Importing issues from SARIF reports

SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.

The imported SARIF files must comply with the official SARIF format, version 2.1.0.


The analysis parameter sonar.sarifReportPaths accepts a comma-delimited list of paths to SARIF reports. The reports must be UTF-8 file encoded.

Mandatory fields for SonarQube:

  • version: Must be “2.1.0”
  • runs[].tool.driver.name: Name of the tool that created the report
  • runs[].results[].message.text: Message of the external issue
  • runs[].results[].ruleId: ID of the corresponding rule in the tool that created the report 
  • runs[].results[].locations[]: SonarQube only uses the first item in the array. Must be a physical location
    • physicalLocation.artifactLocation.uri: Path of the file concerned by the issue
    • physicalLocation.region: Text range concerned by the issue, defined by the following fields:
      • startLine
      • startColumn (optional)
      • endLine (optional)
      • endColumn (optional)

If startColumn, endLine, endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line. 

Optional fields: 

  • sarifLog.runs[].results[].level - severity of the issue. The following mapping applies:
    SARIF 2.1.0 level    SonarQube severity
    empty or null        major (default)

Example of a minimal SARIF report that satisfies the mandatory fields (one run, one result with a physical location):

  {
    "version": "2.1.0",
    "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
    "runs": [
      {
        "tool": {
          "driver": {
            "name": "a test linter",
            "informationUri": "https://www….",
            "version": "8.27.0"
          }
        },
        "results": [
          {
            "level": "error",
            "message": {
              "text": "'toto' is assigned a value but never used."
            },
            "locations": [
              {
                "physicalLocation": {
                  "artifactLocation": {
                    "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                  },
                  "region": {
                    "startLine": 1,
                    "startColumn": 5,
                    "endLine": 1,
                    "endColumn": 9
                  }
                }
              }
            ],
            "ruleId": "no-unused-vars"
          }
        ]
      }
    ]
  }
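The following script is an added example, not part of the SonarQube documentation or product code. It checks a SARIF document against the mandatory fields listed above before you hand it to the scanner, and normalises each result the way the import reads it: only the first location is used, it must be a physical location, missing optional region fields are left unset so the server falls back to the full line, and an empty or null level gets the default severity of major. The function names, the sample report and the report-path splitting helper are this example's own; only the field paths and the default severity come from the page.

```python
import json
import sys

# Constructed sample report: two results, the second without a level and
# without the optional region fields, to exercise the defaults.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "a test linter"}},
        "results": [
            {"level": "error", "ruleId": "no-unused-vars",
             "message": {"text": "'toto' is assigned a value but never used."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/simple-file.js"},
                 "region": {"startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9}}}]},
            {"ruleId": "no-console",
             "message": {"text": "Unexpected console statement."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/other.js"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
}


def split_report_paths(param):
    """Split a comma-delimited sonar.sarifReportPaths value into individual paths."""
    return [p.strip() for p in param.split(",") if p.strip()]


def load_report(path):
    """Read one SARIF file; the import requires UTF-8, so decode strictly."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def validate_report(report):
    """Return a list of problems with the mandatory fields; an empty list means OK."""
    problems = []
    if report.get("version") != "2.1.0":
        problems.append("version must be '2.1.0', got %r" % (report.get("version"),))
    runs = report.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs[] is missing or empty"]
    for ri, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append("runs[%d].tool.driver.name is missing" % ri)
        for xi, res in enumerate(run.get("results", [])):
            where = "runs[%d].results[%d]" % (ri, xi)
            if not res.get("ruleId"):
                problems.append(where + ".ruleId is missing")
            if not res.get("message", {}).get("text"):
                problems.append(where + ".message.text is missing")
            locs = res.get("locations")
            if not locs:
                problems.append(where + ".locations[] is missing or empty")
                continue
            phys = locs[0].get("physicalLocation")  # only the first location counts
            if not phys:
                problems.append(where + ".locations[0] is not a physical location")
                continue
            if not phys.get("artifactLocation", {}).get("uri"):
                problems.append(where + ".locations[0].physicalLocation.artifactLocation.uri is missing")
            if "startLine" not in phys.get("region", {}):
                problems.append(where + ".locations[0].physicalLocation.region.startLine is missing")
    return problems


def extract_issues(report):
    """Normalise results as the import reads them. Optional region fields stay None
    (the server then uses the whole line); an empty/null level becomes 'major'.
    Other level values are left as None here because only the default row of the
    level-to-severity table is shown on this page."""
    issues = []
    for run in report["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run["results"]:
            phys = res["locations"][0]["physicalLocation"]
            region = phys["region"]
            level = res.get("level")
            issues.append({
                "tool": tool, "ruleId": res["ruleId"], "message": res["message"]["text"],
                "uri": phys["artifactLocation"]["uri"],
                "startLine": region["startLine"], "startColumn": region.get("startColumn"),
                "endLine": region.get("endLine"), "endColumn": region.get("endColumn"),
                "level": level, "severity": "major" if not level else None,
            })
    return issues


if __name__ == "__main__":
    # Usage: python check_sarif.py "report1.sarif,report2.sarif" (falls back to the sample)
    reports = [load_report(p) for p in split_report_paths(sys.argv[1])] if len(sys.argv) > 1 else [SAMPLE_REPORT]
    for rep in reports:
        for problem in validate_report(rep) or ["OK: %d issue(s)" % len(extract_issues(rep))]:
            print(problem)
```

Running the check in CI before sonar-scanner is invoked with -Dsonar.sarifReportPaths=... turns a silently skipped or partially imported report into a visible failure, which is easier to notice than missing issues on the dashboard.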


There are a couple of limitations with importing SARIF issues:

  • You can't manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
  • You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.
