Skip to content

Feat: Add SARIF Output Support for Findings-Based Commands #52

Description

@marco0560

Feat: Add SARIF Output Support for Findings-Based Commands

Summary

Introduce SARIF (Static Analysis Results Interchange Format) output support for findings-oriented Codira commands.

The goal is to allow Codira results to integrate with existing code-scanning ecosystems, CI pipelines, IDEs, and repository quality dashboards.

Motivation

Codira already produces deterministic structured outputs such as JSON and Markdown.

SARIF would enable:

  • GitHub Code Scanning integration
  • CI/CD consumption
  • IDE support
  • interoperability with existing static-analysis tooling
  • easier comparison with tools such as Semgrep, CodeQL, Ruff, Bandit, and Pylint

SARIF support also signals maturity and interoperability to potential adopters.

Scope

In Scope

Commands that naturally produce findings:

  • audit
  • calls (architecture violations)
  • refs (unresolved or suspicious references)
  • future architecture analyzers

Out of Scope

Commands that do not produce findings:

  • index
  • ctx
  • emb
  • caps

Proposed Design

Introduce a common internal finding model:

Finding
├── rule_id
├── severity
├── message
├── file
├── line
├── column
├── category
└── metadata

Output renderers become:

  • Terminal
  • JSON
  • Markdown
  • SARIF

All renderers consume the same deterministic finding model.

Deliverables

Phase 1

  • Internal finding abstraction
  • SARIF serializer
  • Unit tests
  • Documentation

Phase 2

  • audit --format sarif
  • GitHub Code Scanning validation

Phase 3

  • Extend support to additional findings-oriented commands

Acceptance Criteria

  • SARIF output validates against the SARIF schema.
  • Output is deterministic.
  • Results can be uploaded to GitHub Code Scanning.
  • Existing JSON and Markdown outputs remain unchanged.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions