Skip to content

feat: Add SARIF 2.1.0 export for scan results#287

Open
saidai-bhuvanesh wants to merge 4 commits into
ionfwsrijan:mainfrom
saidai-bhuvanesh:feature/sarif-export-clean
Open

feat: Add SARIF 2.1.0 export for scan results#287
saidai-bhuvanesh wants to merge 4 commits into
ionfwsrijan:mainfrom
saidai-bhuvanesh:feature/sarif-export-clean

Conversation

@saidai-bhuvanesh

@saidai-bhuvanesh saidai-bhuvanesh commented Jul 6, 2026

Copy link
Copy Markdown

Before opening: make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.

Linked issue

Closes #107

What this PR does

Implements SARIF 2.1.0 export functionality for scan results. This enables compliance with external security platforms like GitHub Advanced Security, SonarQube, and DefectDojo. The implementation includes the SARIF 2.1.0 schema, severity mapping, tool mapping, and comprehensive finding conversion logic.

Type of change

  • Bug fix
  • New feature
  • ML model / training pipeline
  • Refactor (no behaviour change)
  • Documentation
  • Tests only

ML tier (if applicable)

  • Tier 1 — Triage
  • Tier 2 — Predictive
  • Tier 3 — Autonomous
  • Not ML-related

Stack affected

  • Backend
  • Frontend
  • Both

Changes

Backend

  • Added SARIF 2.1.0 export module (backend/app/reports/sarif.py)
  • Created /api/scans/{job_id}/report/sarif endpoint for single scan reports
  • Created /api/scans/org/{org_job_id}/report/sarif for org-level reports
  • Implemented severity mapping (critical→error, high→error, medium→warning, low→warning, info→note)
  • Implemented tool mapping for semgrep, osv, gitleaks

Frontend

  • No frontend changes

New dependencies

  • None

Database / schema changes

  • None

Testing

How did you test this?

Added comprehensive unit tests with 14 test cases covering severity mapping, tool mapping, finding conversion, and report generation. All tests pass successfully.

Checklist

  • Tested locally end-to-end
  • No new console.error or unhandled Python exceptions introduced
  • Added or updated tests where applicable
  • requirements.txt / package.json updated if new dependencies added
  • New model files (.pkl, .pt, etc.) are gitignored, not committed

Anything reviewers should focus on

Ensure SARIF output format is compliant with SARIF 2.1.0 specification and works with GitHub Advanced Security integration.

…onfwsrijan#107)

- Added SARIF 2.1.0 compliant export module in backend/app/reports/sarif.py
- Added /api/scans/{job_id}/report/sarif endpoint for single scan reports
- Added /api/scans/org/{org_job_id}/report/sarif for org-level reports
- Added comprehensive tests with 14 test cases
- SARIF output compatible with GitHub Advanced Security, SonarQube, DefectDojo

Closes ionfwsrijan#107
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🎉 Thank you @saidai-bhuvanesh for submitting a Pull Request!

We're excited to review your contribution.

Before Review

✅ Ensure all CI checks pass
✅ Complete the PR template
✅ Link the related issue

Want faster reviews and contributor support?

Join our Discord community:

🔗 https://discord.gg/FcXuyw2Rs

Maintainers and mentors are active there and can help resolve blockers quickly.

Happy Contributing! 🚀

@github-actions github-actions Bot added SSoC26 needs-work Work needed labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

⚠️ Automated Check: This PR does not strictly follow the required template. Please ensure you have not deleted any checkboxes or mandatory headings, and that you have written explanations under What this PR does and How did you test this?.

Correct PR Template

Please copy and paste the raw template below into your PR description and fill it out:

> **Before opening:** make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.

## Linked issue

Closes #

## What this PR does



## Type of change

- [ ] Bug fix
- [ ] New feature
- [ ] ML model / training pipeline
- [ ] Refactor (no behaviour change)
- [ ] Documentation
- [ ] Tests only

## ML tier (if applicable)

- [ ] Tier 1 — Triage
- [ ] Tier 2 — Predictive
- [ ] Tier 3 — Autonomous
- [ ] Not ML-related

## Stack affected

- [ ] Backend
- [ ] Frontend
- [ ] Both

---

## Changes

### Backend



-

### Frontend



-

### New dependencies



-

### Database / schema changes



-

---

## Testing

**How did you test this?**



**Checklist**

- [ ] Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
- [ ] New ML model falls back gracefully when model file is absent
- [ ] No new `console.error` or unhandled Python exceptions introduced
- [ ] Added or updated tests where applicable
- [ ] `requirements.txt` / `package.json` updated if new dependencies added
- [ ] New model files (`.pkl`, `.pt`, etc.) are gitignored, not committed

---

## Anything reviewers should focus on



## Screenshots (if UI changed)

@github-actions github-actions Bot added backend Backend issues feature New feature labels Jul 6, 2026
@github-actions github-actions Bot added the frontend Frontend issues label Jul 6, 2026
@arpit2006

Copy link
Copy Markdown
Collaborator

@saidai-bhuvanesh , Resolve template issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend Backend issues feature New feature frontend Frontend issues needs-work Work needed SSoC26

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Standardized SARIF telemetry generation for external platform compliance

2 participants