feat: add SARIF output support for GitHub Code Scanning

- Implement SARIF 2.1.0 formatter in cmd/gosqlx/internal/output package
- Add --output-format and --output-file flags to validate command
- Support for three error types: syntax, parsing, and tokenization errors
- Include fingerprinting for result deduplication
- Cross-platform path normalization for SARIF URIs
- Comprehensive test suite with 100% pass rate
- Update action.yml with sarif-output input and upload step
- Auto-enable quiet mode when outputting SARIF for clean JSON
- Refactor ValidationResult types to avoid circular imports

This enables GitHub Code Scanning integration for SQL validation errors,
displaying them inline in pull requests and the Security tab.

Related to issue #79

Author: Ajit Pratap Singh

action.yml

@@ -52,6 +52,11 @@ inputs:
     required: false
     default: 'false'
 
+  sarif-output:
+    description: 'Generate SARIF output for GitHub Code Scanning (requires security-events: write permission)'
+    required: false
+    default: 'false'
+
   gosqlx-version:
     description: 'GoSQLX version to use (default: latest)'
     required: false
@@ -297,6 +302,55 @@ runs:
           exit 1
         fi
 
+    - name: Generate SARIF output
+      id: sarif
+      if: inputs.sarif-output == 'true' && steps.find-files.outputs.file-count != '0'
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        echo "::group::Generate SARIF Report"
+
+        # Build validation command with SARIF output
+        CMD="$HOME/go/bin/gosqlx validate --output-format sarif --output-file gosqlx-results.sarif"
+
+        # Add config if provided
+        if [ -n "${{ inputs.config }}" ]; then
+          if [ -f "${{ inputs.config }}" ]; then
+            export GOSQLX_CONFIG="${{ inputs.config }}"
+          fi
+        fi
+
+        # Add dialect if provided
+        DIALECT="${{ inputs.dialect }}"
+        if [ -n "$DIALECT" ] && [[ "$DIALECT" =~ ^(postgresql|mysql|sqlserver|oracle|sqlite)$ ]]; then
+          CMD="$CMD --dialect $DIALECT"
+        fi
+
+        # Add strict mode if enabled
+        if [ "${{ inputs.strict }}" = "true" ]; then
+          CMD="$CMD --strict"
+        fi
+
+        # Read files and run validation to generate SARIF
+        cat /tmp/gosqlx-files.txt | tr '\n' ' ' | xargs $CMD || true
+
+        # Check if SARIF file was created
+        if [ -f "gosqlx-results.sarif" ]; then
+          echo "✓ SARIF report generated: gosqlx-results.sarif"
+          echo "sarif-file=gosqlx-results.sarif" >> $GITHUB_OUTPUT
+        else
+          echo "::warning::SARIF report generation failed"
+        fi
+
+        echo "::endgroup::"
+
+    - name: Upload SARIF to GitHub Code Scanning
+      if: inputs.sarif-output == 'true' && steps.sarif.outputs.sarif-file != ''
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ inputs.working-directory }}/gosqlx-results.sarif
+        category: gosqlx-sql-validation
+
     - name: Check SQL formatting
       id: format-check
       if: inputs.format-check == 'true' && steps.find-files.outputs.file-count != '0'

cmd/gosqlx/cmd/format.go

@@ -67,7 +67,7 @@ func formatRun(cmd *cobra.Command, args []string) error {
 		Check:      formatCheck,
 		MaxLine:    formatMaxLine,
 		Verbose:    verbose,
-		Output:     output,
+		Output:     outputFile,
 	})
 
 	// Create formatter with injectable output writers

cmd/gosqlx/cmd/root.go

@@ -4,11 +4,14 @@ import (
 	"github.com/spf13/cobra"
 )
 
+// Version is the current version of gosqlx CLI
+var Version = "1.4.0"
+
 var (
 	// Global flags
-	verbose bool
-	output  string
-	format  string
+	verbose    bool
+	outputFile string
+	format     string
 )
 
