The static analysis model supports the following report formats.
If your tool is not yet supported, you can
- export the issues of your tool to the native XML or JSON format (or any other format).
- provide a pull request with a new parser.
If your tool is supported, but some properties are missing (icon, URL, etc.), please file a pull request.
| ID | Icons | Name | Default Pattern |
|---|---|---|---|
| acu-cobol | - | AcuCobol | - |
| gnat | - | Ada Compiler (gnat) | - |
| android-lint | - | Android Lint | - |
| 💡 Use the flag -p. | |||
| ansible-later |
|
Ansible Later | - |
| 💡 Use -p flag. | |||
| ansiblelint |
|
Ansible Lint | - |
| 💡 Use the flag -p. | |||
| scannercli |
|
Aqua Scanner | - |
💡 Use commandline scannercli scan 'image' --jsonfile results.json, see Aqua Scanner CLI for usage details.
|
|||
| trivy |
|
Aquasec Trivy | - |
💡 Use commandline trivy image -f json -o results.json 'image', see tivy on Github for usage details. Supported scanners: |
|||
| armcc | - | Armcc Compiler | - |
| aspectj | - | AspectJ | - |
| bandit |
|
Bandit | - |
| bluepearl | - | Blue Pearl Visual Verification Suite | - |
| brakeman | - | Brakeman | **/brakeman-output.json |
💡 Reads Brakeman JSON reports. Use commandline brakeman -o brakeman-output.json output.See Brakeman documentation for usage details. |
|||
| buckminster | - | Buckminster | - |
| ccm | - | CCM | - |
| cfn-lint | - | CFN-Lint | **/cfn-lint-report.json |
💡 Use commandline cfn-lint --format json to generate JSON output.See cfn-lint on GitHub for usage details. |
|||
| cfn-nag | - | CFN-Nag | **/cfn-nag-report.json |
💡 Use commandline cfn_nag_scan --input-path. --output-format json to generate JSON output.See cfn_nag on GitHub for usage details. |
|||
| cmake |
|
CMake | - |
| cpd | - | CPD | **/cpd.xml |
| cppcheck | - | CPPCheck | - |
| 💡 Use options --xml --xml-version=2 | |||
| csslint | - | CSS-Lint | - |
| cadence | - | Cadence Incisive | - |
| cargo | - | Cargo Check | - |
💡 Use commandline cargo check --message-format json
|
|||
| clippy | - | Cargo Clippy | - |
| checkstyle |
|
CheckStyle | **/checkstyle-result.xml |
| checkov | - | Checkov | **/checkov-report.json |
💡 Use commandline checkov --output json --output-file-path checkov-report.json to generate JSON output.See Checkov documentation for usage details. |
|||
| clair | - | Clair Scanner | - |
💡 Reads Clair json data. Use commandline clair-scanner --report="/target/clair.json" output.See clair-scanner on Github for usage details. |
|||
| clang | - | Clang (LLVM based) | - |
| clang-analyzer | - | Clang Analyzer | - |
| 💡 Use options --analyze --analyzer-output plist-multi-file | |||
| clang-tidy | - | Clang-Tidy | - |
| code-analysis | - | Code Analysis | - |
| code-climate | - | Code Climate | - |
| code-generator | - | Code Generator Tool | - |
| code-checker | - | CodeChecker | - |
| codenarc | - | CodeNarc | - |
| coolflux | - | Coolflux DSP Compiler | - |
| coverity | - | Coverity Scan | - |
| cpplint | - | Cpplint | - |
💡 You need to use the Eclipse format with the option --output=eclipse
|
|||
| crosscore-embedded-studio | - | CrossCore Embedded Studio (CCES) | - |
| dscanner | - | DScanner | **/dscanner-report.json |
| dart | - | Dart Analyze | - |
| detekt | - | Detekt | - |
| 💡 Use option --output-format xml. | |||
| docfx | - | DocFX | - |
| dockerlint | - | Dockerfile Lint | - |
💡 Use commandline dockerfile_lint -j output.See dockerfile_lint on Github for usage details. |
|||
| doxygen |
|
Doxygen | - |
💡 Execute doxygen:As shell command ( cat Doxyfile; echo WARN_FORMAT='$file:$line: $text' ) | doxygen -As batch command ( type Doxyfile & echo WARN_FORMAT='$file:$line: $text' ) | doxygen -
|
|||
| dr-memory | - | Dr. Memory | - |
| eslint |
|
ESLint | - |
💡 Use option --format json (recommend), --format json-with-metadata or --format checkstyle (deprecated).
