# SARIF reports

You can import [Static Analysis Results Interchange Format (SARIF)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) reports into SonarQube Server. The issues will be taken into account by SonarQube Server in the analysis report, but the rules corresponding to these issues will not be visible on the **Rules** page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool.

## Import process <a href="#import-process" id="import-process"></a>

SonarQube Server manages the import of a SARIF issue as follows:

* It assigns the `CONVENTIONAL` code quality attribute and the `SECURITY` software quality to the issue.
* It manages the issue’s impact level on the software quality (security) as follows:
  * If a SARIF `severity` field is provided at the rule level for the issue (see the `defaultConfiguration.level` fields under optional fields below), the mapping below is used to retrieve the corresponding impact level.

{% tabs %}
{% tab title="MULTI-QUALITY RULE MODE" %}

| **Severity field in SARIF 2.1.0** | **Impact level in SonarQube Server** |
| --------------------------------- | ------------------------------------ |
| error                             | HIGH                                 |
| warning                           | MEDIUM                               |
| note                              | LOW                                  |
| none                              | LOW                                  |

* Otherwise, the default MEDIUM impact level is applied.
{% endtab %}

{% tab title="STANDARD EXPERIENCE" %}

| **Severity field in SARIF 2.1.0** | **Impact level in SonarQube Server** |
| --------------------------------- | ------------------------------------ |
| error                             | CRITICAL                             |
| warning                           | MAJOR                                |
| note                              | MINOR                                |
| none                              | LOW                                  |

* Otherwise, the default MAJOR impact level is applied.
{% endtab %}
{% endtabs %}

See [software-qualities](https://docs.sonarsource.com/sonarqube-server/10.8/core-concepts/software-qualities "mention") for details about the code quality concepts mentioned above.

## Setting up the import <a href="#setting-up" id="setting-up"></a>

To set up the import of SARIF reports into SonarQube Server:

1. Prepare your SARIF report files according to the import file specifications below.
2. On the scanner side, use the [analysis-parameters](https://docs.sonarsource.com/sonarqube-server/10.8/analyzing-source-code/analysis-parameters "mention") `sonar.sarifReportPaths` to define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths.

## Import file specifications <a href="#import-file-specifications" id="import-file-specifications"></a>

The SARIF files must:

* Be encoded in UTF-8.
* Comply with the [official SARIF format, version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html).

### Mandatory fields <a href="#mandatory-fields" id="mandatory-fields"></a>

| **Field**                       | **Description**                                                           |
| ------------------------------- | ------------------------------------------------------------------------- |
| `version`                       | Must be set to "2.1.0".                                                   |
| `runs[].tool.driver.name`       | Name of the tool that created the report.                                 |
| `runs[].results[].message.text` | Message of the external issue.                                            |
| `runs[].results[].ruleId`       | Identifier of the corresponding rule in the tool that created the report. |

{% hint style="info" %}
If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).
{% endhint %}

### Optional fields <a href="#optional-fields" id="optional-fields"></a>

| **Field**                                                              | **Description**                                                                                                                                                                                                                                                                                                                                                     |
| ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `runs[].results[].locations[]`                                         | SonarQube Server only uses the first item in the array. It must be a physical location.                                                                                                                                                                                                                                                                             |
| `physicalLocation.artifactLocation.uri`                                | <p>Path of the file concerned by the issue.</p><p>If no location is defined, the issue is raised at the project level.</p>                                                                                                                                                                                                                                          |
| `physicalLocation.region`                                              | <p>Text range concerned by the issue. It is defined by the following fields:</p><p>• startLine</p><p>• startColumn (optional)</p><p>• endLine (optional)</p><p>• endColumn (optional)</p><p>If <code>startColumn</code>, <code>endLine</code>, <code>endColumn</code> are not specified, SonarQube Server automatically retrieves the full coordinates of the line.</p> |
| `sarifLog.runs[].tool.driver.rules[].defaultConfiguration.level`       | SonarQube Server uses this field to determine the issue’s impact level on security.                                                                                                                                                                                                                                                                                 |
| `sarifLog.runs[].tool.extensions[].rules[].defaultConfiguration.level` | <p>SonarQube Server uses this field to determine the issue’s impact level on security if the driver field above is not used.</p><p><strong>Note:</strong> When providing rules from the <code>extensions</code> object, the import will fail if there is no <code>rules</code> object in the <code>driver</code>.</p>                                               |

{% hint style="warning" %}
The `sarifLog.runs[].results[].level` field, which defines the issue’s severity, will be ignored by SonarQube Server.
{% endhint %}

### Import file example <a href="#import-file-example" id="import-file-example"></a>

```json
{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
```
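The following pre-flight checker is an added example, not SonarSource code. It applies the rules stated in the import process and import file specifications sections above to a report before it is handed to `sonar.sarifReportPaths`: the mandatory fields, the rule-level `defaultConfiguration.level` lookup (driver rules first, then extensions), the severity-to-impact mapping for both modes, the fact that `results[].level` is ignored, the first-location-only rule, and the failure when extensions provide rules but the driver has no `rules` object. The field names and mapping tables come from this page; the function names, the mode labels `multi-quality` and `standard`, and the sample report are this example's own constructions.

```python
"""Pre-flight checker for SARIF 2.1.0 reports destined for SonarQube Server.
Added example (not SonarSource code); it encodes the rules stated on the
documentation page. Function names and the sample report are constructed."""
import json

# Severity-to-impact mapping from the page, keyed by a constructed mode label.
IMPACT_MAP = {
    "multi-quality": {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"},
    "standard": {"error": "CRITICAL", "warning": "MAJOR", "note": "MINOR", "none": "LOW"},
}
DEFAULT_IMPACT = {"multi-quality": "MEDIUM", "standard": "MAJOR"}


def check_mandatory_fields(report):
    """Return a list of problems; empty means SonarQube would not ignore the
    report for a missing mandatory field or a broken extensions/driver setup."""
    problems = []
    if report.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = report.get("runs")
    if not isinstance(runs, list):
        return problems + ["runs[] is missing"]
    for ri, run in enumerate(runs):
        tool = run.get("tool", {})
        driver = tool.get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{ri}].tool.driver.name is missing")
        # Rules supplied via extensions require a rules object in the driver.
        if any(ext.get("rules") for ext in tool.get("extensions", [])) and "rules" not in driver:
            problems.append(f"runs[{ri}]: extensions provide rules but driver has no rules object")
        for xi, result in enumerate(run.get("results", [])):
            if not result.get("message", {}).get("text"):
                problems.append(f"runs[{ri}].results[{xi}].message.text is missing")
            if not result.get("ruleId"):
                problems.append(f"runs[{ri}].results[{xi}].ruleId is missing")
    return problems


def rule_level(run, rule_id):
    """defaultConfiguration.level for rule_id: driver rules first, then
    extensions rules. None when no rule entry declares a level."""
    tool = run.get("tool", {})
    rule_sets = [tool.get("driver", {}).get("rules", [])]
    rule_sets += [ext.get("rules", []) for ext in tool.get("extensions", [])]
    for rules in rule_sets:
        for rule in rules:
            if rule.get("id") == rule_id:
                return rule.get("defaultConfiguration", {}).get("level")
    return None


def impact_level(run, result, mode="multi-quality"):
    """Impact SonarQube assigns; results[].level is not consulted (ignored)."""
    return IMPACT_MAP[mode].get(rule_level(run, result.get("ruleId")), DEFAULT_IMPACT[mode])


def issue_location(result):
    """(uri, startLine) of the first location only; None means project level."""
    locations = result.get("locations") or []
    if not locations:
        return None
    phys = locations[0].get("physicalLocation", {})
    return (phys.get("artifactLocation", {}).get("uri"), phys.get("region", {}).get("startLine"))


def summarize(report, mode="multi-quality"):
    """Return (problems, [(ruleId, impact, location), ...]) for a report."""
    rows = [(r.get("ruleId"), impact_level(run, r, mode), issue_location(r))
            for run in report.get("runs", []) for r in run.get("results", [])]
    return check_mandatory_fields(report), rows


# Constructed sample report: one rule declared in the driver, one in an
# extension, one result referencing no rule entry, one result without location.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {
            "driver": {"name": "example-linter",
                       "rules": [{"id": "no-unused-vars", "defaultConfiguration": {"level": "error"}}]},
            "extensions": [{"name": "example-plugin",
                            "rules": [{"id": "ext-rule", "defaultConfiguration": {"level": "note"}}]}],
        },
        "results": [
            {"ruleId": "no-unused-vars", "level": "warning",  # results[].level is ignored
             "message": {"text": "'x' is assigned a value but never used."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "undeclared-rule",
             "message": {"text": "No rule entry, so the default impact applies."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                                                 "region": {"startLine": 30, "startColumn": 3}}}]},
            {"ruleId": "ext-rule", "message": {"text": "No location: raised at project level."}},
        ],
    }],
}

if __name__ == "__main__":
    import sys
    report = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_REPORT
    problems, rows = summarize(report)
    for p in problems:
        print("PROBLEM:", p)
    for rule_id, impact, loc in rows:
        print(f"{rule_id}: {impact} at {loc or 'project level'}")
```

Run it with a report path to check a real file before analysis, or without arguments to see the constructed sample, where the first result maps to HIGH from the driver rule (its own `warning` level being ignored), the second falls back to the default MEDIUM, and the third takes LOW from the extension rule and is raised at project level.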
