Statically analyzed code risks - NEW!

It is required to provide a SARIF file that has been created using a static analysis tool.

Sprkl integrates with SAST tools by consuming the SARIF file they generate and instrumenting the risks that tool discovered. All you need to do is provide the SARIF file you generated with a static analysis tool (e.g. Semgrep, Snyk). Sprkl then shows you which of the risk spans listed in the SARIF file actually executed at runtime.

How to enable the instrumentation?

  1. Perform static analysis on the project and export the results in SARIF format.

  2. Provide the path to the SARIF file to the Sprkl CLI using the flag "--sarif".

  3. It is also recommended to provide the directory the static analysis was run from (the root against which file paths in the SARIF results are resolved) using the flag "--sarif-source-root". If this is not provided, Sprkl will try to resolve it on its own.

Note that you can use a relative path for both the SARIF file path and the source root path.

sprkl --sarif=/path/to/sarif/file --sarif-source-root=. -- npm run start

What is the SARIF format?

SARIF (Static Analysis Results Interchange Format) is a standardized, JSON-based file format used to exchange structured information about potential security vulnerabilities and other issues between software tools.

How to create a SARIF file?

To create a SARIF file, run static analysis on your project with a tool such as Semgrep or Snyk. When executing the tool, you can typically pass a flag that exports the results in SARIF format.

Video of Sprkl integration with Semgrep