|
|||
| eclipse | - | Eclipse ECJ | - |
|
💡 Create an output file that contains Eclipse ECJ output, in either XML or text format. To log in XML format, specify ".xml" as the file extension to the -log argument:
To log in text format, specify any file extension except ".xml" to the -log argument:
|
|||
| embedded-engineer | - | Embedded Engineer Tool | - |
| erlc | - | Erlang Compiler (erlc) | - |
| error-prone | - | Error Prone | - |
| findbugs | - | FindBugs | **/findbugsXml.xml |
| flake8 | - | Flake8 | - |
|
💡 Run flake8 as |
|||
| flawfinder | - | FlawFinder | - |
💡 Use commandline flawfinder -S.
|
|||
| flex | - | Flex SDK Compiler | - |
| flow |
|
Flow | - |
| foodcritic |
|
Foodcritic | - |
| fxcop | - | FxCop | - |
| ghs-multi | - | GHS Multi Compiler | - |
| gcc | - | GNU C Compiler (GCC) | - |
|
💡 Parses warnings and errors generated by GCC version 4 and newer (including GCC 5–15+). Use this parser for modern GCC compilers that output messages in the standard format like:
For very old GCC versions (pre-GCC 4), use the 'gcc3' parser instead. |
|||
| gcc3 | - | GNU C Compiler (Legacy, pre-GCC 4) | - |
|
💡 Parses warnings and errors from legacy GCC compilers (versions older than GCC 4). This parser uses an older, simpler warning format. For modern GCC versions (GCC 4 and newer, including GCC 5–15), use the 'gcc' parser instead, which supports the newer format with additional context like:
|
|||
| fortran | - | GNU Fortran Compiler | - |
| gendarme | - | Gendarme | - |
| golint | - | Go Lint | - |
| go-vet | - | Go Vet | - |
| grype |
|
Grype | **/grype-report.json |
| hadolint | - | HadoLint | - |
💡 Use commandline hadolint --format json Dockerfile output.See hadolint on Github for usage details. |
|||
| iar-cstat | - | IAR C-STAT | - |
|
💡 The IAR C-STAT static analysis tool finds potential issues in code by doing an analysis on the source code level. Use the following icstat command to generate the output on stdout in the correct format: |
|||
| iar | - | IAR Compiler (C/C++) | - |
| 💡 The IAR compilers need to be started with option --no_wrap_diagnostics. Then the IAR compilers will create single-line warnings. | |||
| xlc | - | IBM XLC Compiler | - |
| iblinter | - | IbLinter | - |
| 💡 Use configuration reporter: \”checkstyle\”. | |||
| infer |
|
Infer | - |
| 💡 Use option --pmd-xml. | |||
| intel | - | Intel Compiler (C, Fortran) | - |
| idea | - | IntelliJ IDEA Inspections | - |
| jc-report | - | JCReport | - |
| jslint | - | JSLint | - |
| junit | - | JUnit | - |
| java | - | Java Compiler | - |
| javadoc-warnings | - | JavaDoc | - |
| js-hint | - | JsHint | - |
| klocwork | - | Klocwork | - |
| kotlin | - | Kotlin | - |
| ktlint | - | KtLint | - |
| 💡 Use option --reporter=checkstyle. | |||
| kube-linter | - | KubeLinter | **/kube-linter.json |
💡 Use commandline kube-linter lint --format json --output kube-linter.json output.See KubeLinter on GitHub for usage details. |
|||
| kube-score | - | KubeScore | **/kube-score.json |
💡 Use commandline kube-score score -o json > kube-score.json output.See kube-score on GitHub for usage details. |
|||
| kubesec | - | Kubesec | **/kubesec.json |
💡 Use commandline kubesec scan -f deployment.yaml -o json > kubesec.json output.See Kubesec for usage details. |
|||
| msbuild | - | MSBuild | - |
| markdownlint | - | MarkdownLint | - |
💡 Use commandline markdownlint-cli2 --json output.See markdownlint on GitHub for usage details. |
|||
| maven-warnings | - | Maven | - |
| taglist | - | Maven Taglist Plugin | **/taglist.xml |
| modelsim | - | Mentor Graphics Modelsim/Questa Simulators | - |
