Report Formats
Generic JSON
The default report uses our Generic Issue Format. It is easy for both machines and humans to read and process.
Static Analysis Results Interchange Format (SARIF)
We have experimental support for SARIF, but the format is complex and is not yet well supported by most tools. Hence our own format remains the default.
Excel and Comma-Separated Values
We support reports in the CSV format:
docker run --rm -v ".:/src" \
scanproject/standalone scan --format csv
Here's how it looks when opened in Excel:
SonarQube
If you have SonarQube, you can add all findings to the project dashboard. There are just two steps:
- Generate report
docker run --rm -v ".:/src" \
scanproject/standalone scan --format sonarqube
- Import the report
SonarQube doesn't support importing issues directly via the Web UI. Instead, include the report in your next Sonar Scanner run. Here's an example using containers and our Java Application Scan:
Note: when you use the sonarqube report format, we skip the SonarLint scan to reduce scan time and avoid duplicate issues.
docker run --rm \
-e SONAR_HOST_URL=<SONAR_SERVER_URL> \
-e SONAR_TOKEN=<TOKEN> \
-v .:/usr/src sonarsource/sonar-scanner-cli:latest \
-Dsonar.externalIssuesReportPaths=/usr/src/tsp-report.json \
-Dsonar.projectKey=javaspringvulny \
-Dsonar.java.binaries=build
After the command above finishes, you get all the findings together in one of the most popular dashboards in the industry:
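A report that Sonar Scanner silently skips is the most common failure in this two-step flow, so it pays to check the file before the scanner run. The script below is an added example, not part of this page or of the scanner; it assumes the `--format sonarqube` output follows SonarQube's documented Generic Issue Data schema (a top-level `issues` array with `engineId`, `ruleId`, `severity`, `type` and `primaryLocation`), that the file is named `tsp-report.json` as in the Sonar Scanner command above, and that `filePath` values must be relative to the project base directory. The embedded sample report is constructed for the example. It validates each issue, flags absolute container paths (the scanner mounts the project at `/src`, Sonar Scanner at `/usr/src`, so neither prefix resolves on the other side), and exits non-zero when a vulnerability at or above a chosen severity is present, which makes it usable as a CI gate.

```python
"""Sanity-check a SonarQube Generic Issue report before sonar-scanner picks it up.

Assumptions (not from the page): the --format sonarqube output follows SonarQube's
documented Generic Issue Data schema ({"issues": [...]}), the file is named
tsp-report.json as in the scanner example, and filePath values are relative to
the project root mounted into the scanner container.
"""
import json
import os
import sys

SEVERITIES = {"BLOCKER": 4, "CRITICAL": 3, "MAJOR": 2, "MINOR": 1, "INFO": 0}
TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL", "SECURITY_HOTSPOT"}
REQUIRED = ("engineId", "ruleId", "severity", "type", "primaryLocation")

# Constructed sample report in SonarQube's generic issue format (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "issues": [
        {
            "engineId": "scanproject",
            "ruleId": "java-sqli",
            "severity": "CRITICAL",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": "SQL query built from untrusted input",
                "filePath": "src/main/java/com/example/UserRepository.java",
                "textRange": {"startLine": 42, "endLine": 42, "startColumn": 8, "endColumn": 61},
            },
        },
        {
            "engineId": "scanproject",
            "ruleId": "java-weak-hash",
            "severity": "MAJOR",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": "MD5 used for password hashing",
                # Absolute container path: SonarQube cannot map this to a project file.
                "filePath": "/src/src/main/java/com/example/PasswordService.java",
                "textRange": {"startLine": 17, "endLine": 17},
            },
        },
        {
            "engineId": "scanproject",
            "ruleId": "java-unused-import",
            "severity": "MINOR",
            "type": "CODE_SMELL",
            "primaryLocation": {
                "message": "Unused import",
                "filePath": "src/main/java/com/example/Main.java",
            },
        },
    ]
})


def validate_issue(issue: dict, index: int) -> list:
    """Return the problems found in one issue; an empty list means it is importable."""
    problems = []
    for key in REQUIRED:
        if key not in issue:
            problems.append(f"issue[{index}]: missing required field '{key}'")
    if issue.get("severity") not in SEVERITIES:
        problems.append(f"issue[{index}]: unknown severity {issue.get('severity')!r}")
    if issue.get("type") not in TYPES:
        problems.append(f"issue[{index}]: unknown type {issue.get('type')!r}")
    loc = issue.get("primaryLocation") or {}
    if not loc.get("message"):
        problems.append(f"issue[{index}]: primaryLocation.message is empty")
    path = loc.get("filePath", "")
    if not path:
        problems.append(f"issue[{index}]: primaryLocation.filePath is empty")
    elif os.path.isabs(path) or path.startswith(".."):
        # Paths must be relative to sonar.projectBaseDir: the scanner mounts the
        # project at /src and sonar-scanner at /usr/src, so an absolute path from
        # either container will not resolve and the issue is not imported.
        problems.append(f"issue[{index}]: filePath {path!r} is not relative to the project root")
    rng = loc.get("textRange")
    if rng is not None:
        start = rng.get("startLine")
        end = rng.get("endLine", start)
        if not isinstance(start, int) or start < 1 or (isinstance(end, int) and end < start):
            problems.append(f"issue[{index}]: invalid textRange {rng!r}")
    return problems


def analyse_report(text: str) -> dict:
    """Validate every issue and count vulnerabilities per severity."""
    report = json.loads(text)
    issues = report.get("issues")
    if not isinstance(issues, list):
        raise ValueError("report has no top-level 'issues' array")
    problems = []
    vulns_by_severity = {s: 0 for s in SEVERITIES}
    for i, issue in enumerate(issues):
        problems.extend(validate_issue(issue, i))
        if issue.get("type") == "VULNERABILITY" and issue.get("severity") in SEVERITIES:
            vulns_by_severity[issue["severity"]] += 1
    return {"total": len(issues), "problems": problems, "vulnerabilities": vulns_by_severity}


def should_fail_build(summary: dict, threshold: str = "CRITICAL") -> bool:
    """True if any vulnerability is at or above the threshold severity."""
    floor = SEVERITIES[threshold]
    return any(n > 0 for s, n in summary["vulnerabilities"].items() if SEVERITIES[s] >= floor)


if __name__ == "__main__":
    # Usage: python check_sonar_report.py [tsp-report.json]; falls back to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = analyse_report(source)
    for p in summary["problems"]:
        print("WARN", p)
    print(f"{summary['total']} issues, vulnerabilities by severity: {summary['vulnerabilities']}")
    sys.exit(1 if should_fail_build(summary) else 0)
```

Run it between the two docker commands above (`python check_sonar_report.py tsp-report.json`); a non-zero exit stops the pipeline before the Sonar Scanner step, and the warnings tell you which issues the dashboard would otherwise be missing.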
DefectDojo
If you prefer to use DefectDojo, we support both SARIF and Generic Findings Import. We recommend the "Generic Findings Import" option over SARIF.
- Generate report
docker run --rm -v ".:/src" \
scanproject/standalone scan --format defectdojo
- Import the report
Use the "Findings" → "Import Scan Results" menu option, then select "Scan type" → "Generic Findings Import".
DefectDojo screenshots: