SARIF (LDRA, Polyspace, Coverity, Semgrep, CodeQL) Integration
Static-analysis tools are often the source of truth for whether a safety requirement is met at the code level. Roboticks ingests SARIF 2.1.0 output from any tool that emits it — commercial (LDRA, Polyspace, Coverity) or OSS (Semgrep, CodeQL, cppcheck, clang-tidy, Bandit) — and bundles the findings into the same per-release evidence pack as your dynamic-test results.
Features
- SARIF 2.1.0 — the format LDRA, Polyspace, Coverity, Semgrep, CodeQL, cppcheck all emit
- Findings shown in matrix with severity, ruleId, source file:line
- Suppressions tracked across runs (no re-triage on every PR)
- Bundled into evidence pack ZIP for audit handoff
- OSS tools bundled in paid tiers; commercial BYO connectors itemized
Getting Started
1. Run your static-analysis tool
   In your existing CI step, emit SARIF output. Most tools support --output-format=sarif or equivalent.
2. Upload as a test artifact
   From the same CI job that runs colcon test, attach the SARIF file via the rbtk CLI: rbtk sarif upload analysis.sarif.
3. Review in the dashboard
   Findings appear in the Test Run page alongside JUnit results. Suppress noise in-UI; suppressions persist across runs.
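To see what a SARIF 2.1.0 consumer has to extract to populate a severity / ruleId / file:line view and to keep suppressions stable across runs, here is an added Python example (not Roboticks' code). The SARIF document, rule ids and fingerprint key are constructed; the fallback key (ruleId|uri|line) is an assumption about how to identify a finding when the tool emits no partialFingerprints.

```python
import json
from dataclasses import dataclass

# Constructed SARIF 2.1.0 document with two results, standing in for real tool output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleTool", "rules": [
            {"id": "RULE-A", "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "RULE-A",                      # no result-level 'level': inherit rule default
             "message": {"text": "return value discarded"},
             "partialFingerprints": {"primaryLocationLineHash": "abc123"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/motor.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "RULE-B", "level": "error",   # explicit level, no fingerprint
             "message": {"text": "unchecked buffer length"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/cmd.c"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    key: str   # identity used to match a suppression from an earlier run

def parse_sarif(text):
    """Flatten a SARIF 2.1.0 log into Finding records."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rid = res.get("ruleId", "")
            # SARIF: result.level, else the rule's defaultConfiguration.level, else "warning".
            level = res.get("level") or rules.get(rid, {}).get("defaultConfiguration", {}).get("level", "warning")
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            # Prefer a tool-supplied fingerprint (survives line shifts); fall back to rule|file|line.
            key = res.get("partialFingerprints", {}).get("primaryLocationLineHash") or f"{rid}|{uri}|{line}"
            findings.append(Finding(rid, level, uri, line, key))
    return findings

def unsuppressed(findings, suppressed_keys):
    """Drop findings whose key was suppressed in a previous run."""
    return [f for f in findings if f.key not in suppressed_keys]
```

A finding without a tool fingerprint changes key whenever its line moves, so it will reappear for triage after unrelated edits to the same file.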