SAF Framework

Normalize

Security tools speak different languages. Nessus outputs XML, SonarQube produces JSON, SCAP tools generate XCCDF results - each with different schemas and structures. The Normalize phase of the MITRE SAF converts security scan results from dozens of different tools into a common format, enabling unified analysis, comparison, and visualization across your entire security toolchain.
The Problem

Security Tool Data Fragmentation

Organizations use multiple security tools - vulnerability scanners, static code analyzers, compliance checkers, penetration testing tools, and more. Each tool produces results in its own proprietary format, making it nearly impossible to:

  • Compare results across different tools and timeframes
  • Aggregate findings into a unified security dashboard
  • Track remediation progress consistently across tools
  • Demonstrate compliance using evidence from multiple sources

Without normalization, security teams waste countless hours manually correlating data, building custom integrations, and maintaining fragile parsing scripts that break with every tool update.
The Solution

Heimdall Data Format (HDF)

MITRE SAF uses the Heimdall Data Format (HDF) as the common language for security data. HDF is a standardized JSON schema that represents security findings in a consistent structure, regardless of the source tool. The SAF CLI provides converters that transform outputs from popular security tools into HDF, enabling unified analysis and visualization.
Unified Schema
HDF provides a consistent structure for representing security controls, test results, severity levels, and remediation guidance. Whether the source is InSpec, Nessus, or SonarQube, the normalized output follows the same schema.
Bi-directional Conversion
SAF CLI converts security tool outputs into HDF for analysis, and can also export HDF data back into formats like CSV, XLSX, or tool-specific formats for integration with existing workflows and reporting systems.
Comprehensive Coverage
SAF CLI supports conversion from 20+ security tools including vulnerability scanners (Nessus, Tenable.io), code analyzers (SonarQube, Fortify), cloud security (AWS Config, Prowler), compliance tools (SCAP, Chef InSpec), and more.
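A small normalizer of the kind the Normalize phase describes, added here as an illustration and not taken from the SAF CLI or the HDF schema: two constructed tool outputs (a Nessus-like XML fragment and a SonarQube-like issues JSON) are mapped into a simplified HDF-style control/result structure, and one summary is then computed across both without caring which tool each finding came from. The field names (`profiles`, `controls`, `impact`, `results`, `status`, `code_desc`) follow the InSpec-derived shape HDF uses, but the severity-to-impact mappings and the impact buckets are assumptions, and the real schema carries many more fields.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real tool output): a Nessus-like XML report and a SonarQube-like issues JSON.
NESSUS_XML = """<NessusClientData_v2><Report><ReportHost name="10.0.0.5">
<ReportItem pluginID="11111" pluginName="SSH weak MAC algorithms" severity="2"><cvss_base_score>5.3</cvss_base_score></ReportItem>
<ReportItem pluginID="22222" pluginName="TLS 1.0 enabled" severity="3"><cvss_base_score>7.5</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""
SONAR_JSON = json.dumps({"issues": [
    {"key": "AX1", "rule": "python:S2068", "severity": "CRITICAL",
     "message": "Hard-coded credential", "status": "OPEN"},
    {"key": "AX2", "rule": "python:S1481", "severity": "MINOR",
     "message": "Unused local variable", "status": "RESOLVED"}]})

# Assumed mappings onto the 0.0-1.0 impact scale used by InSpec/HDF, and the usual impact buckets.
SONAR_IMPACT = {"BLOCKER": 1.0, "CRITICAL": 0.9, "MAJOR": 0.7, "MINOR": 0.3, "INFO": 0.0}
BUCKETS = [("critical", 0.9), ("high", 0.7), ("medium", 0.4), ("low", 0.1), ("none", 0.0)]

def control(cid, title, impact, status, desc):
    """Build one HDF-style control carrying a single test result."""
    return {"id": cid, "title": title, "impact": impact,
            "results": [{"status": status, "code_desc": desc}]}

def nessus_to_hdf(xml_text):
    """Every fired plugin becomes a failed control; CVSS base score / 10 is the impact."""
    controls = [control(i.get("pluginID"), i.get("pluginName"),
                        float(i.findtext("cvss_base_score", default="0")) / 10.0,
                        "failed", "plugin severity %s" % i.get("severity"))
                for i in ET.fromstring(xml_text).iter("ReportItem")]
    return {"profiles": [{"name": "nessus", "controls": controls}]}

def sonar_to_hdf(json_text):
    """Every issue becomes a control; resolved issues are recorded as passed."""
    controls = [control(iss["rule"], iss["message"],
                        SONAR_IMPACT.get(iss["severity"], 0.5),
                        "passed" if iss["status"] == "RESOLVED" else "failed", iss["key"])
                for iss in json.loads(json_text)["issues"]]
    return {"profiles": [{"name": "sonarqube", "controls": controls}]}

def summarize(*hdf_docs):
    """Unified view: count failed controls per impact bucket, regardless of source tool."""
    counts = {name: 0 for name, _ in BUCKETS}
    for doc in hdf_docs:
        for c in (c for p in doc["profiles"] for c in p["controls"]):
            if any(r["status"] == "failed" for r in c["results"]):
                counts[next(n for n, lo in BUCKETS if c["impact"] >= lo)] += 1
    return counts

if __name__ == "__main__":
    print(json.dumps(summarize(nessus_to_hdf(NESSUS_XML), sonar_to_hdf(SONAR_JSON))))
```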
Supported Tools

Convert From Any Security Tool

SAF CLI provides converters for a wide range of security tools across different categories. Each converter transforms the tool's native output format into HDF, enabling unified analysis in Heimdall.

Vulnerability Scanners

  • Nessus (.nessus XML)
  • Tenable.io (API)
  • Qualys (XML)
  • OpenSCAP (XCCDF)
  • Anchore (JSON)

Code Analysis

  • SonarQube (API)
  • Fortify (FPR)
  • Checkmarx (XML)
  • Snyk (JSON)
  • OWASP ZAP (JSON/XML)

Cloud Security

  • AWS Config (JSON)
  • Prowler (JSON/CSV)
  • ScoutSuite (JSON)
  • CloudSploit (JSON)
  • Prisma Cloud (CSV)

Compliance Tools

  • Chef InSpec (JSON)
  • SCAP (XCCDF)
  • Burp Suite (XML)
  • Nikto (XML)
  • Metasploit (XML)

Container Security

  • Trivy (JSON)
  • Anchore Engine (JSON)
  • Clair (JSON)
  • Twistlock (JSON)
  • Aqua Security (JSON)

Other Tools

  • JFrog Xray (JSON)
  • SARIF (JSON)
  • DBProtect (Check Files)
  • ASFFResults (JSON)
  • Splunk (HEC)

Released under the Apache 2.0 License.