The static analysis model supports the following report formats.

If your tool is not yet supported, you can:
- export the issues of your tool to the native XML or JSON format (or any other format).
- provide a pull request with a new parser.

If your tool is supported, but some properties are missing (icon, URL, etc.), please file a pull request.

ID | Icons | Name | Default Pattern |
---|---|---|---|
acu-cobol | - | AcuCobol | - |
gnat | - | Ada Compiler (gnat) | - |
android-lint | - | Android Lint | - |
💡 Use the flag -p. | |||
ansible-later | | Ansible Later | - |
💡 Use -p flag. | |||
ansiblelint | | Ansible Lint | - |
💡 Use the flag -p. | |||
scannercli | | Aqua Scanner | - |
💡 Use commandline scannercli scan 'image' --jsonfile results.json, see Aqua Scanner CLI for usage details. | |||
trivy | | Aquasec Trivy | - |
💡 Use commandline trivy image -f json -o results.json 'image', see trivy on GitHub for usage details. | |||
armcc | - | Armcc Compiler | - |
aspectj | - | AspectJ | - |
bandit | | Bandit | - |
bluepearl | - | Blue Pearl Visual Verification Suite | - |
brakeman | - | Brakeman | **/brakeman-output.json |
💡 Reads Brakeman JSON reports. Use commandline brakeman -o brakeman-output.json output. See Brakeman documentation for usage details. | |||
buckminster | - | Buckminster | - |
ccm | - | CCM | - |
cmake | | CMake | - |
cpd | - | CPD | **/cpd.xml |
cppcheck | - | CPPCheck | - |
💡 Use options --xml --xml-version=2 | |||
csslint | - | CSS-Lint | - |
cadence | - | Cadence Incisive | - |
cargo | - | Cargo Check | - |
💡 Use commandline cargo check --message-format json | |||
clippy | - | Cargo Clippy | - |
checkstyle | | CheckStyle | **/checkstyle-result.xml |
clair | - | Clair Scanner | - |
💡 Reads Clair JSON data. Use commandline clair-scanner --report="/target/clair.json" output. See clair-scanner on GitHub for usage details. | |||
clang | - | Clang | - |
clang-analyzer | - | Clang Analyzer | - |
💡 Use options --analyze --analyzer-output plist-multi-file | |||
clang-tidy | - | Clang-Tidy | - |
code-analysis | - | Code Analysis | - |
code-climate | - | Code Climate | - |
code-generator | - | Code Generator Tool | - |
code-checker | - | CodeChecker | - |
codenarc | - | CodeNarc | - |
coolflux | - | Coolflux DSP Compiler | - |
coverity | - | Coverity Scan | - |
cpplint | - | Cpplint | - |
💡 You need to use the Eclipse format with the option --output=eclipse | |||
crosscore-embedded-studio | - | CrossCore Embedded Studio (CCES) | - |
dscanner | - | DScanner | **/dscanner-report.json |
dart | - | Dart Analyze | - |
detekt | - | Detekt | - |
💡 Use option --output-format xml. | |||
docfx | - | DocFX | - |
dockerlint | - | Dockerfile Lint | - |
💡 Use commandline dockerfile_lint -j output. See dockerfile_lint on GitHub for usage details. | |||
doxygen | | Doxygen | - |
💡 Execute doxygen as a shell command: ( cat Doxyfile; echo WARN_FORMAT='$file:$line: $text' ) | doxygen - or as a batch command: ( type Doxyfile & echo WARN_FORMAT='$file:$line: $text' ) | doxygen - | |||
dr-memory | - | Dr. Memory | - |
eslint | | ESLint | - |
💡 Use option --format checkstyle. | |||
eclipse | - | Eclipse ECJ | - |
💡 Create an output file that contains Eclipse ECJ output, in either XML or text format. To log in XML format, specify ".xml" as the file extension to the -log argument: To log in text format, specify any file extension except ".xml" to the -log argument: | |||
embedded-engineer | - | Embedded Engineer Tool | - |
erlc | - | Erlang Compiler (erlc) | - |
