
Analyze Command

David Alcantar edited this page May 17, 2023 · 26 revisions

The Analyze command scans a source directory for potential issues, using a default or external set of rules. If the -O argument is provided, output will be written to the provided filename. If -O is not provided, DevSkim will output the scan report to stdout.

Syntax

Usage: devskim analyze [arguments] [options]

Arguments:
  -I, --source-code             Required. Path to a directory containing files to scan or a single file to scan.
  -O, --output-file             Optional. Filename for result file, uses stdout if not set.

Options:
  -r                            Comma separated list of paths to rules files to use.
  --rule-ids                    Comma separated list of rule IDs to limit analysis to.
  --ignore-rule-ids             Comma separated list of rule IDs to ignore.
  --languages                   Path to custom json formatted Language file to specify languages. 
                                When specified, --comments must also be specified.
  --comments                    Path to custom json formatted Comments file to specify comments. 
                                When specified, --languages must also be specified.
  -o, --output-format           Format for output text. (Default: %F:%L:%C:%l:%c [%S] %R %N) 
  -f, --file-format             Format type for output. [text|sarif] (Default: sarif) 
  -s, --severity                Comma-separated Severities to match. 
                                (Default: Critical, Important, Moderate, BestPractice, ManualReview) 
  --confidence                  Comma-separated Confidences to match. (Default: High, Medium) 
  -g, --ignore-globs            Comma-separated Globs for files to skip analyzing. (Default: **/.git/**, **/bin/**) 
  -d, --disable-suppression     Disable comment suppressions.
  --disable-parallel            Disable parallel processing.
  -i, --ignore-default-rules    Ignore default rules.
  --suppress-standard-error     Suppress output to stderr.
  -c, --crawl-archives          Analyze files contained inside of archives.
  -E                            Use exit code for number of issues. Negative on error.
  --base-path                   Specify what path to root result URIs in Sarif results with. When not set, 
                                will generate paths relative to the source directory (or directory containing
                                the source file specified).
  --absolute-path               Output absolute paths (overrides --base-path).
  --suppress-error              Don't output to stderr.
  --skip-git-ignored-files      Set to skip files which are ignored by .gitignore. Requires git to be installed.
  --skip-excerpts               Set to skip gathering excerpts and samples to include in the report.
  --help                        Display help information.
  --version                     Display version information.

Example

devskim analyze -I /home/user/myproject/src/

Custom Rules

To use custom rules, use the -r option to provide a comma separated list of either directories containing rule files, or individual rule files. To use only custom rules, you must specify --ignore-default-rules.

For languages that DevSkim does not natively support, you can add rules by providing custom languages.json and comments.json files. These files are always paired and must be provided together, or not at all.

Examples

# use default rules AND custom rules
devskim analyze -I /home/user/myproject -r /my/rules/directory,/my/other/rules

# use only custom rules
devskim analyze -I /home/user/myproject -r /my/rules/directory,/my/other/rules -i

# use custom languages and comments files (always provided as a pair)
devskim analyze -I /home/user/myproject -r /my/rules/directory \
    --languages /my/rules/directory/languages.json --comments /my/rules/directory/comments.json

Custom Severity

To look only for issues with particular severity (e.g. critical, important, etc.), use the -s|--severity option.

Example

devskim analyze -I /home/user/myproject --severity critical,important

Output File and Format

DevSkim scan results can be stored in text, json, and sarif file formats. The default format is Sarif.

# Scan and output Sarif (the default format)
devskim analyze -I /home/user/myproject -O results.sarif

# simple output to a file (text)
devskim analyze -I /home/user/myproject -O results.txt -f text

# simple output to a file (json)
devskim analyze -I /home/user/myproject -O results.json -f json

Custom Output Format

Text and JSON output formats can be customized with the -o|--output-format switch.

Text

# Output file name and rule ID
devskim analyze -I /home/user/myproject -O results.txt -f text -o "%F [%R]"

# Output file name, line and column, and rule name
devskim analyze -I /home/user/myproject -O results.txt -f text -o "%F:%L:%C - %N"

# Output into a .csv file
devskim analyze -I /home/user/myproject -O results.csv -f text -o "%F,%L,%C,%R"

JSON

When using the json format, the --output-format switch is used to specify the list of json object properties.

# Output file name and rule ID
devskim analyze -I /home/user/myproject -O results.json -f json -o %F%R

# Output file name, line and column, and rule name
devskim analyze -I /home/user/myproject -O results.json -f json -o %F%L%C%N

Exclude Files

Use the -g option to specify Glob patterns for identifying files to skip. Quote the pattern list so the shell does not expand the globs before DevSkim sees them.

devskim analyze -I /home/user/myproject -O results.sarif -f sarif -g '**/bin/**,**/obj/**,**/.git/**'
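The following is an added example, not code from DevSkim or this wiki: it wraps the command line documented above for use in a CI step, interprets the `-E` exit code, and summarises the SARIF report that `-O` writes. It uses only flags listed in the help text; the SARIF sample is constructed with placeholder rule IDs, and the choice to treat exit status 255 as an error is this example's assumption, explained in the code.

```python
"""Added example (not DevSkim's own code): build `devskim analyze` argv from the
documented options, interpret the -E exit status, and summarise the SARIF output."""
import json
import subprocess
from collections import Counter
from typing import Optional, Sequence


def build_analyze_command(
    source: str,
    output: Optional[str] = None,
    *,
    file_format: str = "sarif",
    severities: Optional[Sequence[str]] = None,
    ignore_globs: Optional[Sequence[str]] = None,
    rules: Optional[Sequence[str]] = None,
    ignore_default_rules: bool = False,
    exit_code_is_count: bool = True,
) -> list:
    """Return argv for `devskim analyze`. Lists are joined with commas, as the help
    text specifies for -r, -s and -g; because no shell is involved, globs such as
    `**/obj/**` reach DevSkim unexpanded."""
    argv = ["devskim", "analyze", "-I", source]
    if output:
        argv += ["-O", output]
    argv += ["-f", file_format]
    if severities:
        argv += ["-s", ",".join(severities)]
    if ignore_globs:
        argv += ["-g", ",".join(ignore_globs)]
    if rules:
        argv += ["-r", ",".join(rules)]
        if ignore_default_rules:
            argv.append("-i")
    if exit_code_is_count:
        argv.append("-E")
    return argv


def interpret_exit_code(code: int) -> str:
    """Map a -E exit status to 'clean', 'issues:N' or 'error'.

    The help text says the exit code is the number of issues, negative on error.
    On POSIX only the low 8 bits of the status survive, so a negative value such
    as -1 is observed as 255 and a count above 255 wraps. Treating 255 as an
    error is this example's assumption, not documented DevSkim behaviour."""
    if code < 0 or code == 255:
        return "error"
    if code == 0:
        return "clean"
    return f"issues:{code}"


def summarize_sarif(sarif_text: str) -> dict:
    """Count results per rule id and per level across all runs, using only
    standard SARIF 2.1.0 fields (runs[].results[].ruleId / .level)."""
    doc = json.loads(sarif_text)
    by_rule, by_level = Counter(), Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            by_rule[result.get("ruleId", "<none>")] += 1
            by_level[result.get("level", "warning")] += 1
    return {"total": sum(by_rule.values()),
            "by_rule": dict(by_rule), "by_level": dict(by_level)}


def run_and_summarize(source: str, output: str) -> dict:
    """Run DevSkim (assumed to be on PATH) and return the verdict plus a summary."""
    proc = subprocess.run(build_analyze_command(source, output),
                          capture_output=True, text=True)
    verdict = interpret_exit_code(proc.returncode)
    summary = {}
    if verdict != "error":
        with open(output, encoding="utf-8") as fh:
            summary = summarize_sarif(fh.read())
    return {"verdict": verdict, "summary": summary}


# Constructed minimal SARIF document standing in for a real results.sarif;
# the rule IDs are placeholders, not DevSkim rules.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "devskim"}},
        "results": [
            {"ruleId": "DS-EXAMPLE-1", "level": "error",
             "message": {"text": "constructed finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/a.c"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "DS-EXAMPLE-1", "level": "error",
             "message": {"text": "constructed finding"}},
            {"ruleId": "DS-EXAMPLE-2", "level": "warning",
             "message": {"text": "constructed finding"}},
        ],
    }],
})

if __name__ == "__main__":
    print(" ".join(build_analyze_command(
        "/home/user/myproject", "results.sarif",
        severities=["critical", "important"], ignore_globs=["**/bin/**", "**/obj/**"])))
    print(interpret_exit_code(3), interpret_exit_code(255))
    print(summarize_sarif(SAMPLE_SARIF))
```

`run_and_summarize` is the piece a pipeline would call; the other functions are separated so the exit-code and report handling can be exercised without DevSkim installed. If you gate a build on the issue count, keep the 8-bit wrap in mind and prefer reading the SARIF total over trusting the raw status for large result sets.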