARIF or the Static Analysis Results Interchange Format is an industry standard format for the output of static analysis tools. More information can be found on the official website: https://sarifweb.azurewebsites.net/.
Installation
shellcheck-sarif may be installed via cargo
cargo install shellcheck-sarif via cargo-binstall
cargo binstall shellcheck-sarif or downloaded directly from Github Releases
# make sure to adjust the target and version (you may also want to pin to a specific version) curl -sSL https://github.com/psastras/sarif-rs/releases/download/shellcheck-sarif-v0.8.0/shellcheck-sarif-x86_64-unknown-linux-gnu -o shellcheck-sarif Fedora Linux
sudo dnf install <cli_name> # ex. cargo binstall shellcheck-sarif Nix
Through the nix cli,
nix --accept-flake-config profile install github:psastras/sarif-rs#shellcheck-sarif Usage
For most cases, simply run shellcheck with json output and pipe the results into shellcheck-sarif.
Example
shellcheck -f json shellscript.sh | shellcheck-sarif If you are using Github Actions, SARIF is useful for integrating with Github Advanced Security (GHAS), which can show code alerts in the "Security" tab of your repository.
After uploading shellcheck-sarif output to Github, shellcheck diagnostics are available in GHAS.
Example
on: workflow_run: workflows: branches: types: name: sarif jobs: upload-sarif: runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/main' }} steps: - uses: actions/checkout@v2 - uses: actions-rs/toolchain@v1 with: profile: minimal toolchain: stable override: true - uses: Swatinem/rust-cache@v1 - run: cargo install shellcheck-sarif sarif-fmt - run: shellcheck -f json shellscript.sh | shellcheck-sarif | tee results.sarif | sarif-fmt - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: sarif_file: results.sarif License: MIT