
CLI-04: Emit SARIF for code scanning

--format sarif produces a SARIF 2.1.0 log ready to upload to GitHub code scanning.

Builds on: CLI-03: Switch to JSON output

A terminal session: the command as you’d run it, followed by the output it prints; trailing comments note the exit status.

# same run as SARIF 2.1.0 for GitHub code scanning (no run summary)
markdown-contract validate ./decisions --contract decisions.contract.yaml --format sarif > results.sarif
# results.sarif:
{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "markdown-contract",
          "rules": [
            {
              "id": "structure/section-missing"
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "structure/section-missing",
          "level": "error",
          "message": {
            "text": "required section ‘Decision’ is missing"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "D-9001.md"
                },
                "region": {
                  "startLine": 8
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
# SARIF level mapping: error→error, warn→warning, report→note; exit status: 1
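The shape above, reproduced as an added JavaScript example that is not markdown-contract's own formatSarif: it applies the documented level mapping (error→error, warn→warning, report→note), deduplicates ruleIds into driver.rules, and checks that every result references a declared rule before the log is uploaded. The finding shape {rule, severity, file, line, message}, the sample findings and the rule id "style/constructed-rule" are assumptions.

```javascript
// Added example, not the project's code. Finding shape is an assumption.
const SARIF_SCHEMA =
  "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json";

// Contract severity -> SARIF result.level, as documented on this page.
const LEVEL_MAP = { error: "error", warn: "warning", report: "note" };

function toSarifLevel(severity) {
  const level = LEVEL_MAP[severity];
  // Refuse to emit a log that code scanning would reject as invalid.
  if (level === undefined) throw new Error(`unknown severity "${severity}"`);
  return level;
}

function formatSarif(findings, toolName = "markdown-contract") {
  // driver.rules lists every referenced ruleId exactly once.
  const ruleIds = [...new Set(findings.map((f) => f.rule))];
  const results = findings.map((f) => ({
    ruleId: f.rule,
    level: toSarifLevel(f.severity),
    message: { text: f.message },
    locations: [{ physicalLocation: {
      artifactLocation: { uri: f.file }, region: { startLine: f.line } } }],
  }));
  return {
    version: "2.1.0",
    $schema: SARIF_SCHEMA,
    runs: [{ tool: { driver: { name: toolName, rules: ruleIds.map((id) => ({ id })) } }, results }],
  };
}

// Pre-upload check: every result.ruleId must appear in driver.rules.
function rulesConsistent(sarif) {
  const run = sarif.runs[0];
  const declared = new Set(run.tool.driver.rules.map((r) => r.id));
  return run.results.every((r) => declared.has(r.ruleId));
}

// Constructed sample findings: the one from the session above plus two more.
const SAMPLE_FINDINGS = [
  { rule: "structure/section-missing", severity: "error", file: "D-9001.md", line: 8,
    message: "required section 'Decision' is missing" },
  { rule: "structure/section-missing", severity: "warn", file: "D-9002.md", line: 12,
    message: "required section 'Decision' is missing" },
  { rule: "style/constructed-rule", severity: "report", file: "D-9003.md", line: 1,
    message: "constructed informational finding" },
];

console.log(JSON.stringify(formatSarif(SAMPLE_FINDINGS), null, 2));
```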
  • --format sarif
  • formatSarif (SARIF 2.1.0, driver.rules, physicalLocation.region.startLine)
  • error→error, warn→warning, report→note