feat(lint): add sarif output for catalog checks

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-01 11:59:46 +00:00 · 2026-04-01 11:59:46 +00:00 · c7d6db8ee2
commit c7d6db8ee2
parent 19f098cf43
2 changed files with 35 additions and 1 deletions
--- a/cmd/core-lint/main.go
+++ b/cmd/core-lint/main.go
@ -306,6 +306,12 @@ func newCheckCommand() *cli.Command {
 			return lintpkg.WriteJSON(command.OutOrStdout(), findings)
 		case "jsonl":
 			return lintpkg.WriteJSONL(command.OutOrStdout(), findings)
+		case "sarif":
+			report := lintpkg.Report{
+				Findings: findings,
+				Summary:  lintpkg.Summarise(findings),
+			}
+			return lintpkg.WriteReportSARIF(command.OutOrStdout(), report)
 		default:
 			lintpkg.WriteText(command.OutOrStdout(), findings)
 			if format == "text" && len(findings) > 0 {
@ -315,7 +321,7 @@ func newCheckCommand() *cli.Command {
 		}
 	})

-	cli.StringFlag(command, &format, "format", "f", "text", "Output format: text, json, jsonl")
+	cli.StringFlag(command, &format, "format", "f", "text", "Output format: text, json, jsonl, sarif")
 	cli.StringFlag(command, &language, "lang", "l", "", "Filter rules by language")
 	cli.StringFlag(command, &severity, "severity", "s", "", "Minimum severity threshold (info, low, medium, high, critical)")

--- a/cmd/core-lint/main_test.go
+++ b/cmd/core-lint/main_test.go
@ -167,6 +167,34 @@ func TestCLI_Tools_TextIncludesMetadata(t *testing.T) {
 	assert.Contains(t, text, "entitlement=lint.security")
 }

+func TestCLI_LintCheck_SARIF(t *testing.T) {
+	buildCLI(t)
+
+	repoRoot := repoRoot(t)
+	stdout, stderr, exitCode := runCLI(t, repoRoot, "lint", "check", "--format", "sarif", "tests/cli/lint/check/fixtures")
+	assert.Equal(t, 0, exitCode, stderr)
+
+	var sarif struct {
+		Version string `json:"version"`
+		Runs    []struct {
+			Tool struct {
+				Driver struct {
+					Name string `json:"name"`
+				} `json:"driver"`
+			} `json:"tool"`
+			Results []struct {
+				RuleID string `json:"ruleId"`
+			} `json:"results"`
+		} `json:"runs"`
+	}
+	require.NoError(t, json.Unmarshal([]byte(stdout), &sarif))
+	require.Equal(t, "2.1.0", sarif.Version)
+	require.Len(t, sarif.Runs, 1)
+	assert.Equal(t, "core-lint", sarif.Runs[0].Tool.Driver.Name)
+	require.Len(t, sarif.Runs[0].Results, 1)
+	assert.Equal(t, "go-cor-003", sarif.Runs[0].Results[0].RuleID)
+}
+
 func TestCLI_HookInstallRemove(t *testing.T) {
 	if _, err := exec.LookPath("git"); err != nil {
 		t.Skip("git not available")