Add SARIF output format to mix hex.audit#1203
Open
maennchen wants to merge 2 commits into
Open
Conversation
Hex.Shell.warn/1 wrote to stdout via Mix.shell().info/1, so warnings like the expired-authentication notice or the stale mix.lock version warning polluted machine-readable stdout output such as `mix hex.outdated --json`. Route warn/1 through Mix.shell().error/1, which prints to stderr, keeping the yellow warning color. Warning-colored lines that are part of a command's regular stdout output (the retirement reason in the `mix deps.get` dependency listing and the retirement notice in `mix hex.info`) stay on stdout and are now printed as yellow-formatted info lines instead.
Add a --format sarif option that renders the audit result as a SARIF v2.1.0 document, plus an --output PATH option to write it to a file instead of stdout. This allows uploading audit findings to GitHub code scanning and other SARIF consumers; the moduledoc documents a complete GitHub Actions workflow using github/codeql-action/upload-sarif. Retirements map to one rule per retirement reason (HEX0001 to HEX0005, with security retirements defaulting to level error) and advisories map to one rule per advisory identifier so each alert carries its own severity score, title and help link. Results are anchored to the dependency entry in mix.lock, relative to the git repository root when available, with region and context region snippets. The run includes git-derived version control provenance (with credentials stripped from the repository URL), stable partial fingerprints, and messages that carry both resolved text and template arguments. Ignored findings are included with a suppression so they show up as closed alerts. The exit code behaves the same as with the human format. SARIF output requires the OTP 27 :json module, matching mix hex.outdated --json.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a
--formatsarif option that renders the audit result as a SARIF v2.1.0 document, plus an--output PATHoption to write it to a file instead of stdout. This allows uploading audit findings to GitHub code scanning and other SARIF consumers; themoduledocdocuments a complete GitHub Actions workflow usinggithub/codeql-action/upload-sarif.Retirements map to one rule per retirement reason (HEX0001 to HEX0005, with security retirements defaulting to level error) and advisories map to one rule per advisory identifier so each alert carries its own severity score, title and help link. Results are anchored to the dependency entry in
mix.lock, relative to the git repository root when available, with region and context region snippets. The run includes git-derived version control provenance (with credentials stripped fromthe repository URL), stable partial fingerprints, and messages that carry both resolved text and template arguments. Ignored findings are included with a suppression so they show up as closed alerts.
The exit code behaves the same as with the human format. SARIF output requires the OTP 27
jsonmodule, matchingmix hex.outdated --json.Needs #1202