Skip to content

Add SARIF 2.1.0 output support#5126

Open
yogesh-garg-m wants to merge 5 commits into
trufflesecurity:mainfrom
yogesh-garg-m:sarif-output
Open

Add SARIF 2.1.0 output support#5126
yogesh-garg-m wants to merge 5 commits into
trufflesecurity:mainfrom
yogesh-garg-m:sarif-output

Conversation

@yogesh-garg-m

@yogesh-garg-m yogesh-garg-m commented Jul 14, 2026

Copy link
Copy Markdown

Summary

This PR adds native support for outputting TruffleHog scan results in the SARIF (Static Analysis Results Interchange Format) 2.1.0 format. This addresses open community requests for SARIF support, allowing users to seamlessly integrate TruffleHog with CI/CD security dashboards (like GitHub Code Scanning) without needing external conversion tools.

Changes Proposed

  • Added --sarif flag: Users can now pass the --sarif flag to any scan command (e.g., trufflehog filesystem . --sarif) to get purely SARIF-formatted JSON output.
  • Implemented SARIFPrinter: Created a new printer in pkg/output/sarif.go that collects findings thread-safely during the scan.
  • SARIF Schema Mapping: Maps TruffleHog findings to strict SARIF 2.1.0 definitions (https://json.schemastore.org/sarif-2.1.0.json). It dynamically builds the rules array based on the matched detectors and sets the level property to error for verified credentials and warning for unverified ones.
  • Unit Tests: Added comprehensive tests in sarif_test.go to validate SARIF output structure, deduplication logic, and deterministic rule sorting.

Design & Performance Optimizations

  • Single-Pass O(N) Deduplication & Extraction: Optimized the Flush routine to perform deduplication, metadata parsing, and object generation in a single iteration. We intentionally avoid duplicating the expensive structToMap (JSON marshal/unmarshal) reflection call on source metadata, ensuring highly performant execution on massive repositories with thousands of findings.
  • Strict JSON Serialization: Initialized all Go slice arrays to length 0 to ensure they serialize to empty arrays ([]) rather than null when a scan yields zero findings, making the output safer for strict SARIF parsers.
  • Clean API: All underlying Go mapping structs for the SARIF schema (e.g., sarifLog, sarifResult) have been kept unexported to prevent polluting the public API of the output package.

How to Test

  1. Build the binary:

    go build -o trufflehog .
  2. Run a scan against any target using the new flag:

    ./trufflehog filesystem /path/to/repo --sarif > results.sarif
  3. Validate the results.sarif output against the SARIF 2.1.0 schema or upload it to a SARIF-compatible platform (like GitHub Security).


Note

Low Risk
Additive output path and CLI flag only; scan/detection logic unchanged aside from mandatory Flush for buffered SARIF output.

Overview
Adds --sarif so scans can emit a single SARIF 2.1.0 JSON document for tools like GitHub Code Scanning, alongside existing JSON and GitHub Actions printers.

SARIFPrinter buffers findings during the run, then Flush builds one SARIF log: per-detector rules, results with file/line from source metadata, level error for verified and warning for unverified, deduplication by decoder/detector/verification/file/line, and sorted rules. main.go selects this printer when the flag is set, skips the stderr banner for machine output, and flushes any printer that implements Flush after normal and compare-detection scans.

Includes sarif_test.go for schema shape, dedupe, and rule ordering; .gitignore adds trufflehog.exe.

Reviewed by Cursor Bugbot for commit 30da8a0. Bugbot is set up for automated code reviews on this repo. Configure here.

@yogesh-garg-m
yogesh-garg-m requested a review from a team July 14, 2026 05:58
@yogesh-garg-m
yogesh-garg-m requested a review from a team as a code owner July 14, 2026 05:58
@CLAassistant

CLAassistant commented Jul 14, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Reviewed by Cursor Bugbot for commit a2c7904. Configure here.

Comment thread pkg/output/sarif.go Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants