feat: add --sarif output flag for SARIF 2.1.0 support#342

Merged: sonukapoor merged 1 commit into main from feature/issue-341-sarif-output on May 12, 2026

Conversation

@sonukapoor (Collaborator)

Summary

  • Adds --sarif flag that writes a SARIF 2.1.0 file (cve-lite-scan-<timestamp>.sarif) to the current directory
  • One SARIF result per CVE per finding — enables per-CVE review and dismissal in GitHub Code Scanning
  • --sarif and --json can be combined; --sarif and --report are mutually exclusive
  • New src/utils/severity.ts extracts severity mapping into a shared utility
  • New website/docs/sarif.md documents the GitHub Actions upload workflow

Closes #341

- New src/output/sarif.ts with buildSarifOutput, writeSarifReport, and
  deriveLockfileUri; produces one result per CVE per finding with rule
  deduplication and optional fixes array from runnableFixCommand
- New src/utils/severity.ts extracts severityToSarifLevel as a shared utility
- --sarif and --json can be combined; --sarif and --report are mutually exclusive
- Refactored output block in index.ts so --sarif --json writes both files
  and still renders terminal output
- Adds SARIF guide page, CLI reference row, sidebar entry, and README update

Closes #341
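As an added illustration of the output shape the description above calls for (one SARIF 2.1.0 result per CVE per finding, rules deduplicated by CVE id, severity collapsed onto SARIF's four levels), here is a standalone TypeScript sketch. It is example code, not the project's own `src/output/sarif.ts` or `src/utils/severity.ts`; the `Finding` shape, the severity names, the `example-scanner` tool name, the NVD-style `helpUri` pattern and the `CVE-EXAMPLE-*` identifiers are assumptions or constructed values. The fix command is carried in `result.properties` rather than a SARIF `fixes` entry, because a schema-valid `fix` object needs `artifactChanges`, which a lockfile scanner usually cannot produce.

```typescript
// Added example, not the project's own code. Finding shape, severity names,
// tool name and advisory link pattern are assumptions for illustration.

type Severity = "critical" | "high" | "medium" | "low" | "unknown";
// SARIF 2.1.0 permits only these four values for result.level.
type SarifLevel = "error" | "warning" | "note" | "none";

interface Cve { id: string; severity: Severity; description: string; }
interface Finding {
  pkg: string;
  version: string;
  lockfileLine: number;  // line of the dependency entry in the lockfile
  cves: Cve[];
  fixCommand?: string;   // upgrade command, when one is known
}

interface SarifRule {
  id: string;
  shortDescription: { text: string };
  helpUri: string;
  properties: { severity: Severity };
}
interface SarifResult {
  ruleId: string;
  ruleIndex: number;
  level: SarifLevel;
  message: { text: string };
  locations: { physicalLocation: {
    artifactLocation: { uri: string; uriBaseId: string };
    region: { startLine: number };
  } }[];
  properties?: { fixCommand: string };
}

// Collapse the scanner's five-way severity onto SARIF's four levels.
function severityToSarifLevel(severity: Severity): SarifLevel {
  switch (severity) {
    case "critical":
    case "high": return "error";
    case "medium": return "warning";
    case "low": return "note";
    default: return "none";
  }
}

// One result per CVE per finding; one rule per distinct CVE id, so GitHub
// Code Scanning can show and dismiss each CVE on its own.
function buildSarifOutput(findings: Finding[], lockfileUri: string) {
  const rules: SarifRule[] = [];
  const ruleIndexById = new Map<string, number>();
  const results: SarifResult[] = [];

  for (const finding of findings) {
    for (const cve of finding.cves) {
      let ruleIndex = ruleIndexById.get(cve.id);
      if (ruleIndex === undefined) {
        ruleIndex = rules.length;
        ruleIndexById.set(cve.id, ruleIndex);
        rules.push({
          id: cve.id,
          shortDescription: { text: cve.description },
          helpUri: `https://nvd.nist.gov/vuln/detail/${cve.id}`, // assumed link pattern
          properties: { severity: cve.severity },
        });
      }
      results.push({
        ruleId: cve.id,
        ruleIndex,
        level: severityToSarifLevel(cve.severity),
        message: { text: `${finding.pkg}@${finding.version} is affected by ${cve.id}` },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: lockfileUri, uriBaseId: "%SRCROOT%" },
          region: { startLine: finding.lockfileLine },
        } }],
        ...(finding.fixCommand ? { properties: { fixCommand: finding.fixCommand } } : {}),
      });
    }
  }

  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "example-scanner", rules } }, results }],
  };
}

// Constructed sample input: two packages share one CVE, so two rules are
// emitted while three results are produced.
const SAMPLE_FINDINGS: Finding[] = [
  { pkg: "left-pad-ish", version: "1.0.0", lockfileLine: 12, fixCommand: "npm install left-pad-ish@1.0.1",
    cves: [
      { id: "CVE-EXAMPLE-0001", severity: "high", description: "Constructed example advisory" },
      { id: "CVE-EXAMPLE-0002", severity: "medium", description: "Constructed example advisory" },
    ] },
  { pkg: "left-pad-ish-es", version: "1.0.0", lockfileLine: 30,
    cves: [{ id: "CVE-EXAMPLE-0001", severity: "high", description: "Constructed example advisory" }] },
];

console.log(JSON.stringify(buildSarifOutput(SAMPLE_FINDINGS, "package-lock.json"), null, 2));
```

Writing the returned object to a `.sarif` file and uploading it with the Code Scanning upload action is all that is needed for the results to appear per CVE; the `ruleIndex` field is optional in SARIF but lets consumers resolve a result's rule without a string lookup.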
sonukapoor merged commit d2b5050 into main on May 12, 2026
5 checks passed