SARIF (Static Analysis Results Interchange Format) is the standard output format for security tools integrating with GitHub Advanced Security, Azure DevOps, and most CI security dashboards.

CVE Lite CLI already supports `--json` for machine-readable output and `--report` for HTML. SARIF would complete the CI integration story by letting findings appear as code-scanning alerts in GitHub.

Scope:

- Add a `--sarif` flag that writes a SARIF 2.1.0 JSON file
- Follow the `html-reporter.ts` pattern: new file `src/output/sarif-reporter.ts`, no logic in `index.ts`
- Map findings to SARIF `result` objects with severity, package name, CVE ID, and a fix hint in the `message`
- Output to stdout or a file path passed via `--sarif <path>`
- Suppress terminal output when `--sarif` is used (same behaviour as `--json`)
- Add tests in `tests/sarif-reporter.test.ts`

Reference: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
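One way to do the finding-to-`result` mapping described in the scope above, as an added TypeScript example and not CVE Lite CLI's own code: the `Finding` shape, the tool name `cve-lite-cli`, the NVD help URL and the sample findings are assumptions, and severity is folded into the three SARIF levels GitHub code scanning understands while the original severity is kept in `properties`.

```typescript
// Added example, not CVE Lite CLI's own code. The Finding shape is an assumption.
export interface Finding {
  cveId: string;
  packageName: string;
  installedVersion: string;
  severity: "critical" | "high" | "medium" | "low";
  fixedVersion?: string;   // absent when no patched release exists
  manifestPath: string;    // lockfile/manifest the dependency was declared in
}

type SarifLevel = "error" | "warning" | "note";

// GitHub code scanning only renders error/warning/note, so collapse the four
// severities onto those and preserve the original value in result.properties.
export function toLevel(sev: Finding["severity"]): SarifLevel {
  if (sev === "critical" || sev === "high") return "error";
  return sev === "medium" ? "warning" : "note";
}

export function toSarif(findings: Finding[], toolVersion: string) {
  // One reportingDescriptor per distinct CVE so repeated findings share a ruleId.
  const rules = Array.from(new Set(findings.map(f => f.cveId))).map(id => ({
    id,
    shortDescription: { text: `Vulnerable dependency: ${id}` },
    helpUri: `https://nvd.nist.gov/vuln/detail/${id}`, // assumed help link
  }));
  const results = findings.map(f => ({
    ruleId: f.cveId,
    level: toLevel(f.severity),
    message: {
      text: `${f.packageName}@${f.installedVersion} is affected by ${f.cveId}` +
        (f.fixedVersion ? `; upgrade to ${f.fixedVersion}` : "; no fix available"),
    },
    // Dependency findings have no line; point at the manifest so the alert has a file.
    locations: [{ physicalLocation: { artifactLocation: { uri: f.manifestPath } } }],
    properties: { severity: f.severity, package: f.packageName },
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "cve-lite-cli", version: toolVersion, rules } }, results }],
  };
}

// Constructed sample input with placeholder CVE IDs, not real advisory data.
export const SAMPLE_FINDINGS: Finding[] = [
  { cveId: "CVE-0000-00001", packageName: "example-pkg", installedVersion: "1.0.0",
    severity: "high", fixedVersion: "1.0.1", manifestPath: "package-lock.json" },
  { cveId: "CVE-0000-00002", packageName: "other-pkg", installedVersion: "2.3.0",
    severity: "low", manifestPath: "package-lock.json" },
];
```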