Skip to content

Emit SARIF report for GitHub Code Scanning #42

Description

@mdavistffhrtporg

Description

GitHub Code Scanning ingests findings in SARIF 2.1.0 and renders them inline on pull requests. Emitting SARIF alongside the existing attackmap-report.json would make AttackMap useful in a PR workflow with zero downstream integration cost.

The Finding model already has everything SARIF needs: titlemessage.text, severitylevel (error/warning/note), evidencelocations, mitigationhelp.text, tags/scoreproperties.

Tasks

  • Add attackmap-report.sarif to the report output alongside the existing JSON
  • Map:
    • severity: high → SARIF level: error
    • severity: medium → SARIF level: warning
    • severity: low → SARIF level: note
    • evidence[] entries containing file:linelocations[].physicalLocation
    • tags[]properties.tags
    • scoreproperties.rank (SARIF supports numeric rank 0-100 for prioritization)
    • confidenceproperties.securitySeverityScore (interpretation left to consumers)
  • attack_paths → SARIF codeFlows where possible (each step becomes a threadFlowLocation)
  • Include AttackMap version + analyzer versions in tool.driver.rules / tool.driver.version
  • Add a CLI flag or env var to opt in/out (default: emit both JSON + SARIF)
  • Test against the GitHub SARIF validator locally (gh api /repos/{owner}/{repo}/code-scanning/analyses accepts uploads)

Acceptance Criteria

  • attackmap analyze <repo> writes both attackmap-report.json and attackmap-report.sarif
  • The SARIF passes jsonschema validation against the SARIF 2.1.0 schema
  • Uploaded via github/codeql-action/upload-sarif@v3 to a test repo, findings appear on the Security → Code scanning tab
  • The 3 example apps produce SARIF that reflects their known finding counts + severities
  • Documented in the README with a copy-pastable .github/workflows/attackmap.yml snippet

Metadata

Metadata

Assignees

No one assigned

    Labels

    coreMigrated from GitLabenhancementMigrated from GitLabpriority-2Migrated from GitLab

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions