Verify Tool Evidence in SARIF
Type: Rule
ID: sarif-tool-evidence
Source: v2/rules/sarif/verify-tool-evidence.yaml
Rego Source: verify-tool-evidence.rego
Labels: SARIF
Verify required tools were used to generate the SARIF report.
This rule requires SARIF Evidence. See here for more details.
Evidence IS required for this rule and will fail if missing.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Usage example
uses: sarif/verify-tool-evidence@v2
Mitigation
Confirms the SARIF report originates from the correct scanning tool, ensuring the evidence is trustworthy.
Description
This rule checks the tool field in the SARIF evidence to verify that it matches the expected scanner (e.g., "Semgrep Vulnerability Scanner" or "Trivy Vulnerability Scanner"). Set evidence match criteria: the tool field must equal the expected scanner name to ensure the report is generated by the correct tool. A mismatch indicates that the report may not be reliable.
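As an added illustration of the check this rule performs (example code written for this page, not the project's Rego rule), the function below reads a SARIF 2.1.0 document, locates the producing tool at runs[].tool.driver.name, and fails closed when the field is missing or does not equal one of the expected scanner names. The SARIF sample and the expected-tool set are constructed from the description above.

```python
import json

# Constructed SARIF 2.1.0 document standing in for the evidence payload
# (sample input for this example, not output of a real scan).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "http://docs.oasis-open.org/sarif/sarif/2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "Semgrep Vulnerability Scanner",
                             "version": "1.0.0"}},
         "results": []}
    ],
})

# Scanner names accepted by the policy; assumed here, taken from the rule description.
EXPECTED_TOOLS = {"Semgrep Vulnerability Scanner", "Trivy Vulnerability Scanner"}


def verify_tool_evidence(sarif_text, expected_tools=EXPECTED_TOOLS):
    """Return (passed, reasons). Any missing or mismatched field is a
    violation, mirroring a rule that fails when evidence is absent."""
    reasons = []
    try:
        doc = json.loads(sarif_text)
    except json.JSONDecodeError as exc:
        return False, [f"evidence is not valid JSON: {exc}"]
    if doc.get("version") != "2.1.0":
        reasons.append(f"unexpected SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return False, reasons + ["SARIF document has no runs"]
    for idx, run in enumerate(runs):
        # SARIF 2.1.0 records the producing tool at runs[].tool.driver.name.
        tool = run.get("tool") if isinstance(run, dict) else None
        driver = tool.get("driver") if isinstance(tool, dict) else None
        name = driver.get("name") if isinstance(driver, dict) else None
        if name is None:
            reasons.append(f"run {idx}: missing tool.driver.name")
        elif name not in expected_tools:
            reasons.append(f"run {idx}: tool {name!r} is not an expected scanner")
    return not reasons, reasons


if __name__ == "__main__":
    passed, why = verify_tool_evidence(SAMPLE_SARIF)
    print("PASS" if passed else "FAIL", why)
```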
Evidence Requirements
- Evidence must adhere to the SARIF 2.1.0 schema.
- The report must include a valid tool field.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| tool | semgrep |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |