sarif

package
v1.220.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 28, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package sarif parses SARIF 2.1.0 documents into a normalized Findings representation usable by hook ResultHandlers. It is intentionally lenient: tools emit subtly different SARIF (rule ID format, level mapping, location shape), so the parser tolerates missing or unusual fields rather than erroring out.

Reference spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultOutputFile 

func DefaultOutputFile(ctx *hooks.ExecContext) string

DefaultOutputFile returns ctx.OutputFile. Used by tools that write a single output file (checkov, trivy).

func NewResultHandler 

func NewResultHandler(opts HandlerOptions) hooks.ResultHandler

NewResultHandler returns a hooks.ResultHandler that reads SARIF from opts.OutputPath, parses it via Parse, and produces a Summary with a single markdown body used by every consumer (terminal, Pro, PR comments).

func RenderMarkdown 

func RenderMarkdown(f *Findings, opts RenderMarkdownOptions) string

RenderMarkdown produces a Summary-style markdown body from Findings. The same body is what appears in the user's terminal, on the Pro run page, and in PR comments — format symmetry per the PRD.

Types

type Finding 

type Finding struct {
	// RuleID is the tool's rule identifier (e.g., "CKV_AWS_19").
	RuleID string
	// Severity is the normalized severity bucket.
	Severity Severity
	// Message is the human-readable finding description. We prefer the
	// rule's shortDescription (when SARIF includes it — most tools do)
	// because tools like trivy stuff a multi-line envelope of metadata
	// into result.message.text instead of a short description.
	Message string
	// File is the file path (relative to scanned root) the finding refers to.
	File string
	// Line is the 1-based line number; 0 if unknown.
	Line int
	// Tool is the producer's driver name (e.g., "checkov", "trivy", "kics").
	Tool string
	// HelpURI is the per-rule remediation link from SARIF's
	// tool.driver.rules[].helpUri, when present. Renderers turn the
	// rule ID into a clickable link to this URL so users can jump to
	// the official guideline page directly from the summary.
	HelpURI string
}

Finding is one normalized issue extracted from a SARIF document.

type Findings 

type Findings struct {
	// Tool is the driver name from the first run (most SARIF docs have one run).
	Tool string
	// Findings is the flattened list across all runs in the document.
	Findings []Finding
}

Findings is a parsed SARIF document.

func Parse 

func Parse(data []byte) (*Findings, error)

Parse decodes a SARIF document and returns normalized Findings. Empty input or zero-finding documents yield a non-nil Findings with Tool="" and Findings=nil (callers should check Count()).

func (*Findings) Count 

func (f *Findings) Count() int

Count returns the total number of findings.

func (*Findings) CountsBySeverity 

func (f *Findings) CountsBySeverity() map[string]int

CountsBySeverity returns a map of severity name → count. Keys are the canonical lowercase severity names ("critical", "high", "medium", "low", "info"). Severities with zero findings are omitted.

func (*Findings) HighestSeverity 

func (f *Findings) HighestSeverity() Severity

HighestSeverity returns the most-severe Severity present, or SeverityInfo if there are no findings (so callers can treat "no findings" as info-level).

func (*Findings) SortedBySeverity 

func (f *Findings) SortedBySeverity() []Finding

SortedBySeverity returns a copy of Findings ordered most-severe first. Ties are broken by rule ID, then by file:line for stable output.

type HandlerOptions 

type HandlerOptions struct {
	// Kind is the registered hook kind name (e.g., "checkov", "trivy", "kics").
	Kind string
	// OutputPath returns the file path to read SARIF from given the
	// ExecContext. Use DefaultOutputFile for tools that write to a single
	// file (checkov, trivy). KICS needs a custom path because it writes
	// `results.sarif` inside ATMOS_OUTPUT_DIR rather than to ATMOS_OUTPUT_FILE.
	OutputPath func(ctx *hooks.ExecContext) string
	// MaxFindings caps how many individual findings appear in the markdown
	// table. Defaults to 10 when zero.
	MaxFindings int
}

HandlerOptions configures how NewResultHandler reads SARIF.

type RenderMarkdownOptions 

type RenderMarkdownOptions struct {
	// MaxFindings caps how many individual findings appear in the table.
	// Defaults to defaultMaxFindings when zero.
	MaxFindings int
	// Tool is shown in the header (e.g., "trivy", "checkov"). Falls back to
	// Findings.Tool when empty.
	Tool string
}

RenderMarkdownOptions controls how a Findings is rendered to markdown.

type Severity 

type Severity int

Severity is the normalized severity of a finding. It maps SARIF's `level` + `properties.severity` into a single Atmos-internal scale. 

const (
	SeverityCritical Severity = iota
	SeverityHigh
	SeverityMedium
	SeverityLow
	SeverityInfo
)

Severity values are ordered from most to least severe to make sorting natural (a < b means a is more severe).

func (Severity) String 

func (s Severity) String() string

String returns the canonical lowercase name.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.