Explore support for direct upload of SARIF reports
Proposal
As discussed within #118496 (comment 1676276763) we should consider supporting uploads of SARIF reports directly within GitLab.
We currently convert SARIF internally from several analyzers, but we should consider supporting the report format as a direct report artifact upload, i.e. a job declaring:

```yaml
artifacts:
  reports:
    sarif: sarif.json
```
I'm not sure if we have a good proposal issue for the latter yet.
We need a spike to determine if the report format works well for us. There are some special aspects of our reports that may not map well enough to allow SARIF uploads directly (examples: our generic details field, our reliance on stable, ordered identifiers, differences in behavior between SARIF's treatment of suppressions vs. our vulnerability_flags, and SARIF's overly simplified severity levels).
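To make the caveats above concrete, here is an added sketch (not GitLab's internal converter) that maps a constructed SARIF 2.1.0 run into the shape of a GitLab security report: it collapses SARIF's four coarse levels into GitLab severities, derives a stable identifier from the result content because SARIF `partialFingerprints` are optional, and turns SARIF `suppressions` into GitLab `flags`. The `flags` field names follow the GitLab report schema as I recall it and are an assumption.

```python
import hashlib
import json

# Constructed minimal SARIF run (sample input, not from any real scanner).
SARIF_SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-analyzer", "rules": [
        {"id": "EX001", "shortDescription": {"text": "Hardcoded secret"}}]}},
    "results": [
        {"ruleId": "EX001", "level": "error", "message": {"text": "Secret found"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                             "region": {"startLine": 12}}}]},
        {"ruleId": "EX001", "level": "warning", "message": {"text": "Possible secret"},
         "suppressions": [{"kind": "inSource", "justification": "test fixture"}],
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures.py"},
                                             "region": {"startLine": 3}}}]}]}]})

# SARIF only knows error/warning/note/none; GitLab has finer severities.
# This collapse is an assumption, and it is one of the mapping losses the issue mentions.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


def stable_id(tool, rule_id, path, line):
    """Content hash standing in for a stable identifier SARIF does not guarantee."""
    raw = f"{tool}|{rule_id}|{path}|{line}".encode()
    return hashlib.sha256(raw).hexdigest()[:32]


def sarif_to_gitlab(sarif_text):
    """Convert a SARIF document into a dict shaped like a GitLab security report."""
    doc = json.loads(sarif_text)
    vulns = []
    for run in doc["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            phys = res["locations"][0]["physicalLocation"]
            path = phys["artifactLocation"]["uri"]
            line = phys.get("region", {}).get("startLine")
            rule = rules.get(res["ruleId"], {})
            vulns.append({
                "id": stable_id(driver["name"], res["ruleId"], path, line),
                "name": rule.get("shortDescription", {}).get("text", res["ruleId"]),
                "description": res["message"]["text"],
                "severity": LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "Unknown"),
                "location": {"file": path, "start_line": line},
                "identifiers": [{"type": "rule_id", "name": res["ruleId"], "value": res["ruleId"]}],
                # SARIF suppressions become GitLab flags; the flag type is an assumed schema value.
                "flags": [{"type": "flagged-as-likely-false-positive", "origin": driver["name"],
                           "description": s.get("justification", s.get("kind", ""))}
                          for s in res.get("suppressions", [])],
            })
    return {"version": "15.0.0", "vulnerabilities": vulns}
```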
That said, I'm optimistic we could allow SARIF uploads directly once we iron out the caveats. And it would be a lovely pairing with direct CycloneDX SBOMs to move towards more global standards and less customization.