| metrowerks | - | Metrowerks CodeWarrior Compiler | - |
|
💡 Ensure that the output from the CodeWarrior build tools is in the expected format. If there are warnings present, but they are not found, then it is likely that the format is incorrect. The mwccarm compiler and mwldarm linker tools may support a configurable message style. This can be used to enforce the expected output format, which may be different from Metrowerks CodeWarrior (and thus require a different tool). For example the following could be appended to the build flags:
|
|||
| mypy | - | MyPy | - |
| nag-fortran | - | NAG Fortran Compiler | - |
| native | - | Native Analysis Model Format | - |
|
💡 Create an output file that contains issues in the native analysis-model format, in either XML or JSON. The parser is even capable of reading individual lines of a log file that contains issues in JSON format. |
|||
| nix |
|
Nix | - |
| ot-docker-linter | - | OT Docker Linter | - |
💡 Use commandline ot-docker-linter audit --docker.file Dockerfile -o json output.See ot-docker-linter on Github for usage details. |
|||
| owasp-dependency-check |
|
OWASP Dependency Check | **/dependency-check-report.json |
| invalids | - | Oracle Invalids | - |
| pclint | - | PC-Lint Tool | - |
|
💡 Use the following PC-Lint properties to create an output file in the correct format: |
|||
| pep8 | - | PEP8 | - |
| php | - | PHP Runtime | - |
| phpstan | - | PHPStan | - |
| 💡 Use the options: --no-progress --error-format checkstyle | |||
| php-code-sniffer | - | PHP_CodeSniffer | - |
| 💡 Use option --report=checkstyle. | |||
| pit |
|
PIT | **/mutations.xml |
| pmd |
|
PMD | **/pmd.xml |
| prefast | - | PREfast | - |
| pvs-studio | - | PVS-Studio | **/*.plog |
| perforce | - | Perforce Compiler | - |
| perl-critic | - | Perl::Critic | - |
| phan | - | Phan | **/phan-report.json |
💡 Use phan --output-mode json > phan-report.json to generate JSON output.See Phan on GitHub for usage details. See Phan documentation for usage details. |
|||
| polyspace-parser | - | Polyspace Tool | - |
|
💡 Reads reports of Polyspace Static Analysis Tool by MathWorks. Used for BugFinder and CodeProver result files. Report can be generated with command: polyspace-results-export -format csv -results-dir -output-name -key |
|||
| protolint | - | ProtoLint | - |
💡 Use protolint with options -reporter=json -output_file=protolint-report.json, see protoLint CLI options for usage details.
|
|||
| psalm | - | Psalm | **/psalm-report.json |
💡 Use commandline psalm --output-format=json > psalm-report.json to generate JSON output. See Psalm on GitHub for usage details.
|
|||
| puppetlint | - | Puppet Lint | - |
💡 You will need a recent enough version that supports --log-format flag. When running puppet-lint, make sure you use the log format %{path}:%{line}:%{check}:%{KIND}:%{message}. Complete example: find. -iname *.pp -exec puppet-lint --log-format "%{path}:%{line}:%{check}:%{KIND}:%{message}" {} \;
|
|||
| pydocstyle | - | PyDocStyle | - |
| pylint | - | Pylint | - |
|
💡 Start Pylint using this custom message template (can also be configured via a pylintrc configuration file):
|
|||
| qac | - | QA-C Sourcecode Analyser | - |
| qt-translation | - | Qt translations | - |
| 💡 Reads translation files of Qt, which are created by "lupdate" or "Linguist". | |||
| dupfinder | - | Resharper DupFinder | - |
| resharper | - | Resharper Inspections | - |
| revapi | - | Revapi | **/target/revapi-result.json |
| robocopy | - | Robocopy | - |
| rflint | - | Robot Framework Lint | - |
| rubocop | - | Rubocop | - |
💡 Use commandline rubocop --format progress.
