SUPPORTED-FORMATS.md

Supported Report Formats

The static analysis model supports the following report formats.

If your tool is not yet supported you can

1. export the issues of your tool to the native XML or JSON format (or any other format).
2. provide a pull request with a new parser.

If your tool is supported, but some properties are missing (icon, URL, etc.), please file a pull request.

ID	Icons	Name	Default Pattern
acu-cobol	-	AcuCobol	-
gnat	-	Ada Compiler (gnat)	-
android-lint	-	Android Lint	-
💡 Use the flag -p.
ansible-later		Ansible Later	-
💡 Use -p flag.
ansiblelint		Ansible Lint	-
💡 Use the flag -p.
scannercli		Aqua Scanner	-
💡 Use commandline scannercli scan 'image' --jsonfile results.json, see Aqua Scanner CLI for usage details.
trivy		Aquasec Trivy	-
💡 Use commandline trivy image -f json -o results.json 'image', see tivy on Github for usage details.
armcc	-	Armcc Compiler	-
aspectj	-	AspectJ	-
bandit		Bandit	-
bluepearl	-	Blue Pearl Visual Verification Suite	-
brakeman	-	Brakeman	**/brakeman-output.json
💡 Reads Brakeman JSON reports. Use commandline brakeman -o brakeman-output.json output. See Brakeman documentation for usage details.
buckminster	-	Buckminster	-
ccm	-	CCM	-
cmake		CMake	-
cpd	-	CPD	**/cpd.xml
cppcheck	-	CPPCheck	-
💡 Use options --xml --xml-version=2
csslint	-	CSS-Lint	-
cadence	-	Cadence Incisive	-
cargo	-	Cargo Check	-
💡 Use commandline cargo check --message-format json
clippy	-	Cargo Clippy	-
checkstyle		CheckStyle	**/checkstyle-result.xml
clair	-	Clair Scanner	-
💡 Reads Clair json data. Use commandline clair-scanner --report="/target/clair.json" output. See clair-scanner on Github for usage details.
clang	-	Clang	-
clang-analyzer	-	Clang Analyzer	-
💡 Use options --analyze --analyzer-output plist-multi-file
clang-tidy	-	Clang-Tidy	-
code-analysis	-	Code Analysis	-
code-climate	-	Code Climate	-
code-generator	-	Code Generator Tool	-
code-checker	-	CodeChecker	-
codenarc	-	CodeNarc	-
coolflux	-	Coolflux DSP Compiler	-
coverity	-	Coverity Scan	-
cpplint	-	Cpplint	-
💡 You need to use the Eclipse format with the option --output=eclipse
crosscore-embedded-studio	-	CrossCore Embedded Studio (CCES)	-
dscanner	-	DScanner	**/dscanner-report.json
dart	-	Dart Analyze	-
detekt	-	Detekt	-
💡 Use option --output-format xml.
docfx	-	DocFX	-
dockerlint	-	Dockerfile Lint	-
💡 Use commandline dockerfile_lint -j output. See dockerfile_lint on Github for usage details.
doxygen		Doxygen	-
💡 Execute doxygen:As shell command ( cat Doxyfile; echo WARN_FORMAT='$file:$line: $text' ) | doxygen -As batch command ( type Doxyfile & echo WARN_FORMAT='$file:$line: $text' ) | doxygen -
dr-memory	-	Dr. Memory	-
eslint		ESLint	-
💡 Use option --format checkstyle.
eclipse	-	Eclipse ECJ	-
💡 Create an output file that contains Eclipse ECJ output, in either XML or text format. To log in XML format, specify ".xml" as the file extension to the -log argument: java -jar ecj.jar -log <logfile>.xml <other arguments> To log in text format, specify any file extension except ".xml" to the -log argument: java -jar ecj.jar -log <logfile>.log <other arguments>
embedded-engineer	-	Embedded Engineer Tool	-
erlc	-	Erlang Compiler (erlc)	-
error-prone	-	Error Prone	-
findbugs	-	FindBugs	**/findbugsXml.xml