error-prone | - | Error Prone | - |
findbugs | - | FindBugs | **/findbugsXml.xml |
flake8 | - | Flake8 | - |
💡 Run flake8 as | |||
flawfinder | - | FlawFinder | - |
💡 Use commandline flawfinder -S . | |||
flex | - | Flex SDK Compiler | - |
flow | | Flow | - |
foodcritic | | Foodcritic | - |
fxcop | - | FxCop | - |
ghs-multi | - | GHS Multi Compiler | - |
gcc | - | GNU C Compiler (gcc) | - |
gcc3 | - | GNU C Compiler 3 (gcc) | - |
fortran | - | GNU Fortran Compiler | - |
gendarme | - | Gendarme | - |
golint | - | Go Lint | - |
go-vet | - | Go Vet | - |
grype | | Grype | **/grype-report.json |
hadolint | - | HadoLint | - |
💡 Use commandline hadolint --format json Dockerfile output. See hadolint on GitHub for usage details. | |||
iar-cstat | - | IAR C-STAT | - |
💡 The IAR C-STAT static analysis tool finds potential issues in code by doing an analysis on the source code level. Use the following icstat command to generate the output on stdout in the correct format: | |||
iar | - | IAR Compiler (C/C++) | - |
💡 The IAR compilers need to be started with option --no_wrap_diagnostics. Then the IAR compilers will create single-line warnings. | |||
xlc | - | IBM XLC Compiler | - |
iblinter | - | IbLinter | - |
💡 Use configuration reporter: "checkstyle". | |||
infer | | Infer | - |
💡 Use option --pmd-xml. | |||
intel | - | Intel Compiler (C, Fortran) | - |
idea | - | IntelliJ IDEA Inspections | - |
jc-report | - | JCReport | - |
jslint | - | JSLint | - |
junit | - | JUnit | - |
java | - | Java Compiler | - |
javadoc-warnings | - | JavaDoc | - |
js-hint | - | JsHint | - |
klocwork | - | Klocwork | - |
kotlin | - | Kotlin | - |
ktlint | - | KtLint | - |
💡 Use option --reporter=checkstyle. | |||
msbuild | - | MSBuild | - |
maven-warnings | - | Maven | - |
taglist | - | Maven Taglist Plugin | **/taglist.xml |
modelsim | - | Mentor Graphics Modelsim/Questa Simulators | - |
metrowerks | - | Metrowerks CodeWarrior Compiler | - |
💡 Ensure that the output from the CodeWarrior build tools is in the expected format. If there are warnings present, but they are not found, then it is likely that the format is incorrect. The mwccarm compiler and mwldarm linker tools may support a configurable message style. This can be used to enforce the expected output format, which may be different from Metrowerks CodeWarrior (and thus require a different tool). For example the following could be appended to the build flags: | |||
mypy | - | MyPy | - |
nag-fortran | - | NAG Fortran Compiler | - |
native | - | Native Analysis Model Format | - |
💡 Create an output file that contains issues in the native analysis-model format, in either XML or JSON. The parser is even capable of reading individual lines of a log file that contains issues in JSON format. | |||
ot-docker-linter | - | OT Docker Linter | - |
💡 Use commandline ot-docker-linter audit --docker.file Dockerfile -o json output. See ot-docker-linter on GitHub for usage details. | |||
owasp-dependency-check | | OWASP Dependency Check | **/dependency-check-report.json |
invalids | - | Oracle Invalids | - |
pclint | - | PC-Lint Tool | - |
💡 Use the following PC-Lint properties to create an output file in the correct format: | |||
pep8 | - | PEP8 | - |
php | - | PHP Runtime | - |
phpstan | - | PHPStan | - |
💡 Use the options: --no-progress --error-format checkstyle | |||
php-code-sniffer | - | PHP_CodeSniffer | - |
💡 Use option --report=checkstyle. | |||
pit | | PIT | **/mutations.xml |
pmd | | PMD | **/pmd.xml |
prefast | - | PREfast | - |
pvs-studio | - | PVS-Studio | **/*.plog |
