Description
GitHub Code Scanning ingests findings in SARIF 2.1.0 and renders them inline on pull requests. Emitting SARIF alongside the existing attackmap-report.json would make AttackMap useful in a PR workflow with zero downstream integration cost.
The Finding model already has everything SARIF needs: title → message.text, severity → level (error/warning/note), evidence → locations, mitigation → help.text, tags/score → properties.
Tasks
- Add
attackmap-report.sarif to the report output alongside the existing JSON
- Map:
severity: high → SARIF level: error
severity: medium → SARIF level: warning
severity: low → SARIF level: note
evidence[] entries containing file:line → locations[].physicalLocation
tags[] → properties.tags
score → properties.rank (SARIF supports numeric rank 0-100 for prioritization)
confidence → properties.securitySeverityScore (interpretation left to consumers)
attack_paths → SARIF codeFlows where possible (each step becomes a threadFlowLocation)
- Include AttackMap version + analyzer versions in
tool.driver.rules / tool.driver.version
- Add a CLI flag or env var to opt in/out (default: emit both JSON + SARIF)
- Test against the GitHub SARIF validator locally (
gh api /repos/{owner}/{repo}/code-scanning/analyses accepts uploads)
Acceptance Criteria
attackmap analyze <repo> writes both attackmap-report.json and attackmap-report.sarif
- The SARIF passes
jsonschema validation against the SARIF 2.1.0 schema
- Uploaded via
github/codeql-action/upload-sarif@v3 to a test repo, findings appear on the Security → Code scanning tab
- The 3 example apps produce SARIF that reflects their known finding counts + severities
- Documented in the README with a copy-pastable
.github/workflows/attackmap.yml snippet
Description
GitHub Code Scanning ingests findings in SARIF 2.1.0 and renders them inline on pull requests. Emitting SARIF alongside the existing
attackmap-report.jsonwould make AttackMap useful in a PR workflow with zero downstream integration cost.The
Findingmodel already has everything SARIF needs:title→message.text,severity→level(error/warning/note),evidence→locations,mitigation→help.text,tags/score→properties.Tasks
attackmap-report.sarifto the report output alongside the existing JSONseverity: high→ SARIFlevel: errorseverity: medium→ SARIFlevel: warningseverity: low→ SARIFlevel: noteevidence[]entries containingfile:line→locations[].physicalLocationtags[]→properties.tagsscore→properties.rank(SARIF supports numeric rank 0-100 for prioritization)confidence→properties.securitySeverityScore(interpretation left to consumers)attack_paths→ SARIFcodeFlowswhere possible (each step becomes athreadFlowLocation)tool.driver.rules/tool.driver.versiongh api /repos/{owner}/{repo}/code-scanning/analysesaccepts uploads)Acceptance Criteria
attackmap analyze <repo>writes bothattackmap-report.jsonandattackmap-report.sarifjsonschemavalidation against the SARIF 2.1.0 schemagithub/codeql-action/upload-sarif@v3to a test repo, findings appear on the Security → Code scanning tab.github/workflows/attackmap.ymlsnippet