Document SARIF direct upload support: ingestion behavior, limits, and field compatibility
## Summary
Create a dedicated documentation page covering GitLab's SARIF 2.1.0 direct upload support, including ingestion behavior, limits, and compatibility details. This page should serve as the canonical reference for users integrating third-party SARIF-producing tools with GitLab's security scanning pipeline.
## Motivation
SARIF direct upload is now a first-class artifact type in GitLab (see #452042). Users need clear documentation on what is supported, what the ingestion limits are, and what happens when reports are malformed or partially unprocessable.
## Content to cover
### Overview
- What SARIF direct upload is and when to use it (vs. native GitLab scanners)
- Supported SARIF version: 2.1.0 only
- How to configure the CI artifact type (`sarif` artifact type in `.gitlab-ci.yml`)
### Ingestion behavior and thresholds
- **50% ingestion failure threshold** (!234268): when strictly more than 50% of the results in a SARIF report are unprocessable (missing `physicalLocation`, missing `ruleId`, or nil components in the finding UUID), the scan fails with a `report_error` instead of silently ingesting the usable remainder
- At or below 50% drop rate: partial ingestion proceeds with a warning surfaced in the scanner status / Security Profiles UX showing the exact drop count
- Above 50% drop rate: scan fails loudly with an error and drop count — this is intentional to surface likely configuration errors
| Drop rate | Result | Signal |
|-----------|--------|--------|
| 0% | All findings ingested | No message |
| 1–50% | Partial ingestion | Warning with drop count |
| >50% | Report fails (`report_error`) | Error with drop count |
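The following Ruby script is an added illustration, not GitLab's ingestion code: a pre-upload linter that applies the two drop conditions a tool author can see in the report itself (missing `ruleId`, missing `physicalLocation`) and the threshold rule from the table above, so a report can be checked for `partial` versus `report_error` before it is pushed through a pipeline. The nil-UUID-component condition depends on server-side state and is not modelled; evaluating the drop rate across all runs of a report rather than per run, and the exact test for a usable `physicalLocation`, are assumptions. All sample reports are constructed.

```ruby
require 'json'

# Strictly more than this fraction of unprocessable results fails the report;
# at or below it the report is partially ingested with a warning (per the
# threshold table in the issue).
DROP_RATE_FAIL_THRESHOLD = 0.5

# Returns the reasons a single SARIF result would be unprocessable, covering the
# two conditions visible in the report: a missing ruleId and the absence of any
# physicalLocation with a non-empty artifact URI (assumed test). The third
# condition the issue names (nil finding-UUID components) depends on server-side
# state and is not modelled. An empty array means the result is ingestible.
def unprocessable_reasons(result)
  reasons = []
  rule_id = result['ruleId']
  reasons << 'missing ruleId' if rule_id.nil? || rule_id.to_s.strip.empty?

  locations = result['locations']
  locations = [] unless locations.is_a?(Array)
  has_physical = locations.any? do |loc|
    next false unless loc.is_a?(Hash)
    uri = loc.dig('physicalLocation', 'artifactLocation', 'uri')
    uri.is_a?(String) && !uri.strip.empty?
  end
  reasons << 'missing physicalLocation' unless has_physical
  reasons
end

# Aggregates results across every run in the document (assumption: the issue
# speaks of the drop rate "in a SARIF report", so the rate is computed per
# report, not per run) and classifies the report as the threshold table does.
def classify_sarif(sarif)
  unless sarif['version'] == '2.1.0'
    raise ArgumentError, "unsupported SARIF version #{sarif['version'].inspect}; only 2.1.0 is accepted"
  end

  runs = sarif['runs']
  runs = [] unless runs.is_a?(Array)
  results = runs.flat_map { |run| run.is_a?(Hash) && run['results'].is_a?(Array) ? run['results'] : [] }
  dropped = results.reject { |r| unprocessable_reasons(r).empty? }
  total = results.size
  drop_rate = total.zero? ? 0.0 : dropped.size.to_f / total

  status =
    if drop_rate > DROP_RATE_FAIL_THRESHOLD then :report_error
    elsif dropped.empty? then :ingested
    else :partial
    end

  {
    status: status, total: total, dropped: dropped.size, drop_rate: drop_rate,
    reasons: dropped.map { |r| unprocessable_reasons(r) }
  }
end

# Constructed sample data (not real scanner output): builds one SARIF result and
# one multi-run SARIF 2.1.0 document from arrays of results.
def sample_result(rule_id: 'CWE-79', uri: 'src/app.js', line: 10)
  result = { 'level' => 'error', 'message' => { 'text' => 'constructed finding' } }
  result['ruleId'] = rule_id if rule_id
  if uri
    result['locations'] = [{ 'physicalLocation' => {
      'artifactLocation' => { 'uri' => uri }, 'region' => { 'startLine' => line }
    } }]
  end
  result
end

def sample_report(*runs)
  { 'version' => '2.1.0',
    'runs' => runs.map { |rs| { 'tool' => { 'driver' => { 'name' => 'constructed-scanner' } }, 'results' => rs } } }
end

CLEAN_REPORT   = sample_report([sample_result, sample_result(line: 20)])
# Two runs, 2 of 4 results dropped: exactly 50%, so partial ingestion, not failure.
PARTIAL_REPORT = sample_report([sample_result, sample_result(rule_id: nil)],
                               [sample_result(uri: nil), sample_result(line: 30)])
# 2 of 3 results dropped: above 50%, so the whole report fails.
FAILING_REPORT = sample_report([sample_result(rule_id: nil), sample_result(uri: nil), sample_result])

if __FILE__ == $PROGRAM_NAME
  # Pass report paths to lint real files; with no arguments, classify the constructed samples.
  reports = ARGV.empty? ? { 'clean' => CLEAN_REPORT, 'partial' => PARTIAL_REPORT, 'failing' => FAILING_REPORT }
                        : ARGV.to_h { |p| [p, JSON.parse(File.read(p))] }
  reports.each do |name, report|
    s = classify_sarif(report)
    puts format('%-10s %-12s %d/%d dropped (%.1f%%)', name, s[:status], s[:dropped], s[:total], s[:drop_rate] * 100)
  end
end
```

Run it as `ruby sarif_lint.rb results.sarif` in the job that produces the report; a `report_error` classification there means the upload would fail loudly, and the `reasons` array tells the tool author which of the two conditions to fix. The boundary matters: exactly 50% dropped is still partial ingestion, and only a rate strictly above the threshold fails the report, which is why the sample reports sit on both sides of it.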
### Limits
- Maximum number of `runs` per SARIF report (multi-run support via !230154)
- Plan limits (`plan_limits` migration from !227968)
- Whether file-size or result-count limits apply, and what the user sees when one is exceeded
### Field mapping and compatibility
- How SARIF `result` fields map to GitLab vulnerability fields (severity, identifiers, location, details)
- Findings without a stable `physicalLocation` are dropped and count toward the 50% failure threshold; document this behavior and how tool authors can avoid it
- Identifier stability requirements for deduplication
- SARIF suppression model vs. GitLab `vulnerability_flags`
- Severity level mapping from SARIF to GitLab severity scale
### Security policy integration
- How SARIF findings interact with approval/scan result policies
- Pipeline execution policy enforcement (`sarif` in `SUPPORTED_SCANNERS`)
- Vulnerability Management Policy scanner enum support
### MR security diff widget
- SARIF findings appear in the MR security diff widget (added in !230797)
### Known limitations / non-blocking follow-ups
- Cross-report-type deduplication with SAST/secret-detection findings (#592410) is not yet supported
## References
- Parent epic/issue: #452042
- Ingestion threshold MR: !234268
- Parser and ingestion: !227970
- Artifact type registration: !227968
- Multi-run support: !230154
- Ingestion health visibility: !230137
- Feature flag: !230156
- MR widget support: !230797