feat(scanner): add SARIF 2.1.0 output format to scan-orchestrator (--format sarif)

New sarif-formatter.mjs converts the scan envelope to the OASIS SARIF 2.1.0 standard.
Maps severity to SARIF levels, findings to results with locations and rules.
scan-orchestrator accepts --format sarif|json (default: json).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-10 13:22:59 +02:00
commit 2116e702df
3 changed files with 305 additions and 3 deletions


@ -11,6 +11,7 @@ import { tmpdir } from 'node:os';
import { discoverFiles } from './lib/file-discovery.mjs';
import { envelope, resetCounter } from './lib/output.mjs';
import { saveBaseline, diffAgainstBaseline, extractFindings } from './lib/diff-engine.mjs';
import { toSARIF } from './lib/sarif-formatter.mjs';
// ---------------------------------------------------------------------------
// .llm-security-ignore support
@ -122,12 +123,14 @@ const SCANNERS = [
// CLI arg parsing — supports --log-file <path>
// ---------------------------------------------------------------------------
function parseArgs(argv) {
const args = { target: null, logFile: null, outputFile: null, baseline: false, saveBaseline: false };
const args = { target: null, logFile: null, outputFile: null, baseline: false, saveBaseline: false, format: 'json' };
for (let i = 2; i < argv.length; i++) {
if (argv[i] === '--log-file' && argv[i + 1]) {
args.logFile = argv[++i];
} else if (argv[i] === '--output-file' && argv[i + 1]) {
args.outputFile = argv[++i];
} else if (argv[i] === '--format' && argv[i + 1]) {
args.format = argv[++i];
} else if (argv[i] === '--baseline') {
args.baseline = true;
} else if (argv[i] === '--save-baseline') {
@ -245,8 +248,9 @@ async function main() {
log(`[deep-scan] Baseline saved: ${savedPath}\n`);
}
// Output JSON: to file (--output-file) or stdout
const jsonStr = JSON.stringify(output, null, 2) + '\n';
// Output: SARIF or JSON, to file (--output-file) or stdout
const finalOutput = args.format === 'sarif' ? toSARIF(output) : output;
const jsonStr = JSON.stringify(finalOutput, null, 2) + '\n';
if (args.outputFile) {
writeFileSync(args.outputFile, jsonStr);
output.output_file = args.outputFile;