perforce | - | Perforce Compiler | - |
perl-critic | - | Perl::Critic | - |
polyspace-parser | - | Polyspace Tool | - |
💡 Reads reports of Polyspace Static Analysis Tool by MathWorks. Used for BugFinder and CodeProver result files. Report can be generated with command: polyspace-results-export -format csv -results-dir -output-name -key | |||
protolint | - | ProtoLint | - |
💡 Use protolint with options -reporter=json -output_file=protolint-report.json, see protoLint CLI options for usage details. | |||
puppetlint | - | Puppet Lint | - |
💡 You will need a recent enough version that supports the --log-format flag. When running puppet-lint, make sure you use the log format %{path}:%{line}:%{check}:%{KIND}:%{message}. Complete example: find . -iname *.pp -exec puppet-lint --log-format "%{path}:%{line}:%{check}:%{KIND}:%{message}" {} \; | |||
pydocstyle | - | PyDocStyle | - |
pylint | - | Pylint | - |
💡 Start Pylint using this custom message template (can also be configured via a pylintrc configuration file): | |||
qac | - | QA-C Sourcecode Analyser | - |
qt-translation | - | Qt translations | - |
💡 Reads translation files of Qt, which are created by "lupdate" or "Linguist". | |||
dupfinder | - | Resharper DupFinder | - |
resharper | - | Resharper Inspections | - |
revapi | - | Revapi | **/target/revapi-result.json |
robocopy | - | Robocopy | - |
rflint | - | Robot Framework Lint | - |
rubocop | - | Rubocop | - |
💡 Use commandline rubocop --format progress . | |||
sarif | - | SARIF | - |
sunc | - | SUN C++ Compiler | - |
scala | - | Scala Compiler | - |
semgrep | | Semgrep | - |
💡 Use --json | |||
simian | - | Simian | - |
simulink-check-parser | - | Simulink Check Tool | - |
💡 Reads and parses HTML reports of Simulink Check Tool by MathWorks. Report can be generated with command: ModelAdvisor.summaryReport(ModelAdvisor.run(, , , )) | |||
sonar | - | SonarQube Issues | **/sonar-report.json |
sphinx | - | Sphinx Build | - |
spotbugs | | SpotBugs | **/spotbugsXml.xml |
stylecop | - | StyleCop | - |
stylelint | | Stylelint | - |
💡 Requires stylelint-checkstyle-reporter. Use --custom-formatter node_modules/stylelint-checkstyle-reporter/index.js -o stylelint-warnings.xml | |||
swiftlint | - | SwiftLint | - |
💡 Use configuration reporter: "checkstyle". | |||
tasking-vx | - | TASKING VX Compiler | - |
tnsdl | - | TNSDL Translator | - |
tslint | - | TSLint | - |
💡 Use option --format checkstyle. | |||
code-composer | - | Texas Instruments Code Composer Studio | - |
vale | - | Vale | **/vale-report.json |
💡 Reads vale report files. Use the flag --output=JSON | |||
valgrind | | Valgrind | - |
💡 Use options --xml=yes --xml-file=valgrind_report.xml --child-silent-after-fork=yes, see the Valgrind User Manual for usage details. | |||
veracode-pipeline-scanner | | Veracode Pipeline Scanner | - |
💡 Use commandline java -jar pipeline-scan.jar --json_output=true --json_output_file=results.json, see Veracode Pipeline Scanner for usage details. | |||
diabc | - | Wind River Diab Compiler (C/C++) | - |
xmllint | - | XML-Lint | - |
yui | - | YUI Compressor | - |
yamllint | - | YamlLint | - |
💡 Use option -f parsable. | |||
yoctocli | | Yocto Scanner | - |
💡 Use commandline bitbake <your product image>, add INHERIT += "cve-check" in your local.conf, see Yocto Scanner for usage details. | |||
zptlint | - | ZPT-Lint | - |
oelint-adv | - | oelint-adv | - |
pnpm-audit | | pnpm Audit | - |
💡 Use commandline pnpm audit --json > pnpm-audit.json, see pnpm audit for usage details. | |||