Skip to content

feat: SARIF 2.1.0 compliance - ruleIndex, kind, and partialFingerprints#827

Merged
sonukapoor merged 4 commits into
mainfrom
feature/issue-417-sarif-2.1.0
Jul 11, 2026
Merged

feat: SARIF 2.1.0 compliance - ruleIndex, kind, and partialFingerprints#827
sonukapoor merged 4 commits into
mainfrom
feature/issue-417-sarif-2.1.0

Conversation

@sonukapoor

Copy link
Copy Markdown
Collaborator

Adds SARIF 2.1.0 compliance improvements to both the CVE scan output and the override hygiene output.

Changes:

  • ruleIndex added to every result, referencing the rule's position in runs[0].tool.driver.rules - required by GitHub Code Scanning for rule attribution
  • kind: "open" added to every result - required field in SARIF 2.1.0
  • partialFingerprints.primaryLocationLineHash added using a SHA-256 prefix of the finding identity - improves alert deduplication across runs
  • Shared sarifFingerprintHash utility extracted to src/utils/sarif.ts
  • severityToSarifLevel shared between both SARIF writers, eliminating duplication
  • Override SARIF writer builds a ruleIndexMap for O(1) lookups and throws on unknown rule IDs instead of silently falling back to index 0
  • defaultConfiguration.level removed from rule definitions (redundant - level belongs on results, not rules)

Validated against GitHub Code Scanning: uploaded SARIF, confirmed alert rendered correctly with title, severity, tool name, and rule ID.

Closes #417

@sonukapoor sonukapoor merged commit e6f791b into main Jul 11, 2026
6 checks passed
@sonukapoor sonukapoor deleted the feature/issue-417-sarif-2.1.0 branch July 11, 2026 14:17
…s, monorepo fingerprint, remove defaultConfiguration.level
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: SARIF 2.1.0 output format

1 participant