flake8	-	Flake8	-
💡 Run flake8 as flake8 --format=pylint
flawfinder	-	FlawFinder	-
💡 Use commandline flawfinder -S.
flex	-	Flex SDK Compiler	-
flow		Flow	-
foodcritic		Foodcritic	-
fxcop	-	FxCop	-
ghs-multi	-	GHS Multi Compiler	-
gcc	-	GNU C Compiler (gcc)	-
gcc3	-	GNU C Compiler 3 (gcc)	-
fortran	-	GNU Fortran Compiler	-
gendarme	-	Gendarme	-
golint	-	Go Lint	-
go-vet	-	Go Vet	-
grype		Grype	**/grype-report.json
hadolint	-	HadoLint	-
💡 Use commandline hadolint --format json Dockerfile output. See hadolint on Github for usage details.
iar-cstat	-	IAR C-STAT	-
💡 The IAR C-STAT static analysis tool finds potential issues in code by doing an analysis on the source code level. Use the following icstat command to generate the output on stdout in the correct format: icstat --db a.db --checks checks.ch commands commands.txt where the commands.txt contains: analyze - iccxxxxcompiler_opts cstat1.c analyze - iccxxxxcompiler_opts cstat2.c For details check the IAR C-STAT guide.
iar	-	IAR Compiler (C/C++)	-
💡 The IAR compilers need to be started with option --no_wrap_diagnostics. Then the IAR compilers will create single-line warnings.
xlc	-	IBM XLC Compiler	-
iblinter	-	IbLinter	-
💡 Use configuration reporter: \”checkstyle\”.
infer		Infer	-
💡 Use option --pmd-xml.
intel	-	Intel Compiler (C, Fortran)	-
idea	-	IntelliJ IDEA Inspections	-
jc-report	-	JCReport	-
jslint	-	JSLint	-
junit	-	JUnit	-
java	-	Java Compiler	-
javadoc-warnings	-	JavaDoc	-
js-hint	-	JsHint	-
klocwork	-	Klocwork	-
kotlin	-	Kotlin	-
ktlint	-	KtLint	-
💡 Use option --reporter=checkstyle.
msbuild	-	MSBuild	-
maven-warnings	-	Maven	-
taglist	-	Maven Taglist Plugin	**/taglist.xml
modelsim	-	Mentor Graphics Modelsim/Questa Simulators	-
metrowerks	-	Metrowerks CodeWarrior Compiler	-
💡 Ensure that the output from the CodeWarrior build tools is in the expected format. If there are warnings present, but they are not found, then it is likely that the format is incorrect. The mwccarm compiler and mwldarm linker tools may support a configurable message style. This can be used to enforce the expected output format, which may be different from Metrowerks CodeWarrior (and thus require a different tool). For example the following could be appended to the build flags: -msgstyle gcc -nowraplines
mypy	-	MyPy	-
nag-fortran	-	NAG Fortran Compiler	-
native	-	Native Analysis Model Format	-
💡 Create an output file that contains issues in the native analysis-model format, in either XML or JSON. The parser is even capable of reading individual lines of a log file that contains issues in JSON format.
ot-docker-linter	-	OT Docker Linter	-
💡 Use commandline ot-docker-linter audit --docker.file Dockerfile -o json output. See ot-docker-linter on Github for usage details.
owasp-dependency-check		OWASP Dependency Check	**/dependency-check-report.json
invalids	-	Oracle Invalids	-
pclint	-	PC-Lint Tool	-
💡 Use the following PC-Lint properties to create an output file in the correct format: -v // turn off verbosity -width(0) // don't insert line breaks (unlimited output width) -"format=%f(%l): %t %n: %m" -hs1 // The height of a message should be 1
pep8	-	PEP8	-
php	-	PHP Runtime	-
phpstan	-	PHPStan	-
💡 Use the options: --no-progress --error-format checkstyle
