SARIF's [`kind`](https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317647) is not currently handled. `kind` is how SARIF records findings for tests that were done or skipped or errored out as well as vulnerabilities (`kind`=`fail`, the default if `kind` is absent, indicates a vulnerability). The values for `kind` and what I think this project should do in each case are: * `pass` should not record the vulnerability * `open` should behave the same as `fail` * `informational` should not record the vulnerability * `notApplicable` should not record the vulnerability * `review` should behave the same as `fail` * `fail` (default is `kind` is no specified) should record the vulnerability (the current behavior) Note that `kind` and [`level`](https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317648) are related: > If kind (§3.27.9) has any value other than "fail", then if level is absent, it SHALL default to "none", and if it is present, it SHALL have the value "none". > > If kind has the value "fail" and level is absent, then level SHALL be determined by the following procedure: > ... Handling `kind` is important because some tools (such as [`openscap`](https://github.com/OpenSCAP/openscap/)) output SARIF that contains results that record that a test was done and passed or a test was skipped. Such results are not vulnerabilities and should not appear as such in GitLab's reporting UI.