
feat: add SARIF v2.1.0 output for GitHub code scanning (fixes #82)#156

Open
mayank-dev-15 wants to merge 2 commits into
OWASP:mainfrom
mayank-dev-15:feature/sarif-output

Conversation

@mayank-dev-15


Adds --sarif-out <path> CLI flag that writes SARIF v2.1.0 output for GitHub code scanning integration.

Changes:

  • New src/agent_harness/sarif.py: builds SARIF with rule IDs, severity mapping, evidence
  • CLI flag --sarif-out on the run subcommand
  • Maps pass/fail/error/not_run to SARIF levels (none/error/error/note)
  • Deduplicates rules across assertions
  • 8 tests covering version, tool driver, assertion levels, dedup, empty results

Usage:

```bash
agent-harness run scenario.yaml --sarif-out results.sarif
```

Then upload results.sarif to GitHub code scanning via github/codeql-action/upload-sarif.

Fixes #82

Commits

Detects when protected secrets appear in agent traces. Supports two config
styles:
- secrets: list of {name, value} pairs
- forbidden_outputs: list of literal strings

Evidence uses SHA-256 digests to avoid leaking actual secret values in
test output.

Added 7 tests covering clean traces, secrets in messages/tool calls,
forbidden outputs, and evidence digesting.

- New --sarif-out flag writes SARIF output for code scanning integration
- sarif.py: builds SARIF v2.1.0 with rule IDs, severity mapping, evidence
- Maps pass/fail/error/not_run to SARIF levels
- 8 tests covering version, tool driver, assertion levels, dedup, empty results

Fixes OWASP#82
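An added worked example of the two pieces described above: the SARIF builder from the PR description (status-to-level mapping, rule deduplication across assertions) and the SHA-256 evidence digesting from the first commit message. This is illustrative code written for this page, not the project's src/agent_harness/sarif.py. The input record shape (rule_id, status, message, scenario, evidence), the tool name/version, the `properties.evidenceDigests` property-bag key and the sample results are all assumptions.

```python
"""Illustrative SARIF v2.1.0 builder for agent-harness-style results.

Not the project's sarif.py. Assumed input: a list of dicts with keys
rule_id, status (pass/fail/error/not_run), message, scenario and an
optional list of evidence strings that may contain secret values.
"""
import hashlib
import json

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Status -> SARIF level mapping from the PR description.
# "none" keeps passing assertions in the log as a record without raising
# a code scanning alert; failures and harness errors both become "error".
LEVELS = {"pass": "none", "fail": "error", "error": "error", "not_run": "note"}


def digest_evidence(value: str) -> str:
    """Replace an evidence string with its SHA-256 digest so the raw secret
    never lands in the SARIF file that gets uploaded and stored."""
    return "sha256:" + hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_sarif(results, tool_name="agent-harness", tool_version="0.0.0"):
    """Build a SARIF log; rules are deduplicated by id across assertions."""
    rules = {}          # rule id -> reportingDescriptor (insertion order kept)
    sarif_results = []
    for r in results:
        status = r["status"]
        if status not in LEVELS:
            raise ValueError(f"unknown assertion status {status!r}")
        rules.setdefault(r["rule_id"], {
            "id": r["rule_id"],
            "shortDescription": {"text": r.get("description", r["rule_id"])},
        })
        result = {
            "ruleId": r["rule_id"],
            "level": LEVELS[status],
            "message": {"text": r["message"]},
            # GitHub code scanning expects a physical location on each result;
            # the scenario file is the closest thing a trace assertion has.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": r["scenario"]}}}],
        }
        if r.get("evidence"):
            # Assumed property-bag key; only digests, never raw values.
            result["properties"] = {
                "evidenceDigests": [digest_evidence(e) for e in r["evidence"]]}
        sarif_results.append(result)
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": sarif_results,
        }],
    }


def leaks_secret(sarif_doc, secrets) -> bool:
    """Pre-upload check: does any raw secret appear anywhere in the JSON?"""
    blob = json.dumps(sarif_doc)
    return any(s in blob for s in secrets)


# Constructed sample results (not real harness output).
SAMPLE_RESULTS = [
    {"rule_id": "no-secret-leak", "status": "fail", "scenario": "scenario.yaml",
     "message": "secret 'db_password' appeared in a tool call argument",
     "evidence": ["hunter2"]},
    {"rule_id": "no-secret-leak", "status": "pass", "scenario": "scenario.yaml",
     "message": "no protected secret found in assistant messages"},
    {"rule_id": "tool-allowlist", "status": "not_run", "scenario": "scenario.yaml",
     "message": "skipped: scenario defines no tool allowlist"},
    {"rule_id": "tool-allowlist", "status": "error", "scenario": "scenario.yaml",
     "message": "harness error while evaluating allowlist"},
]

if __name__ == "__main__":
    doc = build_sarif(SAMPLE_RESULTS, tool_version="0.1.0")
    # Refuse to write a report that would ship a secret to code scanning.
    assert not leaks_secret(doc, ["hunter2"])
    with open("results.sarif", "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
```

The `leaks_secret` check is the one worth keeping around regardless of how the real builder is written: the upload target stores the file, so a digest in `properties` is only useful if no other field (message text, rule description, location URI) carries the raw value. Note also that results at level `none` are recorded but are not what code scanning alerts on; failures and harness errors at level `error` are.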


Development

Successfully merging this pull request may close these issues.

Add SARIF output for code scanning integrations