 // rootCmd represents the base command when called without any subcommands
@@ -42,6 +45,6 @@ func Execute() error {
 func init() {
 	// Global flags
 	rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "enable verbose output")
-	rootCmd.PersistentFlags().StringVarP(&output, "output", "o", "", "output file (default: stdout)")
+	rootCmd.PersistentFlags().StringVarP(&outputFile, "output", "o", "", "output file (default: stdout)")
 	rootCmd.PersistentFlags().StringVarP(&format, "format", "f", "auto", "output format: json, yaml, table, tree, auto")
 }

cmd/gosqlx/cmd/validate.go

@@ -1,21 +1,25 @@
 package cmd
 
 import (
+	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 
 	"github.com/ajitpratap0/GoSQLX/cmd/gosqlx/internal/config"
+	"github.com/ajitpratap0/GoSQLX/cmd/gosqlx/internal/output"
 )
 
 var (
-	validateRecursive bool
-	validatePattern   string
-	validateQuiet     bool
-	validateStats     bool
-	validateDialect   string
-	validateStrict    bool
+	validateRecursive    bool
+	validatePattern      string
+	validateQuiet        bool
+	validateStats        bool
+	validateDialect      string
+	validateStrict       bool
+	validateOutputFormat string
+	validateOutputFile   string
 )
 
 // validateCmd represents the validate command
@@ -31,6 +35,12 @@ Examples:
   gosqlx validate -r ./queries/          # Recursively validate directory
   gosqlx validate --quiet query.sql      # Quiet mode (exit code only)
   gosqlx validate --stats ./queries/     # Show performance statistics
+  gosqlx validate --output-format sarif --output-file results.sarif queries/  # SARIF output for GitHub Code Scanning
+
+Output Formats:
+  text  - Human-readable output (default)
+  json  - JSON format for programmatic consumption
+  sarif - SARIF 2.1.0 format for GitHub Code Scanning integration
 
 Performance Target: <10ms for typical queries (50-500 characters)
 Throughput: 100+ files/second in batch mode`,
@@ -46,6 +56,11 @@ func validateRun(cmd *cobra.Command, args []string) error {
 		cfg = config.DefaultConfig()
 	}
 
+	// Validate output format
+	if validateOutputFormat != "" && validateOutputFormat != "text" && validateOutputFormat != "json" && validateOutputFormat != "sarif" {
+		return fmt.Errorf("invalid output format: %s (valid options: text, json, sarif)", validateOutputFormat)
+	}
+
 	// Track which flags were explicitly set
 	flagsChanged := make(map[string]bool)
 	cmd.Flags().Visit(func(f *pflag.Flag) {
@@ -58,10 +73,13 @@ func validateRun(cmd *cobra.Command, args []string) error {
 	}
 
 	// Create validator options from config and flags
+	// When outputting SARIF, automatically enable quiet mode to avoid mixing output
+	quietMode := validateQuiet || validateOutputFormat == "sarif"
+
 	opts := ValidatorOptionsFromConfig(cfg, flagsChanged, ValidatorFlags{
 		Recursive:  validateRecursive,
 		Pattern:    validatePattern,
-		Quiet:      validateQuiet,
+		Quiet:      quietMode,
 		ShowStats:  validateStats,
 		Dialect:    validateDialect,
 		StrictMode: validateStrict,
@@ -77,6 +95,31 @@ func validateRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Handle different output formats
+	if validateOutputFormat == "sarif" {
+		// Generate SARIF output
+		sarifData, err := output.FormatSARIF(result, Version)
+		if err != nil {
+			return fmt.Errorf("failed to generate SARIF output: %w", err)
+		}
+
+		// Write SARIF output to file or stdout
+		if validateOutputFile != "" {
+			if err := os.WriteFile(validateOutputFile, sarifData, 0644); err != nil {
+				return fmt.Errorf("failed to write SARIF output: %w", err)
+			}
+			if !opts.Quiet {
+				fmt.Fprintf(cmd.OutOrStdout(), "SARIF output written to %s\n", validateOutputFile)
+			}
+		} else {
+			fmt.Fprint(cmd.OutOrStdout(), string(sarifData))
+		}
+	} else if validateOutputFormat == "json" {
+		// JSON output format will be implemented later
+		return fmt.Errorf("JSON output format not yet implemented")
+	}
+	// Default text output is already handled by the validator
+
 	// Exit with error code if there were invalid files
 	if result.InvalidFiles > 0 {
 		os.Exit(1)
@@ -94,4 +137,6 @@ func init() {
 	validateCmd.Flags().BoolVarP(&validateStats, "stats", "s", false, "show performance statistics")
 	validateCmd.Flags().StringVar(&validateDialect, "dialect", "", "SQL dialect: postgresql, mysql, sqlserver, oracle, sqlite (config: validate.dialect)")
 	validateCmd.Flags().BoolVar(&validateStrict, "strict", false, "enable strict validation mode (config: validate.strict_mode)")
+	validateCmd.Flags().StringVar(&validateOutputFormat, "output-format", "text", "output format: text, json, sarif")
+	validateCmd.Flags().StringVar(&validateOutputFile, "output-file", "", "output file path (default: stdout)")
 }

