Skip to content

Known Producers and Consumers

Jump to bottom Edit New page
David Malcolm edited this page Dec 9, 2024 · 19 revisions

This page is not an endorsement of any of the following

Known Producers of SARIF

  • ARM Template Best Practice Analyzer is an ARM template validator that scans ARM templates to ensure security and best practice checks are being followed before deployment.
  • AWS CloudFormation Linter is a tool that validates AWS CloudFormation yaml/json templates against the AWS CloudFormation Resource Specification and performs additional checks.
  • BinSkim is a binary-level security checker that validates Window, Mac and *nix binaries.
  • Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  • Checkstyle is a Java style guidelines checking.
  • Checkov is a static code analysis tool for infrastructure-as-code.
  • Clang Analyzer, the LLVM C/C++ checker, has added SARIF export.
  • CodeQL is a multilanguage, intraprocedural checker with a large rule set.
  • CodeSonar is a static analysis tool which identifies programming bugs that can result in system crashes, memory corruption, leaks, data races, and security vulnerabilities.
  • CredScan is a file scanner that detects plaintext secrets.
  • csdiff contains utilities for processing results of static analyzers, dynamic analyzers, and formal verification tools.
  • DartAnalyzer is a dart/flutter analyzer.
  • Detekt is a static code analysis tool for the Kotlin programming language.
  • DevSkim is a set of IDE checkers and language analyzers that provide inline security analysis.
  • Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
  • Flawfinder is a C/C++ source code security checker.
  • FortifyVulnerabilityExporter allows exporting vulnerabilities from Fortify on Demand and Fortify Software Security Center to third-party products and output formats.
  • GCC, the GNU Compiler Collection, can emit its diagnostics in SARIF format from GCC 13 onwards, and from GCC 15 onwards has a shared library (libgdiagnostics) which can emit SARIF.
  • GitHub CodeQL
  • GoSec is a GoLang security checker.
  • Kubesec, backed by ControlPlane.io provides Security risk analysis for Kubernetes resources.
  • Mayhem is an application security platform for identifying defects in software.
  • MobSF is is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
  • NodeJSScan is a Static security code scanner (SAST) for Node.js applications.
  • Psalm is an open source tool for finding security vulnerabilities in PHP.
  • PMD is a multilanguage source code analyzer.
  • PSScriptAnalyzer is a static code checker for PowerShell modules and scripts
  • PREfast is the C/C++ correctness checker behind the Microsoft compiler /analyze switch.
  • Roslyn is a platform for analyzing and rewriting C#/VB.NET code.
  • SARIF Pattern Matcher is a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc.
  • Security Code Scan is a Vulnerability Patterns Detector for C# and VB.NET.
  • Semgrep, sponsored by R2C, supports a variety of languages.
  • Sobelow is the security-focused static analyzer for the Elixir Phoenix Framework.
  • SpotBugs is a Java code checker.
  • TerraScan is a static code analysis tool for infrastructure-as-code.
  • TFSec uses static analysis of your terraform templates to spot potential security issues.
  • Trivy is a vulnerability scanner for containers and other artifacts.
  • Upgrade Assistant is a project that enables automation of common tasks related to upgrading .NET Framework projects to the latest versions of .NET.

Known Consumers of SARIF

Add a custom footer
Add a custom sidebar
Clone this wiki locally