SARIF 2.1.0 ingest

SARIF (Static Analysis Results Interchange Format) is the OASIS-standard JSON format for static-analysis output. Roboticks ingests SARIF 2.1.0 for any tool that emits it, so you don’t need a bespoke connector for every new scanner. Common SARIF-emitting tools that work out of the box:
| Tool | Domain |
|---|---|
| Bandit | Python security |
| Semgrep | Multi-language patterns |
| CodeQL (GitHub Code Scanning) | Multi-language deep analysis |
| Snyk Code | Multi-language security |
| ESLint | JS/TS lint |
| Brakeman | Ruby/Rails security |
| Trivy | Container vulnerability |
| Checkov | IaC security |
| PMD, SpotBugs | Java |
| Gosec | Go security |
| Cargo audit (with --format json + post-process) | Rust |
The bundled OSS scanners (Bandit, Semgrep, trivy, syft) emit SARIF natively — see OSS scanners.

Why this exists

Before SARIF, every static-analysis tool had its own report format. Now most modern tools emit SARIF, and you can plug a new scanner in without us writing a custom parser.

Upload a SARIF file

rbtk findings upload --tool <name> findings.sarif
The CLI auto-detects SARIF by JSON structure ($schema field or runs[].tool.driver). The --tool label is free-form — used in the dashboard to group findings by source.

Wire it to your tool

bandit -r . -f sarif -o bandit.sarif
rbtk findings upload --tool bandit bandit.sarif

What the connector reads

For each run in the SARIF file, Roboticks extracts:
| SARIF field | Roboticks finding field |
|---|---|
| tool.driver.name | source tool name |
| tool.driver.version | tool version |
| results[].ruleId | rule ID |
| results[].level | severity (mapped, see below) |
| results[].message.text | message |
| results[].locations[0].physicalLocation.artifactLocation.uri | source file |
| results[].locations[0].physicalLocation.region.startLine | line number |
| results[].fingerprints (or partialFingerprints) | deduplication key |
| results[].suppressions | suppression status |
Multi-location results (data-flow / taint paths) are preserved — the first location is the primary, the rest appear under Code flow in the finding detail view.

Severity mapping

SARIF defines level: none | note | warning | error. Roboticks maps:
| SARIF level | Roboticks severity |
|---|---|
| error | error |
| warning | warning |
| note | info |
| none | suppressed |
Some tools (Snyk, Semgrep) emit a rank (0–100) instead — Roboticks reads properties.security-severity if present and overrides the mapping:
| security-severity | Roboticks severity |
|---|---|
| ≥ 9.0 | critical |
| 7.0–8.9 | error |
| 4.0–6.9 | warning |
| < 4.0 | info |

Suppressions

SARIF suppressions round-trip:
"suppressions": [{
  "kind": "external",
  "justification": "false positive — input is sanitised in middleware"
}]
Findings with kind: external or kind: inSource (e.g., a # nosec comment) appear as dismissed in Roboticks and don’t gate PR Check Runs.
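The field mapping, severity rules and suppression handling from the three sections above, applied to a constructed two-run SARIF document. This is an added example, not Roboticks' own ingest code; the tool versions, rule IDs and fingerprint values are made up.

```python
import json

LEVEL_TO_SEVERITY = {"error": "error", "warning": "warning", "note": "info", "none": "suppressed"}

def severity_from_score(score):
    # properties.security-severity (0-10) overrides the level mapping
    return ("critical" if score >= 9.0 else "error" if score >= 7.0
            else "warning" if score >= 4.0 else "info")

def finding_from_result(driver, result):
    # one finding per result, using the fields listed in the mapping table
    locs = [loc.get("physicalLocation", {}) for loc in result.get("locations", [])]
    primary = locs[0] if locs else {}
    props = result.get("properties", {})
    if "security-severity" in props:
        severity = severity_from_score(float(props["security-severity"]))
    else:  # SARIF treats a missing level as "warning"
        severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "warning")
    kinds = {s.get("kind") for s in result.get("suppressions", [])}
    return {
        "source_tool": driver.get("name"), "tool_version": driver.get("version"),
        "rule_id": result.get("ruleId"), "severity": severity,
        "message": result.get("message", {}).get("text"),
        "source_file": primary.get("artifactLocation", {}).get("uri"),
        "line": primary.get("region", {}).get("startLine"),
        "dedup_key": result.get("fingerprints") or result.get("partialFingerprints"),
        "dismissed": bool(kinds & {"external", "inSource"}),  # dismissed: no PR gating
        "code_flow": [l.get("artifactLocation", {}).get("uri") for l in locs[1:]],
    }

def ingest_sarif(text):
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":  # 1.0 / 2.0 must be converted first
        raise ValueError("convert to SARIF 2.1.0 with the SARIF Multitool first")
    return [finding_from_result(run["tool"]["driver"], r)  # one source per run
            for run in doc["runs"] for r in run.get("results", [])]

# Constructed sample: a bandit result suppressed by a "# nosec" comment, and a
# semgrep result carrying security-severity plus a two-location taint path.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "bandit", "version": "0.0-sample"}}, "results": [
        {"ruleId": "B602", "level": "warning", "message": {"text": "shell=True"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"}, "region": {"startLine": 12}}}],
         "partialFingerprints": {"primaryLocationLineHash": "ab12"},
         "suppressions": [{"kind": "inSource"}]}]},
    {"tool": {"driver": {"name": "semgrep", "version": "0.0-sample"}}, "results": [
        {"ruleId": "python.sqli", "message": {"text": "tainted query"},
         "properties": {"security-severity": "9.1"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "db/query.py"}, "region": {"startLine": 40}}},
                       {"physicalLocation": {"artifactLocation": {"uri": "api/handler.py"}}}]}]}]})
```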

CI recipe (generic)

# .github/workflows/sarif-scan.yml
name: Static analysis (SARIF)
on: { pull_request: {} }

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions: { id-token: write, contents: read }
    steps:
      - uses: actions/checkout@v4

      - name: Run scanners
        run: |
          pip install bandit semgrep
          bandit -r . -f sarif -o bandit.sarif || true
          semgrep --config=auto --sarif --output semgrep.sarif . || true

      - run: pipx install roboticks-cli
      - run: rbtk auth oidc-from-github

      - name: Upload SARIF
        run: |
          rbtk findings upload --tool bandit  bandit.sarif
          rbtk findings upload --tool semgrep semgrep.sarif

Where findings appear

  • Traceability matrix — findings link to requirements via the source file’s @confirms-annotated test.
  • Findings view — filterable by tool, severity, suppression state, and rule ID.
  • Release evidence pack — SARIF Findings appendix in the PDF; raw SARIF JSON files in the ZIP.
  • PR Check Run — Roboticks · Findings summarises new/resolved findings across all SARIF tools.

Validating a SARIF file

If your tool emits malformed SARIF (it happens), validate before upload:
pip install sarif-tools
sarif-validate findings.sarif
Or use the SARIF Multitool:
dotnet sarif validate findings.sarif
Roboticks rejects deliveries that fail JSON-schema validation against the SARIF 2.1.0 spec.

Multi-run SARIF files

A SARIF file may contain multiple runs[] (one tool per run). Roboticks handles them — each run becomes a separate finding source. Useful when one CI step bundles several scanners.

Limitations

  • Result kind pass is recorded as a passing check but not surfaced in the matrix. Most tools don’t emit these; if yours does, the data is preserved in the ZIP.
  • Inline taxonomies (e.g., taxonomies[]) are stored verbatim and queryable via API but not rendered specially in the UI.
  • SARIF 1.0 / 2.0 — convert via the SARIF Multitool to 2.1.0 first.

Troubleshooting

  • Upload rejected by schema validation: run sarif-validate locally to see the specific violation. The common culprit is a missing required $schema or version field.
  • Findings point at the wrong file: physicalLocation.artifactLocation.uri is expected to be relative, and Roboticks resolves it against the commit’s repo root. If the tool emits absolute paths from the build host, post-process with jq to strip the host prefix before uploading.
  • Duplicate findings across runs: most likely the tool isn’t emitting partialFingerprints, so Roboticks can’t dedupe across runs. CodeQL and Snyk emit them by default; for Semgrep, enable --metrics=on and check that the SARIF output has partialFingerprints populated.
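The host-prefix stripping step from the path item above, written in Python instead of jq. This is an added example, not Roboticks code; the build-host root and file names are constructed, and artifact locations that carry a uriBaseId are left alone because they are already relative to a base.

```python
import json
from urllib.parse import urlparse

def relativize_uri(uri, repo_root):
    # make an absolute build-host path relative to repo_root; leave relative
    # uris and paths outside the checkout unchanged
    path = urlparse(uri).path if uri.startswith("file://") else uri
    if not path.startswith("/"):
        return path
    root = repo_root.rstrip("/") + "/"
    return path[len(root):] if path.startswith(root) else path

def iter_locations(result):
    # every location object of a result: primary/secondary plus codeFlows steps
    yield from result.get("locations", [])
    for flow in result.get("codeFlows", []):
        for thread in flow.get("threadFlows", []):
            for step in thread.get("locations", []):
                if "location" in step:
                    yield step["location"]

def relativize_sarif(doc, repo_root):
    # rewrite artifactLocation.uri in place across all runs; returns rewrite count
    changed = 0
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in iter_locations(result):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uri" not in art or "uriBaseId" in art:
                    continue  # no uri, or already relative to a declared base
                new = relativize_uri(art["uri"], repo_root)
                changed += new != art["uri"]
                art["uri"] = new
    return changed

# Constructed sample; the build-host root is hypothetical.
BUILD_ROOT = "/home/runner/work/repo/repo"
SAMPLE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sample"}}, "results": [
    {"ruleId": "R1",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://" + BUILD_ROOT + "/src/a.py"}}}],
     "codeFlows": [{"threadFlows": [{"locations": [{"location": {"physicalLocation":
         {"artifactLocation": {"uri": BUILD_ROOT + "/src/sink.py"}}}}]}]}]},
    {"ruleId": "R2", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/ok.py"}}}]},
    {"ruleId": "R3", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "/usr/lib/python3/site.py"}}}]},
]}]}

def demo():
    # returns (number of uris rewritten, rewritten copy of SAMPLE)
    doc = json.loads(json.dumps(SAMPLE))
    return relativize_sarif(doc, BUILD_ROOT), doc
```

Write the returned document back out with json.dump before running rbtk findings upload.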

Next

  • OSS scanners: the bundled SARIF-emitting tools shipped in paid tiers.
  • BYO connectors: when a custom commercial connector beats generic SARIF.