
SARIF & Reporting

SARIF 2.1.0 Output

All findings are converted to SARIF 2.1.0 for integration with GitHub Security, Azure DevOps, and other tools.

Field Mapping

| BeDefended Field | SARIF Field | Notes |
|------------------|-------------|-------|
| `vuln_type` | `run.tool.driver.rules[].id` | Rule identifier |
| `title` | `rule.shortDescription.text` | Short description |
| `description` | `rule.fullDescription.text` | Full description |
| `severity` Critical/High | `result.level = "error"` | Maps to SARIF error level |
| `severity` Medium | `result.level = "warning"` | Maps to warning |
| `severity` Low/Info | `result.level = "note"` | Maps to note |
| `location.file` | `result.locations[].physicalLocation.artifactLocation.uri` | File path |
| `location.line_start` | `result.locations[].physicalLocation.region.startLine` | Line number |
| `taint_flow` | `result.codeFlows[].threadFlows[].locations[]` | Data flow chain |
| `cwe` | `rule.properties.tags: ["external/cwe/cwe-89"]` | CWE reference |
| `cvss40_score` | `rule.properties.security-severity` | Numeric severity |
| `suggested_fix` | `result.fixes[].description` | Suggested fix |
| `confidence` | `result.properties.confidence` | confirmed/likely/possible |
| `cross_validated` | `result.properties.crossValidated` | Dual-engine verified |
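The following converter is an added example that applies the mapping table above to a finding record; it is not bd-review's own code. The input shape (the keys in the table's left column, with `taint_flow` as a list of `{file, line, label}` steps and `cwe` as a number or list of numbers) is assumed from the table, and the sample finding is constructed to mirror the SQL injection example on this page.

```python
"""Build a SARIF 2.1.0 log from BeDefended-style findings (added example)."""
import json

SARIF_SCHEMA = ("https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/"
                "schemas/sarif-schema-2.1.0.json")

# severity -> result.level, exactly as the mapping table states
LEVEL_BY_SEVERITY = {
    "critical": "error", "high": "error",
    "medium": "warning",
    "low": "note", "info": "note",
}


def sarif_level(severity):
    """Map a BeDefended severity to result.level; unknown values degrade to 'note'."""
    return LEVEL_BY_SEVERITY.get(str(severity).lower(), "note")


def physical_location(path, line):
    """SARIF physicalLocation for one file/line pair."""
    return {"physicalLocation": {"artifactLocation": {"uri": path},
                                 "region": {"startLine": int(line)}}}


def build_rule(finding):
    """One reportingDescriptor per vuln_type (run.tool.driver.rules[])."""
    cwes = finding.get("cwe", [])
    if isinstance(cwes, int):          # assumed: a single CWE number or a list
        cwes = [cwes]
    return {
        "id": finding["vuln_type"],
        "shortDescription": {"text": finding["title"]},
        "fullDescription": {"text": finding.get("description", finding["title"])},
        "properties": {
            "tags": [f"external/cwe/cwe-{n}" for n in cwes],
            # GitHub reads security-severity as a string holding a 0.0-10.0 score
            "security-severity": str(finding["cvss40_score"]),
        },
    }


def build_result(finding):
    """One result per finding, with codeFlows and fixes only when present."""
    loc = finding["location"]
    result = {
        "ruleId": finding["vuln_type"],
        "level": sarif_level(finding["severity"]),
        "message": {"text": finding.get("description", finding["title"])},
        "locations": [physical_location(loc["file"], loc["line_start"])],
        "properties": {
            "confidence": finding.get("confidence", "possible"),
            "crossValidated": bool(finding.get("cross_validated", False)),
        },
    }
    flow = finding.get("taint_flow") or []
    if flow:
        # each taint step is assumed to be {file, line, label}, label = source/sink/...
        result["codeFlows"] = [{"threadFlows": [{"locations": [
            {"location": {**physical_location(s["file"], s["line"]),
                          "message": {"text": s.get("label", "step")}}}
            for s in flow]}]}]
    if finding.get("suggested_fix"):
        result["fixes"] = [{"description": {"text": finding["suggested_fix"]}}]
    return result


def to_sarif(findings, tool_version="1.0.0"):
    """Assemble a single-run SARIF log; rules are de-duplicated by vuln_type."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["vuln_type"], build_rule(f))
        results.append(build_result(f))
    return {
        "version": "2.1.0",
        "$schema": SARIF_SCHEMA,
        "runs": [{"tool": {"driver": {"name": "BeDefended", "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }


# Constructed sample finding mirroring the page's SQL injection example.
SAMPLE_FINDING = {
    "vuln_type": "sql-injection",
    "title": "SQL Injection in search endpoint",
    "description": "User input interpolated into SQL query via f-string",
    "severity": "Critical",
    "cvss40_score": 9.8,
    "cwe": 89,
    "confidence": "confirmed",
    "cross_validated": True,
    "location": {"file": "app/views/search.py", "line_start": 42},
    "taint_flow": [{"file": "app/views/search.py", "line": 38, "label": "source"},
                   {"file": "app/views/search.py", "line": 42, "label": "sink"}],
    "suggested_fix": "cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))",
}

if __name__ == "__main__":
    print(json.dumps(to_sarif([SAMPLE_FINDING]), indent=2))
```

Rules are keyed by `vuln_type` so that ten SQL injection findings share one `rules[]` entry and ten `results[]` entries, which is what code-scanning consumers expect; an unknown severity string lands on `note` rather than being dropped, so a mapping gap shows up as a low-level alert instead of a silently missing finding.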

GitHub Security Tab

When `sarif-upload: true` is set, the SARIF file is uploaded with `github/codeql-action/upload-sarif@v3`. Findings appear in:

  • Security tab -> Code scanning alerts
  • Per-alert detail view with location, severity, CWE
  • Alert dismissal and tracking across PRs

Example SARIF Output

{
  "version": "2.1.0",
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
  "runs": [{
    "tool": {
      "driver": {
        "name": "BeDefended",
        "version": "1.0.0",
        "rules": [{
          "id": "sql-injection",
          "shortDescription": {"text": "SQL Injection in search endpoint"},
          "properties": {
            "tags": ["external/cwe/cwe-89", "external/owasp/A03:2021"],
            "security-severity": "9.8"
          }
        }]
      }
    },
    "results": [{
      "ruleId": "sql-injection",
      "level": "error",
      "message": {"text": "User input interpolated into SQL query via f-string"},
      "locations": [{
        "physicalLocation": {
          "artifactLocation": {"uri": "app/views/search.py"},
          "region": {"startLine": 42}
        }
      }],
      "codeFlows": [{
        "threadFlows": [{
          "locations": [
            {"location": {"physicalLocation": {"artifactLocation": {"uri": "app/views/search.py"}, "region": {"startLine": 38}}, "message": {"text": "source"}}},
            {"location": {"physicalLocation": {"artifactLocation": {"uri": "app/views/search.py"}, "region": {"startLine": 42}}, "message": {"text": "sink"}}}
          ]
        }]
      }],
      "fixes": [{"description": {"text": "cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))"}}]
    }]
  }]
}

GitLab Code Quality

For GitLab, findings are converted to the Code Quality report format:

bd-review sarif -i review-results.json -o gl-code-quality-report.json --format gitlab

Each finding becomes an issue object:

{
  "type": "issue",
  "check_name": "sql-injection",
  "description": "SQL Injection in search endpoint",
  "categories": ["Security"],
  "severity": "major",
  "fingerprint": "a1b2c3d4e5f6...",
  "location": {
    "path": "app/views/search.py",
    "lines": {"begin": 42, "end": 42}
  }
}

Severity mapping:

| BeDefended | GitLab Code Quality |
|------------|---------------------|
| Critical   | critical            |
| High       | major               |
| Medium     | minor               |
| Low / Info | info                |
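The converter below is an added example of producing the GitLab Code Quality report from finding records, following the issue object and severity table above; it is not the bd-review implementation. The finding shape (`vuln_type`, `title`, `severity`, `location.file`, `location.line_start`, optional `location.line_end`) is assumed, the sample findings are constructed, and the fingerprint recipe is this example's own choice, since the page does not say how bd-review computes it.

```python
"""Convert BeDefended-style findings into a GitLab Code Quality report (added example)."""
import hashlib
import json

# BeDefended severity -> GitLab Code Quality severity, from the table above
GITLAB_SEVERITY = {
    "critical": "critical",
    "high": "major",
    "medium": "minor",
    "low": "info", "info": "info",
}


def gitlab_severity(severity):
    """Unknown severities degrade to 'info' rather than dropping the finding."""
    return GITLAB_SEVERITY.get(str(severity).lower(), "info")


def fingerprint(finding):
    """Stable, unique id so GitLab can match the same issue across pipelines.

    Assumed recipe: SHA-256 over rule id, path and start line. Including the
    line keeps two findings of the same type in one file distinct, at the cost
    of a new fingerprint when the code above the finding shifts.
    """
    loc = finding["location"]
    key = "|".join([finding["vuln_type"], loc["file"], str(loc["line_start"])])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def to_code_quality_issue(finding):
    """One Code Quality issue object per finding."""
    loc = finding["location"]
    begin = int(loc["line_start"])
    end = int(loc.get("line_end", begin))
    return {
        "type": "issue",
        "check_name": finding["vuln_type"],
        "description": finding["title"],
        "categories": ["Security"],
        "severity": gitlab_severity(finding["severity"]),
        "fingerprint": fingerprint(finding),
        "location": {"path": loc["file"], "lines": {"begin": begin, "end": end}},
    }


def to_code_quality_report(findings):
    """The report is a JSON array of issues; colliding fingerprints are rejected
    because GitLab would otherwise show one of the two findings only."""
    issues = [to_code_quality_issue(f) for f in findings]
    seen = set()
    for issue in issues:
        if issue["fingerprint"] in seen:
            raise ValueError(
                f"duplicate fingerprint for {issue['check_name']} at "
                f"{issue['location']['path']}:{issue['location']['lines']['begin']}")
        seen.add(issue["fingerprint"])
    return issues


# Constructed sample findings; the first mirrors the page's example.
SAMPLE_FINDINGS = [
    {"vuln_type": "sql-injection", "title": "SQL Injection in search endpoint",
     "severity": "High",
     "location": {"file": "app/views/search.py", "line_start": 42}},
    {"vuln_type": "hardcoded-secret", "title": "Hard-coded API token",
     "severity": "Medium",
     "location": {"file": "app/settings.py", "line_start": 7, "line_end": 7}},
]

if __name__ == "__main__":
    print(json.dumps(to_code_quality_report(SAMPLE_FINDINGS), indent=2))
```

Run it and redirect stdout to `gl-code-quality-report.json` to get a file in the same shape the `bd-review sarif --format gitlab` command produces. The duplicate check matters more than it looks: GitLab keys issues by fingerprint when it diffs the report against the target branch, so two issues with the same fingerprint collapse into one in the MR widget.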

PR Inline Comments

The bd-review comment command posts findings directly on the PR/MR.

Comment Format

Each finding becomes an inline comment at the exact line:

### SQL Injection (HIGH -- CVSS 9.8)

**CWE-89** | Confidence: confirmed | AI + SAST

<details>
<summary>Taint Flow</summary>

`app/views.py:38` (source): `q = request.GET['q']`

`app/views.py:42` (sink): `cursor.execute(f'...')`

</details>

**Fix:**
cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))

Summary Comment

A summary comment is posted on the PR with severity counts and quality gate result:

## BeDefended Code Review Summary

| Severity | Count |
|----------|-------|
| Critical | 1     |
| High     | 3     |
| Medium   | 7     |
| Low      | 2     |

**Quality Gate: FAILED**
**Files reviewed**: 23
**AI confidence**: 94% average

[Full report on BeDefended Dashboard](https://app.bedefended.com/reviews/xxx)

Provider-Specific Integration

| Provider     | Comment API               | Summary        | Inline                     | Quality Gate            |
|--------------|---------------------------|----------------|----------------------------|-------------------------|
| GitHub       | Pull Request Review API   | Summary body   | Up to 50 per review        | REQUEST_CHANGES on fail |
| GitLab       | MR Notes + Discussions    | MR note        | Position-based discussions | -                       |
| Azure DevOps | PR Threads API            | Thread comment | File/line threads          | Thread status = active  |
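The script below is an added example, not bd-review's code, that ties the Comment Format, the Summary Comment and the GitHub row of the provider table together: it renders one inline comment per finding, renders the summary with severity counts and the gate verdict, and batches the comments into review payloads of at most 50 so that the GitHub limit in the table is respected. Assumptions: the finding shape (`title`, `severity`, `cvss40_score`, `cwe`, `confidence`, `cross_validated`, `taint_flow` steps with `file`, `line`, `label`, `code`, `suggested_fix`, `location`); that "AI + SAST" in the comment header means the finding was cross-validated; that the quality gate fails on any Critical or High finding; and the payload shape of GitHub's "create a review for a pull request" endpoint (`event`, `body`, `comments[{path, line, side, body}]`). Nothing here talks to GitHub; it only builds the payloads.

```python
"""Render findings as PR review comments and batch them for GitHub (added example)."""
from collections import Counter

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
MAX_COMMENTS_PER_REVIEW = 50                  # provider table: "Up to 50 per review"
GATE_FAIL_SEVERITIES = {"critical", "high"}   # assumed gate threshold
DASHBOARD_URL = "https://app.bedefended.com/reviews/xxx"  # placeholder URL from the page


def severity_rank(finding):
    """Sort key: worst first; unknown severities sort last."""
    sev = str(finding["severity"]).lower()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def render_inline_comment(f):
    """Markdown body for one inline comment, in the page's Comment Format."""
    engines = "AI + SAST" if f.get("cross_validated") else "AI"   # assumed meaning
    lines = [f"### {f['title']} ({str(f['severity']).upper()} -- CVSS {f['cvss40_score']})", "",
             f"**CWE-{f['cwe']}** | Confidence: {f.get('confidence', 'possible')} | {engines}"]
    flow = f.get("taint_flow") or []
    if flow:   # the flow is collapsed so long chains do not swamp the diff view
        lines += ["", "<details>", "<summary>Taint Flow</summary>", ""]
        for step in flow:
            lines += [f"`{step['file']}:{step['line']}` ({step['label']}): "
                      f"`{step.get('code', '')}`", ""]
        lines.append("</details>")
    if f.get("suggested_fix"):
        lines += ["", "**Fix:**", f["suggested_fix"]]
    return "\n".join(lines)


def quality_gate_failed(findings):
    return any(str(f["severity"]).lower() in GATE_FAIL_SEVERITIES for f in findings)


def render_summary(findings, files_reviewed):
    """Summary comment: severity table plus gate result, in the page's layout."""
    counts = Counter(str(f["severity"]).lower() for f in findings)
    gate = "FAILED" if quality_gate_failed(findings) else "PASSED"
    rows = [f"| {s.capitalize():<8} | {counts[s]:<5} |" for s in SEVERITY_ORDER if counts[s]]
    return "\n".join(["## BeDefended Code Review Summary", "",
                      "| Severity | Count |", "|----------|-------|", *rows, "",
                      f"**Quality Gate: {gate}**", f"**Files reviewed**: {files_reviewed}", "",
                      f"[Full report on BeDefended Dashboard]({DASHBOARD_URL})"])


def build_github_reviews(findings, files_reviewed):
    """Split inline comments into reviews of at most MAX_COMMENTS_PER_REVIEW.

    Findings are ordered worst-first so the first (and most visible) review
    carries the serious ones. Only the first review carries the summary and
    the gate verdict (REQUEST_CHANGES on fail); later batches are COMMENT
    reviews so they cannot flip the verdict.
    """
    ordered = sorted(findings, key=severity_rank)
    comments = [{"path": f["location"]["file"], "line": int(f["location"]["line_start"]),
                 "side": "RIGHT", "body": render_inline_comment(f)} for f in ordered]
    batches = [comments[i:i + MAX_COMMENTS_PER_REVIEW]
               for i in range(0, len(comments), MAX_COMMENTS_PER_REVIEW)] or [[]]
    event = "REQUEST_CHANGES" if quality_gate_failed(findings) else "COMMENT"
    reviews = [{"event": event, "body": render_summary(findings, files_reviewed),
                "comments": batches[0]}]
    for n, batch in enumerate(batches[1:], start=2):
        reviews.append({"event": "COMMENT",
                        "body": f"BeDefended inline findings, part {n} of {len(batches)}",
                        "comments": batch})
    return reviews


# Constructed sample finding mirroring the page's inline comment example.
SAMPLE_FINDING = {
    "title": "SQL Injection", "severity": "High", "cvss40_score": 9.8, "cwe": 89,
    "confidence": "confirmed", "cross_validated": True,
    "location": {"file": "app/views.py", "line_start": 42},
    "taint_flow": [{"file": "app/views.py", "line": 38, "label": "source", "code": "q = request.GET['q']"},
                   {"file": "app/views.py", "line": 42, "label": "sink", "code": "cursor.execute(f'...')"}],
    "suggested_fix": "cursor.execute('SELECT * FROM users WHERE id = %s', (uid,))",
}

if __name__ == "__main__":
    for review in build_github_reviews([SAMPLE_FINDING], files_reviewed=23):
        print(review["event"], len(review["comments"]), "comment(s)")
        print(review["body"])
```

Two details carry the security intent. Sorting worst-first before batching means a review that gets truncated, rate-limited or only partly read still surfaces the Critical and High findings. Putting `REQUEST_CHANGES` on the first review only, and `COMMENT` on the rest, keeps the gate verdict in one place so a later batch cannot leave the PR in an ambiguous state.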