Sprkl Docs
latest (0.0.70)

Static analyzed code risks - NEW!

Last updated 2 years ago

This feature requires a SARIF file produced by a static analysis tool.

Sprkl integrates with SAST tools by consuming a generated SARIF file and instrumenting the risks that tool reported. All you need to do is provide the SARIF file you generated using a static analysis tool (e.g. Semgrep or Snyk). Sprkl then shows you which of the risk spans listed in the SARIF file were actually executed at runtime, so you can separate findings on live code paths from findings on code that never ran.

How to enable the instrumentation?

  1. Provide the path to the SARIF file to the Sprkl CLI using the flag "--sarif".

  2. It is also recommended to provide the directory the static analysis was run from using the flag "--sarif-source-root". File paths in SARIF results are typically recorded relative to that directory, so this is what lets Sprkl map each reported risk onto the files it instruments. If it is not provided, Sprkl will try to resolve it on its own.

Note that you can use a relative path for both the SARIF file path and the source root path.

sprkl --sarif=/path/to/sarif/file --sarif-source-root=. -- npm run start

What is the SARIF format?

SARIF (Static Analysis Results Interchange Format) is an OASIS-standardized, JSON-based file format for exchanging structured information about potential security vulnerabilities and other issues between software tools. Each result in a SARIF log carries a rule ID, a severity level, a message, and one or more locations (a file URI plus a line/column region), which is exactly what Sprkl needs in order to match a finding to executed code.

How to create a SARIF file?

Video: Sprkl integration with Semgrep

To create a SARIF file, perform static analysis on your project using a tool such as Semgrep or Snyk and export the results in SARIF format. Both tools expose a flag for SARIF output. Run the tool from your project root, since that directory is the value you will later pass as "--sarif-source-root".

Screenshot: a trace containing a span of a risk that triggered at runtime.