SARIF is an open industry standard that defines a JSON-based, machine-readable structure for representing the output of Static Analysis Tools. By adopting the common JSON-based SARIF schema, analysis results can be represented in a consistent format, simplifying the exchange, integration, and presentation of findings across various tools and platforms.
SARIF exports in Kiuwan
Kiuwan supports exporting components as a SARIF report. The SARIF export option is available in these product areas:
-
Code Security
- Location: Next to Vulnerabilities
- Export includes: Vulnerability data
-
Code Analysis
- Location: Next to Defects
- Export includes: Vulnerability and Quality data
These exports follow the official SARIF 2.1 specification and include all required fields. SARIF exports are also available via the Kiuwan API.
Example Output
Below is an example of the output you will receive:
{
"version": "2.1.0",
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "Kiuwan",
"version": "1.0.0",
"informationUri": "https://www.kiuwan.com",
"rules": [
{
"id": "OPT.PYTHON.SECURITY.CodeInjection",
"shortDescription": {
"text": "CodeInjection: Avoid non-neutralized user-controlled input in dynamic code"
},
"fullDescription": {
"text": "Code injection is general term for attack types which consist of injecting"
},
"helpUri": "https://www.kiuwan.com",
"properties": {
"category": "Security",
"defaultSeverity": "error"
}
}
]
}
},
"results": [
{
"ruleId": "OPT.PYTHON.SECURITY.CodeInjection",
"message": {
"text": "CodeInjection: Avoid non-neutralized user-controlled",
"markdown": "**ERROR:** User-controlled input in dynamic code evaluation"
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.py"
},
"region": {
"startLine": 1
}
}
}
]
}
],
"invocations": [
{
"executionSuccessful": true,
"startTimeUtc": "2025-11-16 08:53:38",
"endTimeUtc": "2025-11-16 08:53:56"
}
]
}
]
}These results include information on the violated rule, a description of the reported item and its results, together with the severity level of violation, the file URI, and the line number where the issue begins.
Permissions to view and export SARIF reports
The ability to view and export SARIF reports depends on the user’s administrative privileges and access permissions for the application.
The following users can view and export SARIF reports:
- Admins
- Users with the View Code Analysis or View Code Security administrative privileges
- Users with at least read access to the application
For more information, see:
- Permission Model-based Access Control > Administration privileges
- Permission Model based Access Control > Permissions on Portfolios and Applications