PoC: Add SARIF 2.1.0 direct upload support for security scanning

What does this MR do and why?

STATUS: Productionizing this PoC is currently blocked on the decision of whether to support SARIF as a report type, see this thread.

Adds support for uploading SARIF 2.1.0 files directly as CI security report artifacts (artifacts:reports:sarif).

Vulnerabilities parsed from SARIF reports appear in the pipeline security tab and vulnerability report dashboard alongside findings from other scanner types.

References

Direct Upload Support for SARIF Reports (#452042)

How to set up and validate locally

  1. Create a project containing a vulnerability for the scanner to find. Example (a Flask app that passes attacker-controlled query input straight to eval(), deliberately vulnerable):
    from flask import Flask, request
    
    app = Flask(__name__)
    
    @app.route("/sum")
    def sum_numbers():
        numbers = request.args.get("numbers")
        # Deliberately vulnerable: eval() on request input (code injection); this is the line the scanner should flag.
        numbers_list = eval(numbers)
        total = 0
        for num in numbers_list:
            total += num
        return f"Sum is {total}"
  2. Add a job to .gitlab-ci.yml that writes a SARIF file and declares it as a sarif report artifact:
    semgrep:
      image: returntocorp/semgrep
      script:
        - semgrep --sarif --output gl-sarif-report.sarif .
      artifacts:
        reports:
          sarif: gl-sarif-report.sarif
  3. Run the pipeline and open the project's Security > Vulnerability Report.
  4. Filter by the SARIF report type and confirm each finding is listed with its file and line location.
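To make the file/line check in step 4 concrete, here is an added example of the field mapping a SARIF 2.1.0 ingester has to do; it is illustration written for this description, not the parser this MR adds. It reads the run's tool.driver.rules and each result's ruleId/ruleIndex, level (with the spec's fallback to the rule's defaultConfiguration.level and then "warning"), message.text and the first physicalLocation (artifactLocation.uri, region.startLine), skips results whose kind is not "fail" and results with no physical location, and derives a stable fingerprint. The Finding shape, the level-to-severity mapping, the fingerprint scheme and the sample SARIF log (modelled on a semgrep run over the Flask app above, with illustrative rule ids) are all assumptions.

```python
"""Flatten a SARIF 2.1.0 log into per-finding records (rule, severity, file, line).

Added example, not GitLab's own parser: the Finding shape, the
level-to-severity mapping and the fingerprint scheme are assumed for
illustration. Only the field names come from the SARIF 2.1.0 schema.
"""
import hashlib
import json
from dataclasses import dataclass

SUPPORTED_VERSION = "2.1.0"

# SARIF result.level -> scanner-neutral severity label (assumed mapping).
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    message: str
    file: str
    start_line: int
    fingerprint: str


def _resolve_rule(result, rules):
    """Return (rule_id, rule_object): a result may carry ruleId, ruleIndex, or both."""
    rule = {}
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        rule = rules[idx]
    return result.get("ruleId") or rule.get("id"), rule


def _severity(result, rule):
    # SARIF 2.1.0: a missing result.level falls back to the rule's
    # defaultConfiguration.level, and failing that to "warning".
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level") or "warning"
    return LEVEL_TO_SEVERITY.get(level, "Unknown")


def _location(result):
    """First physical location as (uri, startLine), or None if there is none."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if not uri:
            continue
        for prefix in ("file://", "./"):  # normalise so the same file dedups consistently
            if uri.startswith(prefix):
                uri = uri[len(prefix):]
        return uri, int(phys.get("region", {}).get("startLine", 0))
    return None


def parse_sarif(text):
    """Parse a SARIF JSON string into Findings. Results whose kind is not "fail"
    (pass, notApplicable, ...) and results without a physical location are skipped,
    since they cannot be shown with a file/line in the report."""
    doc = json.loads(text)
    if doc.get("version") != SUPPORTED_VERSION:
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results", []):
            if result.get("kind", "fail") != "fail":
                continue
            rule_id, rule = _resolve_rule(result, rules)
            loc = _location(result)
            if rule_id is None or loc is None:
                continue
            uri, line = loc
            message = result.get("message", {}).get("text") or rule.get("shortDescription", {}).get("text", "")
            # Stable identity for dedup across pipelines (assumed scheme: rule + file + line).
            digest = hashlib.sha256(f"{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]
            findings.append(Finding(rule_id, _severity(result, rule), message, uri, line, digest))
    return findings


# Constructed SARIF log modelled on a semgrep run over the Flask app above
# (rule ids and messages are illustrative, not captured scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "python.lang.security.audit.eval-detected",
             "shortDescription": {"text": "Detected use of eval()"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "python.flask.format-string-response"},
        ]}},
        "results": [
            {"ruleIndex": 0,  # no ruleId and no level: both resolved from the rule entry
             "message": {"text": "eval() called on request input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app.py"},
                                                  "region": {"startLine": 8}}}]},
            {"ruleId": "python.flask.format-string-response", "level": "note",
             "message": {"text": "f-string returned as response body"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "./app.py"},
                                                  "region": {"startLine": 12}}}]},
            {"ruleId": "python.flask.format-string-response", "kind": "pass",
             "message": {"text": "not a finding, must be skipped"}},
            {"ruleId": "python.flask.format-string-response",
             "message": {"text": "no location, cannot be placed in the report"}},
        ],
    }],
})

if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        print(f"{f.severity:<6} {f.file}:{f.start_line} {f.rule_id} [{f.fingerprint}]")
```

Running it on the constructed log yields two findings (app.py:8 High, app.py:12 Low) and drops the "pass" result and the location-less one; that is the behaviour to compare against what the Vulnerability Report shows after step 4, in particular that a scanner which emits results without a physicalLocation does not silently lose findings.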

Screenshots

Examples from the semgrep job above emitting raw SARIF (top) alongside the default SAST.gitlab-ci.yml template (bottom).

NOTE: most data discrepancies are due to scanner differences rather than field mappings.

Vulnerability list

Screenshot_2026-03-03_at_07.10.11

Vulnerability details

Screenshot_2026-03-03_at_07.10.53

Edited by Lucas Charles
