Add SARIF 2.1.0 output support#5126
Open
yogesh-garg-m wants to merge 5 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit a2c7904. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Summary
This PR adds native support for outputting TruffleHog scan results in the SARIF (Static Analysis Results Interchange Format) 2.1.0 format. This addresses open community requests for SARIF support, allowing users to seamlessly integrate TruffleHog with CI/CD security dashboards (like GitHub Code Scanning) without needing external conversion tools.
Changes Proposed
--sarifflag: Users can now pass the--sarifflag to any scan command (e.g.,trufflehog filesystem . --sarif) to get purely SARIF-formatted JSON output.SARIFPrinter: Created a new printer inpkg/output/sarif.gothat collects findings thread-safely during the scan.https://json.schemastore.org/sarif-2.1.0.json). It dynamically builds therulesarray based on the matched detectors and sets thelevelproperty toerrorfor verified credentials andwarningfor unverified ones.sarif_test.goto validate SARIF output structure, deduplication logic, and deterministic rule sorting.Design & Performance Optimizations
Flushroutine to perform deduplication, metadata parsing, and object generation in a single iteration. We intentionally avoid duplicating the expensivestructToMap(JSON marshal/unmarshal) reflection call on source metadata, ensuring highly performant execution on massive repositories with thousands of findings.0to ensure they serialize to empty arrays ([]) rather thannullwhen a scan yields zero findings, making the output safer for strict SARIF parsers.sarifLog,sarifResult) have been kept unexported to prevent polluting the public API of theoutputpackage.How to Test
Build the binary:
go build -o trufflehog .Run a scan against any target using the new flag:
./trufflehog filesystem /path/to/repo --sarif > results.sarifValidate the
results.sarifoutput against the SARIF 2.1.0 schema or upload it to a SARIF-compatible platform (like GitHub Security).Note
Low Risk
Additive output path and CLI flag only; scan/detection logic unchanged aside from mandatory Flush for buffered SARIF output.
Overview
Adds
--sarifso scans can emit a single SARIF 2.1.0 JSON document for tools like GitHub Code Scanning, alongside existing JSON and GitHub Actions printers.SARIFPrinterbuffers findings during the run, thenFlushbuilds one SARIF log: per-detector rules, results with file/line from source metadata, levelerrorfor verified andwarningfor unverified, deduplication by decoder/detector/verification/file/line, and sorted rules.main.goselects this printer when the flag is set, skips the stderr banner for machine output, and flushes any printer that implementsFlushafter normal and compare-detection scans.Includes
sarif_test.gofor schema shape, dedupe, and rule ordering;.gitignoreaddstrufflehog.exe.Reviewed by Cursor Bugbot for commit 30da8a0. Bugbot is set up for automated code reviews on this repo. Configure here.