How does OFF relate to SARIF?

[davewichers]

Seems like this effort is very similar to: https://github.com/sarif-standard

Static Analysis Results Interchange Format (SARIF) - A proposed standard for the output format of static analysis tools.

Maybe join forces with, or simply work on that instead? Ideally, the format would support results from any type of appsec tool, not just static (e.g., SAST, DAST, IAST, and SCA (known CVEs in libraries)).

[mkonda]

Interesting project. Thanks for the pointer, it was not on my radar.

The idea with OFF was to be able to support any kind of findings and to have a lightweight way to standardize the idea of a "finding". We also built simple tools around this (eg. crush and fkit).

The sarif schema is fairly specific to static analysis with its focus on attachments and coding areas.

I'd certainly be open to discussing overlaps more but at a glance it doesn't seem to be easily merged.

I need to do a better job with the documentation here and the way the tooling works in practice around it.

[ig596]

Actually SARIF is starting to incorporate DAST findings to be a one stop shop format and is already leveraged by a number of companies if they wish to integrate with GitHub. Definitely recommend trying to help out there over reinventing the wheel.