Snapp Mobile Engineering and Design Blog

Uploading SARIF Reports to GitHub

Enrique López-Mañas · Published in Snapp Mobile · Oct 23, 2024

Recently I wanted to add Lint reports to a repository on GitHub. The goal is to report potential Lint violations when new code is committed, to make sure that all the committed code is lint-warning-free and pretty.

My first idea was to look for a GitHub action that could run ./gradlew lint and report it as a PR comment. After asking about ideas in the Android Study Group, Carter Jernigan and Justin Brooks suggested that I upload the SARIF files directly into GitHub. I wasn’t aware this was possible.

What is a SARIF file?

SARIF is a standardized JSON format for representing the results of static analysis. It contains metadata about the static analysis tool that created the report, the active rules, and the violations found. This is an excerpt from a SARIF file representing a Lint violation (in this case, a project that is not targeting the latest Android version):

By default, the output of ./gradlew lint does not include a report in SARIF format, but this can easily be added with the following block in a Gradle file:
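The following is an added example (not the author's own Gradle snippet) of the setting in question, written for a module's `build.gradle.kts` with the Android Gradle Plugin's `lint {}` block. The `sarifReport` and `abortOnError` properties exist in AGP 7.0 and later; the output path given in the comment is the usual default and is an assumption for older or customised builds.

```kotlin
// Added example: enable SARIF output from Android Lint in build.gradle.kts.
// Groovy DSL equivalent: lint { sarifReport true }
android {
    lint {
        // Writes build/reports/lint-results-<variant>.sarif next to the HTML/XML reports.
        sarifReport = true
        // Optional: let the build finish so the report is produced even when Lint finds errors;
        // the CI job can then fail on the uploaded findings instead of on the Gradle task.
        abortOnError = false
    }
}
```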

After adding and syncing this line, running Lint will generate a report in SARIF format:

One more problem that we may find here is that, if we have a multi-module project, this results in several SARIF files that we need to merge and unify. This can easily be done via a GitHub action, which merges and uploads the SARIF files:
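As an added example that is not part of the original post or the author's workflow, the script below does the merge step in Python: it parses each per-module SARIF file, checks that it really is a SARIF 2.1.0 log, concatenates the `runs` arrays into one document, and summarizes the findings by severity. The two embedded reports are constructed samples that mimic the shape of the excerpt discussed above; the rule ids, messages and file paths are illustrative and not taken from a real Lint run.

```python
"""Merge several SARIF 2.1.0 files into one and summarize the findings (added example).

Merging concatenates each file's ``runs``, which keeps every run's own ``tool.driver``
(and so its rule table and the ``ruleIndex`` references in its results) intact.
Moving ``results`` between runs would silently break those references.
"""
import json
import sys
from collections import Counter
from pathlib import Path

SARIF_VERSION = "2.1.0"

# Constructed sample reports standing in for the per-module
# build/reports/lint-results-*.sarif files of a multi-module project.
SAMPLE_APP = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {"name": "Android Lint", "rules": [
            {"id": "OldTargetApi",
             "shortDescription": {"text": "Target SDK is not the latest version"}}]}},
        "results": [{
            "ruleId": "OldTargetApi", "ruleIndex": 0, "level": "warning",
            "message": {"text": "Not targeting the latest versions of Android"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/build.gradle.kts"},
                "region": {"startLine": 12}}}]}]}],
})
SAMPLE_CORE = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {"name": "Android Lint", "rules": [
            {"id": "HardcodedText", "shortDescription": {"text": "Hardcoded text"}}]}},
        "results": [{
            "ruleId": "HardcodedText", "ruleIndex": 0, "level": "error",
            "message": {"text": "Hardcoded string \"Hello\", should use @string resource"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "core/src/main/res/layout/view.xml"},
                "region": {"startLine": 7}}}]}]}],
})


def load_sarif(text: str) -> dict:
    """Parse one SARIF document; reject anything that is not a 2.1.0 log with a runs array."""
    doc = json.loads(text)
    if doc.get("version") != SARIF_VERSION or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF %s document with a 'runs' array" % SARIF_VERSION)
    return doc


def merge_sarif(docs: list) -> dict:
    """Combine several SARIF logs into one by concatenating their runs."""
    if not docs:
        raise ValueError("nothing to merge")
    merged = {"$schema": docs[0].get("$schema"), "version": SARIF_VERSION, "runs": []}
    for doc in docs:
        merged["runs"].extend(doc["runs"])
    return merged


def summarize(doc: dict) -> dict:
    """Count results per level across all runs; a missing level means 'warning' in SARIF."""
    counts = Counter()
    for run in doc["runs"]:
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return dict(counts)


def findings(doc: dict) -> list:
    """Flatten results into (ruleId, file uri, start line) tuples for a quick review."""
    out = []
    for run in doc["runs"]:
        for result in run.get("results", []):
            loc = result.get("locations", [{}])[0].get("physicalLocation", {})
            out.append((result.get("ruleId"),
                        loc.get("artifactLocation", {}).get("uri"),
                        loc.get("region", {}).get("startLine")))
    return out


def main(argv: list) -> int:
    """Usage: merge_sarif.py OUT.sarif IN1.sarif IN2.sarif ...  (no args: run on the samples)."""
    if len(argv) >= 3:
        merged = merge_sarif([load_sarif(Path(p).read_text()) for p in argv[2:]])
        Path(argv[1]).write_text(json.dumps(merged, indent=2))
    else:
        merged = merge_sarif([load_sarif(SAMPLE_APP), load_sarif(SAMPLE_CORE)])
    print("runs:", len(merged["runs"]), "levels:", summarize(merged))
    for rule, uri, line in findings(merged):
        print(f"  {rule}: {uri}:{line}")
    # Non-zero exit when any error-level finding is present, so a CI step can gate on it.
    return 1 if summarize(merged).get("error") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would run as a step after `./gradlew lint`, and the merged file would then be handed to `github/codeql-action/upload-sarif` through its `sarif_file` input; that upload needs the job to have the `security-events: write` permission on the workflow token, which is worth checking first when the findings do not show up under Code scanning.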

Finally, GitHub will now post Lint violations on every PR, which you can check while reviewing it:

The Code scanning section in GitHub will then be activated, and all the current Lint violations will be listed under https://github.com/ORG/REPO/security/code-scanning?query=pr%3A1406+is%3Aopen

This trick only works for open-source repositories, or those that use GitHub Advanced Security.

I share my thoughts about Software Engineering and life in general on my Mastodon account. If you have liked this article or if it did help you, feel free to share, 👏 it and/or leave a comment. This is the currency that fuels amateur writers.

Disclaimer: This article didn’t use Generative AI in its elaboration.

Written by Enrique López-Mañas

I learn, and then I do things with what I have learnt
