Introduce --format flag to conditionally generate SARIF report #70
Merged
gayaldassanayake merged 11 commits into ballerina-platform:main from nureka-rodrigo:sarif on Aug 6, 2025
| 5. Run analysis and specify the output format (json or sarif). | ||
|
|
||
| ```bash | ||
| bal scan --format=sarif |
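Review bot: step 5 on the first added line offers two formats (json or sarif), but the example only shows `--format=sarif` and the step does not say what happens when the flag is omitted. The PR description says JSON stays the default, so add that to the step text, for example "(json is the default)", and consider showing the json invocation as well so both accepted values are documented.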
Contributor
Suggested change
| bal scan --format=sarif | |
| $ bal scan --format=sarif |
Pull Request Overview
This PR introduces SARIF (Static Analysis Results Interchange Format) support as an alternative to the existing JSON output format. The implementation adds a new --format flag to the CLI that accepts either "json" or "sarif" values, with JSON remaining the default format to preserve backward compatibility.
Key changes include:
- Added `ReportFormat` enum to handle format validation and conversion
- Implemented SARIF output generation with proper schema compliance and severity mapping
- Updated CLI help documentation and test coverage for the new format option
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scan-command/src/main/java/io/ballerina/scan/ReportFormat.java | New enum defining supported report formats with validation |
| scan-command/src/main/java/io/ballerina/scan/internal/ScanCmd.java | Updated command class to support format option and SARIF output generation |
| scan-command/src/main/java/io/ballerina/scan/utils/ScanUtils.java | Enhanced utility methods to support SARIF format generation and output |
| scan-command/src/main/java/io/ballerina/scan/utils/Constants.java | Added SARIF-related constants for schema and tool metadata |
| scan-command/src/test/java/io/ballerina/scan/internal/ScanCmdTest.java | Comprehensive test coverage for format validation and output generation |
| scan-command-test-utils/src/main/java/io/ballerina/scan/test/TestOptions.java | Updated test utilities to support format testing |
| Documentation files | Updated help text and README with format option examples |
…g or creating entries
gayaldassanayake approved these changes on Aug 6, 2025
Purpose
Fixes: #68
Approach
This PR adds support for the Static Analysis Results Interchange Format (SARIF) in addition to the existing `JSON` output. The implementation preserves backward compatibility and introduces `SARIF` as an alternative reporting option for improved integration with external development tools.

A new `convertIssuesToSarifString` method has been implemented to generate `SARIF`-compliant output by mapping internal `Issue` objects to the `SARIF` schema, including sections such as `runs`, `driver`, `rules`, and `results`. Severity levels defined by `RuleKind` are translated to their `SARIF` equivalents using a helper method, and detailed source location data—including line and column positions—is included in the output.

The `Gson` library continues to be used for pretty-printing in both `JSON` and `SARIF` formats. Output format selection is handled via a new `--format` flag in the CLI, with input validation to restrict accepted values. Both console and file output workflows support the new format, with `JSON` remaining the default when no format is specified.

Check List
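The mapping described in the Approach section, sketched as an added example (not the pull request's Java code): issue records become a SARIF 2.1.0 log with `runs`, `tool.driver.rules` and `results`. The rule-kind names, the kind-to-level table, the 0-based input positions, the tool name and the sample issues are assumptions made for illustration.

```python
import json

# Assumed rule kinds and SARIF levels; the PR's actual mapping is not shown on the page.
LEVEL_BY_KIND = {"VULNERABILITY": "error", "BUG": "warning", "CODE_SMELL": "note"}

def issues_to_sarif(issues, tool_name="example-scanner"):
    """Build a SARIF 2.1.0 log (runs -> tool.driver.rules + results) from issue dicts."""
    rules, rule_index, results = [], {}, []
    for issue in issues:
        rule_id = issue["rule_id"]
        if rule_id not in rule_index:  # each rule appears once in driver.rules
            rule_index[rule_id] = len(rules)
            rules.append({"id": rule_id,
                          "shortDescription": {"text": issue["description"]}})
        results.append({
            "ruleId": rule_id,
            "ruleIndex": rule_index[rule_id],
            # Unknown kinds fall back to "warning", SARIF's default result level.
            "level": LEVEL_BY_KIND.get(issue["kind"], "warning"),
            "message": {"text": issue["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": issue["file"]},
                # SARIF regions are 1-based; input positions are assumed 0-based.
                "region": {"startLine": issue["line"] + 1,
                           "startColumn": issue["column"] + 1},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }

# Constructed sample input (not real scan output).
SAMPLE_ISSUES = [
    {"rule_id": "example:1", "kind": "VULNERABILITY", "description": "Hard-coded secret",
     "message": "Secret literal in source", "file": "main.bal", "line": 9, "column": 4},
    {"rule_id": "example:2", "kind": "CODE_SMELL", "description": "Unused variable",
     "message": "Variable 'x' is never used", "file": "main.bal", "line": 20, "column": 0},
    {"rule_id": "example:1", "kind": "VULNERABILITY", "description": "Hard-coded secret",
     "message": "Secret literal in source", "file": "util.bal", "line": 2, "column": 8},
]

if __name__ == "__main__":
    print(json.dumps(issues_to_sarif(SAMPLE_ISSUES), indent=2))
```

Consumers that ingest SARIF for code scanning resolve each result through `ruleId`/`ruleIndex`, so de-duplicating rules and emitting 1-based regions are the two details most likely to break an upload if missed.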