Enable reporting in SARIF format for structured and more standardised output, while being format agnostic.
Motivation and context
While executing via automated pipelines, the SARIF format would enable post-processing into itemised recommendations which can be actionable by assigning their resolution to different individuals in an organisation.
Implementation notes
While mostly beneficial in automated processes, the SARIF format benefits already from existing tooling to view, analyse and transform. The implementation should foresee introduction of a new parameter next to CSV, HTML as SARIF and could process and transform the existing output to it.
Please provide details for implementation, such as:
Concrete example - in my organisation we built an Azure DevOps Pipeline to automate weekly execution of SCUBA and store output reports into Azure Repos. This enables tracking of progress, though not very structured (given HTML output). Furthermore, we have enabled processing of SARIF formats into Azure Test Plans by either creating failed test cases or simply creating Work Items of type Bugs for Assignees to deal with.
Acceptance criteria
Enabling the right format as Output report triggers the export as SARIF in accordance with the selected products to be evaluated
How do we know when this work is done?
Existence of a new parameter as Output format
Export of a SARIF format report for each of the supported products
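The transformation the implementation notes describe (existing tabular results converted to SARIF) could look like the sketch below. This is an added example, not part of the original issue or the project's code; the CSV column names, control IDs and tool name are hypothetical, and the sample rows are constructed.

```python
import csv, io, json

# Constructed sample; the column names and control IDs are hypothetical,
# not the tool's real CSV schema.
SAMPLE_CSV = """ControlID,Requirement,Result,Criticality,Details
EXAMPLE.AAD.1.1,Legacy authentication SHALL be blocked,Fail,Shall,0 policies found
EXAMPLE.AAD.2.1,Risky users SHOULD be reviewed,Warning,Should,Review not configured
EXAMPLE.EXO.1.1,Automatic forwarding SHALL be disabled,Pass,Shall,Requirement met
"""

# SARIF 2.1.0 allows level none/note/warning/error; any result whose kind
# is not "fail" (for example "pass" or "review") must carry level "none".
RESULT_MAP = {
    "Fail": ("fail", "error"),
    "Warning": ("fail", "warning"),
    "Pass": ("pass", "none"),
}

def csv_to_sarif(csv_text, tool_name="example-baseline-scanner"):
    rules, results = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule_id = row["ControlID"]
        # Unknown result strings become "review" so nothing is silently dropped.
        kind, level = RESULT_MAP.get(row["Result"], ("review", "none"))
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": row["Requirement"]},
            "properties": {"criticality": row["Criticality"]},
        })
        results.append({
            "ruleId": rule_id,
            "kind": kind,
            "level": level,
            "message": {"text": row["Details"] or row["Requirement"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }

def open_findings(sarif):
    """Rule IDs that a pipeline step could turn into work items."""
    return [r["ruleId"] for run in sarif["runs"] for r in run["results"] if r["kind"] == "fail"]

if __name__ == "__main__":
    print(json.dumps(csv_to_sarif(SAMPLE_CSV), indent=2))
```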