Getting Started

Sheriff is an MCP server that helps AI agents efficiently fix static analysis issues from SARIF (Static Analysis Results Interchange Format) reports — the standard output format supported by most static analysis tools.

Why Sheriff?

AI agents can fix a few static analysis issues directly from a SARIF file. But when reports contain dozens to hundreds of issues across many files, agents hit a wall:

Context overload - Large issue lists overwhelm the context window and agents lose track of progress
Lost progress - Work disappears on context compaction or session restart with no external record
Inefficient navigation - Jumping between files repeatedly wastes tokens and increases the chance of missing issues

Sheriff solves these problems by providing:

Intelligent batching - Issues grouped by file for efficient fixing
Persistent progress - State survives compaction and restarts
Scope filtering - Focus on specific rules, severities, or file patterns
Compact responses - Minimal context usage with abbreviated field names

Quick Start

1. Installation Download the JAR or use Docker

2. Agent Setup Configure your MCP client to use Sheriff

Basic Workflow

Once installed and configured, the workflow is:

1. Run static analysis     →  qodana scan
2. Load into Sheriff       →  sheriff load target="results.sarif"
3. Get next file's issues  →  sheriff next
4. Fix all issues in file  →  [edit the code]
5. Mark as done            →  sheriff done fps=[...] status="fixed"
6. Repeat 3-5              →  until remaining = 0

Supported Tools

Sheriff works with any static analysis tool that produces SARIF output:

Qodana - Java, Kotlin, JavaScript, Python
Semgrep - Multi-language
ESLint - JavaScript/TypeScript
CodeQL - Multi-language
SonarQube - Multi-language
SpotBugs - Java
Bandit - Python
Checkov - Infrastructure as Code
Trivy - Containers and IaC