Understanding SARIF output

Static Analysis Results Interchange Format (SARIF) is an industry-standard JSON format for exchanging static analysis results, widely supported by IDEs, code hosts, and CI systems.

QAC produces SARIF version 2.1.0 output and sets the official schema URL in the SARIF file. Most consumers (such as GitHub, Azure DevOps, and the IDE extensions) will automatically recognize it.

Using SARIF output for QAC projects in Validate

SARIF output is produced as a JSON file with the content type application/sarif+json (UTF‑8).

Use the Web API search action with format=sarif. For example:

    curl --data "action=search&user=myself&project=my_project&query=file:MyFile.c&format=sarif" http://localhost:8080/review/api

Redirect the response to a file with the .sarif extension and upload it to your chosen platform, or process it with SARIF-compatible tools.
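The same request made from Python, as an added example that is not part of the Validate product or its documentation. It reproduces the curl command above, refuses a response whose content type is not application/sarif+json, checks the SARIF version and schema before anything is written, and saves the document under a .sarif name. It assumes, as the curl example does, that no authentication token is required beyond the user name, and that the response body is the SARIF document itself; the server address, user and project are the placeholders from the page.

```python
"""Fetch SARIF for a Validate project through the Web API search action and
save it as a .sarif file. Added example; assumes no auth token is needed and
that the response body is the SARIF document itself."""
import json
import urllib.parse
import urllib.request

SARIF_CONTENT_TYPE = "application/sarif+json"
SARIF_VERSION = "2.1.0"


def build_search_request(base_url, user, project, query):
    """Return (url, form_body) equivalent to the page's curl command."""
    params = {
        "action": "search",
        "user": user,
        "project": project,
        "query": query,
        "format": "sarif",
    }
    url = base_url.rstrip("/") + "/review/api"
    return url, urllib.parse.urlencode(params).encode("utf-8")


def is_sarif_content_type(content_type):
    """True for 'application/sarif+json', with or without a charset parameter."""
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    return media_type == SARIF_CONTENT_TYPE


def parse_sarif_document(body):
    """Decode the body and check the fields uploaders key on.

    Raises ValueError on a wrong version, a schema URL that is not 2.1.0, or a
    document without runs, so a broken download is never uploaded blindly.
    """
    doc = json.loads(body.decode("utf-8"))
    if doc.get("version") != SARIF_VERSION:
        raise ValueError(f"unexpected SARIF version {doc.get('version')!r}")
    schema = doc.get("$schema", "")
    if SARIF_VERSION not in schema:
        raise ValueError(f"unexpected $schema {schema!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document has no runs")
    return doc


def fetch_sarif(base_url, user, project, query, timeout=60):
    """POST the search and return the checked document (needs a live server)."""
    url, body = build_search_request(base_url, user, project, query)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not is_sarif_content_type(ctype):
            raise ValueError(f"server returned {ctype!r}, not {SARIF_CONTENT_TYPE}")
        return parse_sarif_document(resp.read())


def save_sarif(doc, path):
    """Write the document under a .sarif name so uploaders recognise it."""
    if not path.endswith(".sarif"):
        path += ".sarif"
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return path


# Constructed minimal body so the checks above can be exercised offline.
SAMPLE_BODY = json.dumps({
    "version": "2.1.0",
    "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
    "runs": [{"tool": {"driver": {"name": "Perforce QAC"}}, "results": []}],
}).encode("utf-8")

if __name__ == "__main__":
    doc = fetch_sarif("http://localhost:8080", "myself", "my_project", "file:MyFile.c")
    print("saved", save_sarif(doc, "my_project.sarif"))
```

The content-type and version checks matter in CI: a login page or an HTML error returned with HTTP 200 would otherwise be written out as my_project.sarif and fail only at upload time, with a much less useful message.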

SARIF contents

At a high level, SARIF output contains:

  • A list of analysis results. Each result corresponds to one detected issue; if no defects are found, the results array is empty.
  • Tool metadata (such as product name, version, and language) in the standard tool.driver section. For example, the name Perforce QAC.
  • A catalog of rules that appeared in the results.
  • Taxonomies (such as CWE) and their items (taxa) that issues reference.

Each result typically contains the following:

  • Rule identifier: The checker or rule code that triggered the result.
  • Message: A human-readable description of the problem.
  • Location: The file URI and optional line number (requires a compliance license).
  • Severity level: error, warning, or note.
  • Baseline state: How the result compares to a previous baseline (new, unchanged, or absent).
  • Suppression marker: If the issue was cited as Ignore, Not a Problem, or Code Suppression, it appears as a suppression in SARIF output.
  • Issue ID: Shown in a custom property called id.

Rules and help

SARIF output includes a rules collection that describes each rule that appeared in the results.

When a help page is available for a rule, its entry in the rules collection includes a helpUri that lets you open the rule documentation directly from a SARIF viewer. Opening restricted documentation may require logging in to the server.

Taxonomies

SARIF output includes a taxonomies section, and links results and rules to specific taxonomy entries.

Severity levels

SARIF output uses the standard severity levels error, warning, and note.

The numeric severity codes for QAC projects are mapped as follows:

  • error: Severity level 8–9
  • warning: Severity level 1–7
  • note: Severity level 0

Baseline state

The baseline state shows whether a result is new, unchanged since baseline, or no longer present:

  • new: a newly detected result (also used for continuous integration findings)
  • unchanged: present in both current and baseline
  • absent: was present in baseline but not found now (fixed)

Example SARIF format

The following code snippet shows the format of one result using example values.

{
    "version": "2.1.0",
    "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
    "runs": [
        {
            "results": [
                {
                    "ruleId": "ABV.GENERAL",
                    "ruleIndex": 0,
                    "level": "error",
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "file:///C:/workspace/issues/main.c"
                                },
                                "region": {
                                    "startLine": 3
                                }
                            }
                        }
                    ],
                    "message": {
                        "text": "Array 'a' of size 10 may use index value(s) 10"
                    },
                    "baselineState": "new",
                    "properties": {
                        "id": 1
                    }
                }
            ],
            "tool": {
                "driver": {
                    "name": "Perforce Klocwork",
                    "version": "2026.1",
                    "fullName": "Perforce Klocwork 2026.1 (English, Japanese)",
                    "language": "en-US",
                    "productSuite": "Perforce Software, Inc. Static Code Analyzer",
                    "downloadUri": "https://portal.perforce.com/s/",
                    "informationUri": "https://www.perforce.com/products/static-analysis",
                    "organization": "Perforce Software, Inc.",
                    "rules": [
                        {
                            "id": "ABV.GENERAL",
                            "helpUri": "http://localhost:8080/documentation/help/en-us/reference/abv.general.htm",
                            "relationships": [
                                {
                                    "target": {
                                        "id": "Buffer Overflow"
                                    },
                                    "kinds": [
                                        "subset"
                                    ]
                                }
                            ]
                        }
                    ]
                }
            },
            "taxonomies": [
                {
                    "name": "C and C++",
                    "taxa": [
                        {
                            "id": "Buffer Overflow",
                            "guid": "c794aa7c-c129-33b3-aa1b-6b10f72401c6",
                            "shortDescription": {
                                "text": "Buffer Overflow - Array Index Out of Bounds"
                            }
                        }
                    ]
                }
            ]
        }
    ]
}
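The following script shows how a CI job would consume the document above: it resolves each result to its rule (by ruleIndex, falling back to ruleId), follows the rule's relationships into the taxonomies section, skips results that carry a suppression (Ignore, Not a Problem, Code Suppression) or whose baseline state is absent, and fails the build only on new, unsuppressed errors. It is an added example, not code from the Validate product or its documentation. Its input is the example result above plus two constructed results (one suppressed, one absent) and a constructed rule EXAMPLE.RULE with no help page; the shape of the suppression object follows the SARIF 2.1.0 specification, since the page does not show the exact suppression fields that Validate writes.

```python
"""Triage a SARIF document from Validate: resolve each result's rule, taxonomy
entries, suppression and baseline state into a summary a CI job can gate on.

Added example, not code from the Validate product or its documentation. The
input is the page's example result plus two constructed results (one suppressed,
one absent from the current run) and a constructed rule without a helpUri. The
suppression object shape follows the SARIF 2.1.0 spec; the page does not show
the exact suppression fields that Validate writes.
"""
import json


def _loc(uri, line=None):
    """Build a SARIF physicalLocation; the line number (region) is optional."""
    region = {"region": {"startLine": line}} if line is not None else {}
    return [{"physicalLocation": {"artifactLocation": {"uri": uri}, **region}}]


SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Perforce Klocwork", "rules": [
            {"id": "ABV.GENERAL",
             "helpUri": "http://localhost:8080/documentation/help/en-us/reference/abv.general.htm",
             "relationships": [{"target": {"id": "Buffer Overflow"}, "kinds": ["subset"]}]},
            {"id": "EXAMPLE.RULE"},  # constructed: no help page, no taxonomy link
        ]}},
        "results": [
            {"ruleId": "ABV.GENERAL", "ruleIndex": 0, "level": "error", "baselineState": "new",
             "locations": _loc("file:///C:/workspace/issues/main.c", 3), "properties": {"id": 1},
             "message": {"text": "Array 'a' of size 10 may use index value(s) 10"}},
            {"ruleId": "EXAMPLE.RULE", "ruleIndex": 1, "level": "warning",  # constructed
             "baselineState": "unchanged", "properties": {"id": 2},
             "locations": _loc("file:///C:/workspace/issues/util.c"),
             "message": {"text": "Constructed warning cited as Not a Problem"},
             "suppressions": [{"kind": "external", "status": "accepted"}]},
            {"ruleId": "ABV.GENERAL", "ruleIndex": 0, "level": "error",  # constructed
             "baselineState": "absent", "properties": {"id": 3},
             "locations": _loc("file:///C:/workspace/issues/main.c", 40),
             "message": {"text": "Constructed result fixed since the baseline"}},
        ],
        "taxonomies": [{"name": "C and C++", "taxa": [
            {"id": "Buffer Overflow",
             "shortDescription": {"text": "Buffer Overflow - Array Index Out of Bounds"}}]}],
    }],
}


def rule_for(run, result):
    """Resolve the rule object: by ruleIndex when present, else by ruleId."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")),
                {"id": result.get("ruleId")})


def taxa_index(run):
    """Map taxon id -> short description across every taxonomy in the run."""
    out = {}
    for taxonomy in run.get("taxonomies", []):
        for taxon in taxonomy.get("taxa", []):
            out[taxon["id"]] = taxon.get("shortDescription", {}).get("text", taxon["id"])
    return out


def categories_for(rule, taxa):
    """Follow rule.relationships to the taxonomy entries the rule belongs to."""
    return [taxa[rel["target"]["id"]] for rel in rule.get("relationships", [])
            if rel.get("target", {}).get("id") in taxa]


def is_suppressed(result):
    """Suppressed unless every suppression on the result has been rejected."""
    return any(s.get("status", "accepted") != "rejected"
               for s in result.get("suppressions", []))


def location_of(result):
    """'uri:line', or just the uri when the region (line number) is absent."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
    line = loc.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line is not None else uri


def triage(doc):
    """Count active results by level; collect new, unsuppressed errors; set fail."""
    summary = {"by_level": {"error": 0, "warning": 0, "note": 0},
               "suppressed": 0, "absent": 0, "new_errors": [], "fail": False}
    for run in doc["runs"]:
        taxa = taxa_index(run)
        for res in run.get("results", []):
            # No baselineState means no baseline was compared: treat as new.
            state = res.get("baselineState", "new")
            if state == "absent":          # fixed since the baseline
                summary["absent"] += 1
                continue
            if is_suppressed(res):         # Ignore / Not a Problem / Code Suppression
                summary["suppressed"] += 1
                continue
            level = res.get("level", "warning")
            summary["by_level"][level] = summary["by_level"].get(level, 0) + 1
            if state == "new" and level == "error":
                rule = rule_for(run, res)
                summary["new_errors"].append({
                    "id": res.get("properties", {}).get("id"),
                    "rule": rule.get("id"),
                    "where": location_of(res),
                    "message": res.get("message", {}).get("text", ""),
                    "help": rule.get("helpUri"),
                    "categories": categories_for(rule, taxa),
                })
    summary["fail"] = bool(summary["new_errors"])
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SARIF), indent=2))
```

Two choices are deliberate. A result is only gated on when it is both new and an error (severity 8 or 9 in QAC terms), so unchanged findings carried over from the baseline do not block every build; and a suppressed result is dropped before counting rather than merely annotated, which is how GitHub and Azure DevOps treat suppressions too, so the numbers here match what those platforms display.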