|
|||
| ruff |
|
Ruff | - |
💡 Use commandline ruff check --output-format=json to generate the JSON report.See Ruff Documentation for usage details. |
|||
| sarif | - | SARIF | - |
| sunc | - | SUN C++ Compiler | - |
| scala | - | Scala Compiler | - |
| semgrep |
|
Semgrep | - |
💡 Use --json
|
|||
| shellcheck | - | ShellCheck | **/shellcheck.json |
💡 Use commandline shellcheck -f json script.sh to generate the JSON report.See ShellCheck Documentation for usage details. |
|||
| simian | - | Simian | - |
| simulink-check-parser | - | Simulink Check Tool | - |
💡 Reads and Parses HTML reports of Simulink Check Tool by MathWorks. Report can be generated with command: ModelAdvisor.summaryReport(ModelAdvisor.run(, , , ))
|
|||
| snyk |
|
Snyk | **/snyk-report.json |
| sonar | - | SonarQube Issues | **/sonar-report.json |
| spectral | - | Spectral | **/spectral-report.json |
💡 Use commandline spectral lint api.yaml --format json to generate JSON output.See Spectral on GitHub for usage details. |
|||
| sphinx | - | Sphinx Build | - |
| spotbugs |
|
SpotBugs | **/spotbugsXml.xml |
| staticcheck | - | Staticcheck | **/staticcheck-report.json |
💡 Use commandline staticcheck -f json./... > staticcheck-report.json to generate JSON output.See Staticcheck on GitHub for usage details. |
|||
| stylecop | - | StyleCop | - |
| stylelint |
|
Stylelint | - |
|
💡 Use For checkstyle format install stylelint-checkstyle-reporter. |
|||
| swiftlint | - | SwiftLint | - |
| 💡 Use configuration reporter: \”checkstyle\”. | |||
| tasking-vx | - | TASKING VX Compiler | - |
| tnsdl | - | TNSDL Translator | - |
| tslint | - | TSLint | - |
| 💡 Use option --format checkstyle. | |||
| tflint | - | Terraform Lint | **/tflint-report.json |
💡 Use commandline tflint --format json to generate JSON output.See tflint on GitHub for usage details. |
|||
| code-composer | - | Texas Instruments Code Composer Studio | - |
| vale | - | Vale | **/vale-report.json |
| 💡 Reads vale report files. Use the flag --output=JSON | |||
| valgrind |
|
Valgrind | - |
💡 Use options --xml=yes --xml-file=valgrind_report.xml --child-silent-after-fork=yes, see the Valgrind User Manual for usage details.
|
|||
| veracode-pipeline-scanner |
|
Veracode Pipeline Scanner | - |
💡 Use commandline java -jar pipeline-scan.jar --json_output=true --json_output_file=results.json, see Veracode Pipeline Scanner for usage details.
|
|||
| diabc | - | Wind River Diab Compiler (C/C++) | - |
| xmllint | - | XML-Lint | - |
| yui | - | YUI Compressor | - |
| yamllint | - | YamlLint | - |
| 💡 Use option -f parsable. | |||
| yoctocli |
|
Yocto Scanner | - |
💡 Use commandline bitbake <your product image>, add INHERIT += "cve-check" in your local.conf Yocto Scanner for usage details.
|
|||
| zptlint | - | ZPT-Lint | - |
| golangci-lint | - | golangci-lint | **/golangci-lint-report.json |
💡 Use commandline golangci-lint run --output.json.path=golangci-lint-report.json to generate JSON output.See golangci-lint on GitHub for usage details. |
|||
| npm-audit | - | npm Audit | - |
💡 Use commandline npm audit --json > npm-audit.json, see npm audit for usage details.
|
|||
| oelint-adv | - | oelint-adv | - |
| pnpm-audit |
|
pnpm Audit | - |
💡 Use commandline pnpm audit --json > pnpm-audit.json, see pnpm audit for usage details.
|
|||
| tfsec | - | tfsec | **/tfsec-report.json |
💡 Use commandline tfsec. -f json -o tfsec-report.json to generate JSON output.See tfsec documentation for usage details. |
|||