
SARIF Export

Primus Security can export scan results as SARIF 2.1.0 — the standard format supported by GitHub Advanced Security (GHAS), Azure DevOps, VS Code, and GitLab SAST.

This is a key differentiator over SonarQube Community Edition, which does not natively produce SARIF output.

Basic usage

using PrimusSaaS.Security.Reporting.Formatters;

var scanResult = await scanner.ScanAsync("/path/to/project");

// Export to SARIF JSON string
string sarifJson = SarifExporter.ToJson(
    scanResult,
    catalog: rulesCatalog,           // optional — enriches rules with titles and help URIs
    projectRoot: "/path/to/project"  // optional — makes file URIs relative to the project root
);

// Write to file
await File.WriteAllTextAsync("results.sarif", sarifJson);

Extension methods

The package also ships ScanResult extension methods for convenience:

using PrimusSaaS.Security.Reporting.Formatters;

// On the scan result directly
string sarif = scanResult.ToSarifJson(catalog, projectRoot);
byte[] bytes = scanResult.ToSarifBytes(catalog, projectRoot);

await File.WriteAllBytesAsync("results.sarif", bytes);

GitHub Actions — upload to Code Scanning

# .github/workflows/security.yml
# The job (or workflow) also needs:
#   permissions:
#     security-events: write   # required by upload-sarif
- uses: actions/checkout@v4

- name: Run Primus Security scan
  # $GITHUB_WORKSPACE is the checkout directory on every runner;
  # /github/workspace only exists inside Docker container actions.
  run: dotnet run --project tools/PrimusSecurity.Cli -- "$GITHUB_WORKSPACE" --sarif results.sarif

- name: Upload SARIF to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  if: always()   # upload even when the scan step exits non-zero
  with:
    sarif_file: results.sarif

Results appear under Security → Code scanning in the repository. Each alert links to the file and line and shows the rule's full help text. The upload step needs the security-events: write permission (plus actions: read on private repositories) or it fails with a permissions error, and if: always() keeps the upload running when the scan step itself exits non-zero.

Azure DevOps — Publish to Security tab

# azure-pipelines.yml
- task: DotNetCoreCLI@2
  displayName: Primus Security Scan
  inputs:
    command: run
    projects: tools/PrimusSecurity.Cli
    arguments: $(Build.SourcesDirectory) --sarif $(Build.ArtifactStagingDirectory)/results.sarif

- task: PublishPipelineArtifact@1
  displayName: Publish SARIF for the Scans tab
  condition: succeededOrFailed()   # publish even when the scan task fails
  inputs:
    targetPath: $(Build.ArtifactStagingDirectory)/results.sarif
    artifact: CodeAnalysisLogs      # the artifact name the SARIF SAST Scans Tab extension reads

Install the SARIF SAST Scans Tab extension (Microsoft DevLabs) to render findings in a Scans tab on the build. The extension only picks up SARIF files published to a pipeline artifact named CodeAnalysisLogs, so keep that artifact name.

VS Code — SARIF Viewer

Install the SARIF Viewer extension. Open results.sarif directly to browse findings with source code navigation.

What the SARIF file contains

  • rules — every unique rule ID with description, severity, OWASP/CWE references, and a helpUri linking to the Primus rule catalog
  • results — each finding with file URI, line number, code snippet, and suppression info
  • properties — top-level qualityGateStatus, totalFindings, criticalCount, highCount, scanId for CI scripts that need fast metadata without parsing the full results list

Suppressed findings

Findings that have been suppressed via // primus-suppress or [PrimusSuppress] are included in the SARIF output with suppressions[].kind = "inSource" so tooling can show the full picture while respecting your triage decisions.
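The two sections above describe what a consumer of the file sees: a fast-path metadata block in properties, a rules array, a results array, and suppressed findings that stay in results with an inSource suppression. The following added example (not part of Primus Security or this page's code) is a small CI-side consumer in Python that reads a SARIF 2.1.0 file, pulls the metadata, separates suppressed from active findings, and gates the build. It assumes the properties block sits on the log root (falling back to runs[0].properties), that a passing gate is spelled PASSED, and uses placeholder rule IDs and a placeholder scanId in a constructed sample file; none of those names come from the Primus rule catalog.

```python
"""Consume a SARIF 2.1.0 file in CI: metadata, active vs suppressed findings, build gate.

Added example, not Primus Security's own code. Assumptions: the metadata block is the
log-level `properties` object (falls back to runs[0].properties); a passing quality gate
is spelled "PASSED"; rule IDs and scanId below are placeholders, not catalog entries.
"""
import json
import sys

# Constructed sample SARIF log shaped like the output described on the page.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "properties": {  # fast-path metadata (assumed location: log root)
        "qualityGateStatus": "FAILED",
        "totalFindings": 3,
        "criticalCount": 0,
        "highCount": 1,
        "scanId": "placeholder-scan-id",  # placeholder, not a real scan ID
    },
    "runs": [{
        "tool": {"driver": {"name": "Primus Security", "rules": [
            {"id": "RULE-A", "shortDescription": {"text": "placeholder rule A"}},
            {"id": "RULE-B", "shortDescription": {"text": "placeholder rule B"}},
        ]}},
        "results": [
            {"ruleId": "RULE-A", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Auth.cs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "RULE-B", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Db.cs"},
                 "region": {"startLine": 7}}}]},
            # Triaged with // primus-suppress: still present, but carries an
            # inSource suppression so consumers can show it without failing on it.
            {"ruleId": "RULE-B", "level": "warning",
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Legacy.cs"},
                 "region": {"startLine": 13}}}]},
        ],
    }],
})


def load_sarif(text):
    """Parse and sanity-check the log before trusting any field in it."""
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError("expected SARIF 2.1.0, got %r" % log.get("version"))
    if not log.get("runs"):
        raise ValueError("SARIF log has no runs")
    return log


def scan_metadata(log):
    """Metadata without walking results: log-level properties, else runs[0].properties."""
    props = log.get("properties") or log["runs"][0].get("properties") or {}
    keys = ("qualityGateStatus", "totalFindings", "criticalCount", "highCount", "scanId")
    return {k: props.get(k) for k in keys}


def is_suppressed(result):
    """SARIF: a result with a non-rejected suppression (inSource or external) is suppressed."""
    return any(s.get("kind") in ("inSource", "external") and s.get("status") != "rejected"
               for s in result.get("suppressions", []))


def active_results(log):
    """Findings that still count against the build (suppressed ones are skipped)."""
    return [r for run in log["runs"] for r in run.get("results", []) if not is_suppressed(r)]


def level_counts(results):
    """Count results by SARIF level; the spec default when level is absent is "warning"."""
    counts = {}
    for r in results:
        lvl = r.get("level", "warning")
        counts[lvl] = counts.get(lvl, 0) + 1
    return counts


def location_of(result):
    """(uri, startLine) of the first physical location, or (None, None)."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        return (phys.get("artifactLocation", {}).get("uri"),
                phys.get("region", {}).get("startLine"))
    return (None, None)


def gate(log, allow_errors=0):
    """Return (passed, reason). Honour the exporter's qualityGateStatus, but also recount
    unsuppressed error-level results so a missing or stale properties block cannot pass."""
    status = scan_metadata(log)["qualityGateStatus"]
    if status is not None and str(status).upper() != "PASSED":
        return False, "exporter quality gate: %s" % status
    errors = level_counts(active_results(log)).get("error", 0)
    if errors > allow_errors:
        return False, "%d unsuppressed error-level findings" % errors
    return True, "ok"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SARIF
    log = load_sarif(text)
    for r in active_results(log):
        uri, line = location_of(r)
        print("%-7s %s %s:%s" % (r.get("level", "warning"), r.get("ruleId"), uri, line))
    ok, why = gate(log)
    print("gate:", "PASSED" if ok else "FAILED", "(%s)" % why)
    sys.exit(0 if ok else 1)
```

Run it as python sarif_gate.py results.sarif in the CI step after the scan; with no argument it runs against the constructed sample. The recount in gate() is deliberate: qualityGateStatus is convenient, but it is data written by the producer, so the consumer re-derives the one number it fails the build on from the results it actually received.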