cmd/gosqlx/cmd/validator.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/ajitpratap0/GoSQLX/cmd/gosqlx/internal/config"
+	"github.com/ajitpratap0/GoSQLX/cmd/gosqlx/internal/output"
 	"github.com/ajitpratap0/GoSQLX/pkg/sql/ast"
 	"github.com/ajitpratap0/GoSQLX/pkg/sql/parser"
 	"github.com/ajitpratap0/GoSQLX/pkg/sql/tokenizer"
@@ -32,24 +33,6 @@ type Validator struct {
 	Opts ValidatorOptions
 }
 
-// ValidationResult contains the results of a validation run
-type ValidationResult struct {
-	TotalFiles   int
-	ValidFiles   int
-	InvalidFiles int
-	TotalBytes   int64
-	Duration     time.Duration
-	Files        []FileValidationResult
-}
-
-// FileValidationResult contains the result for a single file
-type FileValidationResult struct {
-	Path  string
-	Valid bool
-	Size  int64
-	Error error
-}
-
 // NewValidator creates a new Validator with the given options
 func NewValidator(out, err io.Writer, opts ValidatorOptions) *Validator {
 	return &Validator{
@@ -60,7 +43,7 @@ func NewValidator(out, err io.Writer, opts ValidatorOptions) *Validator {
 }
 
 // Validate validates the given SQL files or patterns
-func (v *Validator) Validate(args []string) (*ValidationResult, error) {
+func (v *Validator) Validate(args []string) (*output.ValidationResult, error) {
 	startTime := time.Now()
 
 	// Expand file arguments (glob patterns, directories, etc.)
@@ -73,8 +56,8 @@ func (v *Validator) Validate(args []string) (*ValidationResult, error) {
 		return nil, fmt.Errorf("no SQL files found matching the specified patterns")
 	}
 
-	result := &ValidationResult{
-		Files: make([]FileValidationResult, 0, len(files)),
+	result := &output.ValidationResult{
+		Files: make([]output.FileValidationResult, 0, len(files)),
 	}
 
 	// Validate each file
@@ -116,8 +99,8 @@ func (v *Validator) Validate(args []string) (*ValidationResult, error) {
 }
 
 // validateFile validates a single SQL file
-func (v *Validator) validateFile(filename string) FileValidationResult {
-	result := FileValidationResult{
+func (v *Validator) validateFile(filename string) output.FileValidationResult {
+	result := output.FileValidationResult{
 		Path: filename,
 	}
 
@@ -235,7 +218,7 @@ func (v *Validator) isDirectory(path string) bool {
 }
 
 // displayStats displays validation statistics
-func (v *Validator) displayStats(result *ValidationResult) {
+func (v *Validator) displayStats(result *output.ValidationResult) {
 	fmt.Fprintf(v.Out, "\n📊 Validation Statistics:\n")
 	fmt.Fprintf(v.Out, "   Files processed: %d\n", result.TotalFiles)
 	fmt.Fprintf(v.Out, "   Valid files: %d\n", result.ValidFiles)
@@ -296,7 +279,8 @@ func ValidatorOptionsFromConfig(cfg *config.Config, flagsChanged map[string]bool
 	if flagsChanged["pattern"] {
 		opts.Pattern = flags.Pattern
 	}
-	if flagsChanged["quiet"] {
+	// Always use quiet flag value (may be set programmatically for SARIF output)
+	if flagsChanged["quiet"] || flags.Quiet {
 		opts.Quiet = flags.Quiet
 	}
 	if flagsChanged["stats"] {

cmd/gosqlx/cmd/validator_test.go

@@ -7,6 +7,8 @@ import (
 	"runtime"
 	"strings"
 	"testing"
+
+	"github.com/ajitpratap0/GoSQLX/cmd/gosqlx/internal/output"
 )
 
 // TestValidator_ValidateFile tests single file validation
@@ -394,7 +396,7 @@ func TestValidator_DisplayStats(t *testing.T) {
 	var buf bytes.Buffer
 	validator := NewValidator(&buf, &buf, ValidatorOptions{})
 
-	result := &ValidationResult{
+	result := &output.ValidationResult{
 		TotalFiles:   10,
 		ValidFiles:   8,
 		InvalidFiles: 2,