docs(report): Improve SARIF reporting doc (#7655)

aquasecurity · Oct 7, 2024 · ab3a3b2 · ab3a3b2
1 parent 2c87f0c
commit ab3a3b2
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md
@@ -5,7 +5,7 @@ Trivy supports the following formats:
 
 - Table
 - JSON
-- [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
+- [SARIF][sarif-home]
 - Template
 - SBOM
 - GitHub dependency snapshot
@@ -252,13 +252,15 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 |      Secret      |     ✓     |
 |     License      |     ✓     |
 
-[SARIF][sarif] can be generated with the `--format sarif` flag.
+[SARIF][sarif-home] (Static Analysis Results Interchange Format) complying with [SARIF 2.1.0 OASIS standard][sarif-spec] can be generated with the `--format sarif` flag.
 
 ```
 $ trivy image --format sarif -o report.sarif  golang:1.12-alpine
 ```
 
-This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
+This SARIF file can be uploaded to several platforms, including:
+- [GitHub code scanning results][sarif-github], and there is a [Trivy GitHub Action][action] for automating this process;
+- [SonarQube][sarif-sonar].
 
 ### GitHub dependency snapshot
 Trivy supports the following packages.
@@ -430,7 +432,10 @@ $ trivy convert --format table --severity CRITICAL result.json
 [cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: ../../tutorials/integrations/aws-security-hub.md
-[sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
+[sarif-home]: https://sarifweb.azurewebsites.net
+[sarif-spec]: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+[sarif-github]: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning
+[sarif-sonar]: https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/importing-issues-from-sarif-reports/
 [sprig]: http://masterminds.github.io/sprig/
 [github-sbom]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#about-dependency-submissions
 [github-sbom-submit]: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
@@ -450,4 +455,4 @@ $ trivy convert --format table --severity CRITICAL result.json
 [gradle-lockfile]: ../coverage/language/java.md#gradlelock
 [sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
-[cargo-binaries]: ../coverage/language/rust.md#binaries
+[cargo-binaries]: ../coverage/language/rust.md#binaries