feat: Add SARIF 2.1.0 export for scan results#287
Conversation
…onfwsrijan#107) - Added SARIF 2.1.0 compliant export module in backend/app/reports/sarif.py - Added /api/scans/{job_id}/report/sarif endpoint for single scan reports - Added /api/scans/org/{org_job_id}/report/sarif for org-level reports - Added comprehensive tests with 14 test cases - SARIF output compatible with GitHub Advanced Security, SonarQube, DefectDojo Closes ionfwsrijan#107
|
🎉 Thank you @saidai-bhuvanesh for submitting a Pull Request! We're excited to review your contribution. Before Review✅ Ensure all CI checks pass ⚡ Want faster reviews and contributor support? Join our Discord community: 🔗 https://discord.gg/FcXuyw2Rs Maintainers and mentors are active there and can help resolve blockers quickly. Happy Contributing! 🚀 |
|
Correct PR TemplatePlease copy and paste the raw template below into your PR description and fill it out: > **Before opening:** make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.
## Linked issue
Closes #
## What this PR does
## Type of change
- [ ] Bug fix
- [ ] New feature
- [ ] ML model / training pipeline
- [ ] Refactor (no behaviour change)
- [ ] Documentation
- [ ] Tests only
## ML tier (if applicable)
- [ ] Tier 1 — Triage
- [ ] Tier 2 — Predictive
- [ ] Tier 3 — Autonomous
- [ ] Not ML-related
## Stack affected
- [ ] Backend
- [ ] Frontend
- [ ] Both
---
## Changes
### Backend
-
### Frontend
-
### New dependencies
-
### Database / schema changes
-
---
## Testing
**How did you test this?**
**Checklist**
- [ ] Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
- [ ] New ML model falls back gracefully when model file is absent
- [ ] No new `console.error` or unhandled Python exceptions introduced
- [ ] Added or updated tests where applicable
- [ ] `requirements.txt` / `package.json` updated if new dependencies added
- [ ] New model files (`.pkl`, `.pt`, etc.) are gitignored, not committed
---
## Anything reviewers should focus on
## Screenshots (if UI changed)
|
|
@saidai-bhuvanesh , Resolve template issue. |
Linked issue
Closes #107
What this PR does
Implements SARIF 2.1.0 export functionality for scan results. This enables compliance with external security platforms like GitHub Advanced Security, SonarQube, and DefectDojo. The implementation includes the SARIF 2.1.0 schema, severity mapping, tool mapping, and comprehensive finding conversion logic.
Type of change
ML tier (if applicable)
Stack affected
Changes
Backend
backend/app/reports/sarif.py)/api/scans/{job_id}/report/sarifendpoint for single scan reports/api/scans/org/{org_job_id}/report/sariffor org-level reportsFrontend
New dependencies
Database / schema changes
Testing
How did you test this?
Added comprehensive unit tests with 14 test cases covering severity mapping, tool mapping, finding conversion, and report generation. All tests pass successfully.
Checklist
Anything reviewers should focus on
Ensure SARIF output format is compliant with SARIF 2.1.0 specification and works with GitHub Advanced Security integration.