Feat: Add SARIF Output Support for Findings-Based Commands
Summary
Introduce SARIF (Static Analysis Results Interchange Format) output support for findings-oriented Codira commands.
The goal is to allow Codira results to integrate with existing code-scanning ecosystems, CI pipelines, IDEs, and repository quality dashboards.
Motivation
Codira already produces deterministic structured outputs such as JSON and Markdown.
SARIF would enable:
- GitHub Code Scanning integration
- CI/CD consumption
- IDE support
- interoperability with existing static-analysis tooling
- easier comparison with tools such as Semgrep, CodeQL, Ruff, Bandit, and Pylint
SARIF support also signals maturity and interoperability to potential adopters.
Scope
In Scope
Commands that naturally produce findings:
audit
calls (architecture violations)
refs (unresolved or suspicious references)
- future architecture analyzers
Out of Scope
Commands that do not produce findings:
Proposed Design
Introduce a common internal finding model:
Finding
├── rule_id
├── severity
├── message
├── file
├── line
├── column
├── category
└── metadata
Output renderers become:
- Terminal
- JSON
- Markdown
- SARIF
All renderers consume the same deterministic finding model.
Deliverables
Phase 1
- Internal finding abstraction
- SARIF serializer
- Unit tests
- Documentation
Phase 2
audit --format sarif
- GitHub Code Scanning validation
Phase 3
- Extend support to additional findings-oriented commands
Acceptance Criteria
- SARIF output validates against the SARIF schema.
- Output is deterministic.
- Results can be uploaded to GitHub Code Scanning.
- Existing JSON and Markdown outputs remain unchanged.
Feat: Add SARIF Output Support for Findings-Based Commands
Summary
Introduce SARIF (Static Analysis Results Interchange Format) output support for findings-oriented Codira commands.
The goal is to allow Codira results to integrate with existing code-scanning ecosystems, CI pipelines, IDEs, and repository quality dashboards.
Motivation
Codira already produces deterministic structured outputs such as JSON and Markdown.
SARIF would enable:
SARIF support also signals maturity and interoperability to potential adopters.
Scope
In Scope
Commands that naturally produce findings:
auditcalls(architecture violations)refs(unresolved or suspicious references)Out of Scope
Commands that do not produce findings:
indexctxembcapsProposed Design
Introduce a common internal finding model:
Output renderers become:
All renderers consume the same deterministic finding model.
Deliverables
Phase 1
Phase 2
audit --format sarifPhase 3
Acceptance Criteria