php-code-sniffer	-	PHP_CodeSniffer	-
💡 Use option --report=checkstyle.
pit		PIT	**/mutations.xml
pmd		PMD	**/pmd.xml
prefast	-	PREfast	-
pvs-studio	-	PVS-Studio	**/*.plog
perforce	-	Perforce Compiler	-
perl-critic	-	Perl::Critic	-
polyspace-parser	-	Polyspace Tool	-
💡 Reads reports of Polyspace Static Analysis Tool by MathWorks. Used for BugFinder and CodeProver result files. Report can be generated with command: polyspace-results-export -format csv -results-dir -output-name -key
protolint	-	ProtoLint	-
💡 Use protolint with options -reporter=json -output_file=protolint-report.json, see protoLint CLI options for usage details.
puppetlint	-	Puppet Lint	-
💡 You will need a recent enough version that supports --log-format flag. When running puppet-lint, make sure you use the log format %{path}:%{line}:%{check}:%{KIND}:%{message}. Complete example: find. -iname *.pp -exec puppet-lint --log-format "%{path}:%{line}:%{check}:%{KIND}:%{message}" {} \;
pydocstyle	-	PyDocStyle	-
pylint	-	Pylint	-
💡 Start Pylint using this custom message template (can also be configured via a pylintrc configuration file): pylint --msg-template='{path}:{line}: [{msg_id}, {obj}] {msg} ({symbol})' modules_or_packages > pylint.log
qac	-	QA-C Sourcecode Analyser	-
qt-translation	-	Qt translations	-
💡 Reads translation files of Qt, which are created by "lupdate" or "Linguist".
dupfinder	-	Resharper DupFinder	-
resharper	-	Resharper Inspections	-
revapi	-	Revapi	**/target/revapi-result.json
robocopy	-	Robocopy	-
rflint	-	Robot Framework Lint	-
rubocop	-	Rubocop	-
💡 Use commandline rubocop --format progress.
sarif	-	SARIF	-
sunc	-	SUN C++ Compiler	-
scala	-	Scala Compiler	-
semgrep		Semgrep	-
💡 Use --json
simian	-	Simian	-
simulink-check-parser	-	Simulink Check Tool	-
💡 Reads and Parses HTML reports of Simulink Check Tool by MathWorks. Report can be generated with command: ModelAdvisor.summaryReport(ModelAdvisor.run(, , , ))
sonar	-	SonarQube Issues	**/sonar-report.json
sphinx	-	Sphinx Build	-
spotbugs		SpotBugs	**/spotbugsXml.xml
stylecop	-	StyleCop	-
stylelint		Stylelint	-
💡 Requires stylelint-checkstyle-reporter. Use --custom-formatter node_modules/stylelint-checkstyle-reporter/index.js -o stylelint-warnings.xml
swiftlint	-	SwiftLint	-
💡 Use configuration reporter: \”checkstyle\”.
tasking-vx	-	TASKING VX Compiler	-
tnsdl	-	TNSDL Translator	-
tslint	-	TSLint	-
💡 Use option --format checkstyle.
code-composer	-	Texas Instruments Code Composer Studio	-
valgrind		Valgrind	-
💡 Use options --xml=yes --xml-file=valgrind_report.xml --child-silent-after-fork=yes, see the Valgrind User Manual for usage details.
veracode-pipeline-scanner		Veracode Pipeline Scanner	-
💡 Use commandline java -jar pipeline-scan.jar --json_output=true --json_output_file=results.json, see Veracode Pipeline Scanner for usage details.
diabc	-	Wind River Diab Compiler (C/C++)	-
xmllint	-	XML-Lint	-
yui	-	YUI Compressor	-
yamllint	-	YamlLint	-
💡 Use option -f parsable.
yoctocli		Yocto Scanner	-
💡 Use commandline bitbake <your product image>, add INHERIT += "cve-check" in your local.conf Yocto Scanner for usage details.
zptlint	-	ZPT-Lint	-
oelint-adv	-	oelint-adv	-
pnpm-audit		pnpm Audit	-
💡 Use commandline pnpm audit --json > pnpm-audit.json, see pnpm audit for usage details.