To be integrated with Space, the code analysis tool must run on your CI server and be able to generate and export reports as a SARIF-formatted .json file. Examples include Qodana, GitHub CodeQL, or lighter language-specific linters (such as ESLint/TSLint for JavaScript/TypeScript, KtLint for Kotlin, Clippy for Rust, Roslyn Analyzers for C#) that support the SARIF export format either directly or through add-on packages.
The Space HTTP API has a dedicated endpoint that accepts code analysis reports as a SARIF-formatted .json file generated by a code analysis tool for the modified code fragments.
The way you set up the integration depends on your CI server and on the specifics of your code analysis tool; however, the general principles remain the same:
An automated job or pipeline is set up on your CI server to run when a new merge request is created or a commit is pushed to an existing merge request.
The job is triggered by a webhook configured on the Space side or, alternatively, by polling your Space repository for changes in branches matching the regular expression refs/merge/(.*?-MR-\d+)/head, which is the branch Space creates for each merge request.
When triggered, the job receives the branch name, extracts the merge request ID from it, and queries the Space API for the source and target commit IDs.
Finally, the job launches the code analysis tool, instructed to analyse only the new changes. The resulting report is generated as a SARIF-formatted file and uploaded to Space.
Code analysis API
Space HTTP API has a dedicated endpoint that can be used to receive SARIF reports from a code analysis tool for a specific commit:
POST /api/http/projects/{project}/code-reviews/{reviewId}/sarif/{commitId}
where
{project} is an identifier of the Space project in which the code analysis results should be displayed. Either a project ID or a project key can be used: key:MY-PROJECT-KEY or id:my-project-id
{reviewId} is an identifier of the merge request. Either a merge request ID or number can be used: id:mr-id or number:mr-number
{commitId} is an identifier of the latest commit in the merge request: id:commit-id
The SARIF-formatted report produced by your code analysis tool is submitted in the request body as a .json file.
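The following script is an added example (not part of the original page or of Space) that ties the CI job steps above to the upload endpoint: it derives the merge request number from the refs/merge/...-MR-N/head branch, builds the endpoint URL using the key: / number: / id: identifier forms, and posts the report. The environment variables SPACE_URL, SPACE_TOKEN, PROJECT_KEY, BRANCH, COMMIT_ID and SARIF_FILE, the Bearer token header and the application/json content type are assumptions, not from the page.

```shell
#!/usr/bin/env bash
# Assumed CI inputs (not defined by the page): SPACE_URL, SPACE_TOKEN,
# PROJECT_KEY, BRANCH, COMMIT_ID, SARIF_FILE.
set -euo pipefail

# Extract the merge-request number from a Space MR branch ref such as
# refs/merge/feature-login-MR-42/head. Prints the number, or nothing if
# the ref is not a merge-request ref (e.g. refs/heads/main).
extract_mr_number() {
  printf '%s\n' "$1" | sed -nE 's#^refs/merge/.*-MR-([0-9]+)/head$#\1#p'
}

# Build the upload endpoint from the Space base URL, project key,
# merge request number and commit id.
sarif_endpoint() {
  printf '%s/api/http/projects/key:%s/code-reviews/number:%s/sarif/id:%s\n' \
    "$1" "$2" "$3" "$4"
}

# Upload the SARIF report. Network call; the token is passed in the
# Authorization header (assumed Bearer scheme), the report as the raw body.
upload_sarif() {
  local url="$1" token="$2" file="$3"
  curl --fail --silent --show-error -X POST "$url" \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    --data-binary "@$file"
}

main() {
  local mr
  mr="$(extract_mr_number "$BRANCH")"
  if [ -z "$mr" ]; then
    echo "Branch $BRANCH is not a Space merge-request ref; skipping upload" >&2
    return 0
  fi
  upload_sarif \
    "$(sarif_endpoint "$SPACE_URL" "$PROJECT_KEY" "$mr" "$COMMIT_ID")" \
    "$SPACE_TOKEN" "$SARIF_FILE"
}

# Only perform the upload when the CI job has provided a report file, so
# the functions above can also be sourced and checked without network access.
if [ -n "${SARIF_FILE:-}" ]; then
  main
fi
```

The token should be stored as a CI secret for an application or user that holds the Report code issues for repository permission, never committed to the job configuration.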
Authorization
This endpoint requires that the caller be granted the Report code issues for repository permission. Make sure to grant this permission to the Space application or user that will be uploading SARIF files to the Space API.
To experiment with the endpoint and test your configuration, use Space HTTP API Playground:
On the main menu, click Extensions then choose API Playground.
Under the endpoints list, select Show experimental API.
In the endpoint search field, type sarif and click Upload SARIF report for merge request. The SARIF endpoint will be displayed.