SARIF 2.1.0 Findings Export

The framework has several findings producers — action-lint, the secrets scan, the WCAG/a11y audit, the guardrail — but no common export, so results couldn’t land in GitHub / Azure DevOps code scanning (the durable, deduplicated, line-anchored alert store). SARIF 2.1.0 (OASIS) is that interchange format.

to_sarif builds a SARIF document from a list of normalized findings ({rule_id, level, message, file?, line?}), with adapters for the existing lint / audit shapes and stable partialFingerprints so the same issue deduplicates across runs. Pure standard library (json + hashlib); imports no PySide6.

Headless API

from je_auto_control import (
    make_finding, to_sarif, write_sarif, from_lint_issues,
    from_audit_findings)

findings = [
    make_finding("AC_SHELL", "shell command not allow-listed",
                 level="error", file="flow.json", line=12),
    *from_lint_issues(lint_issues, file="flow.json"),
    *from_audit_findings(wcag_report["findings"]),
]
write_sarif(findings, "results.sarif", tool_name="AutoControl")
# upload results.sarif via the GitHub "upload-sarif" action

make_finding builds one normalized finding; from_lint_issues (maps index/severity/code/message) and from_audit_findings (maps sc/criterion/kind/severity) adapt the existing producers; to_sarif auto-derives the rule catalog and attaches a stable fingerprint per result; write_sarif serializes to a file. Severity strings map to SARIF error / warning / note.

Executor command

AC_export_sarif takes findings (a list, or JSON string) plus optional path and tool_name and returns {sarif, path?}. The same operation is exposed as the MCP tool ac_export_sarif and as a Script Builder command under Report.