SARIF 2.1.0 compatibility statement
SecNav Code emits findings in SARIF v2.1.0 (OASIS standard) on every scan run. This page enumerates the spec sections covered, the dialect chosen at each option point, and the dedup contract callers can rely on.
Schema target
Every emitted document carries `$schema = "https://json.schemastore.org/sarif-2.1.0.json"` and `version = "2.1.0"`, and validates against the microsoft/sarif-sdk reference validator.
Field coverage
| Object | Field | Status | Notes |
|---|---|---|---|
| `run.tool.driver` | `name`, `version`, `informationUri`, `organization` | YES | Tool identifies as "SecNav Code" / "South Lodge". |
| `run.tool.driver.rules[]` | `id`, `name`, `shortDescription`, `fullDescription`, `defaultConfiguration.level`, `properties` | YES | Rule `id` = CWE id lowercased (e.g. `cwe-79`), or the first contributing agent id when no CWE is mapped. Rules are de-duplicated across findings. |
| `run.results[]` | `ruleId`, `level`, `message`, `locations` | YES | One result per finding; `level` mapping below. |
| `run.results[].locations[].physicalLocation` | `artifactLocation.uri`, `region.startLine`, `region.endLine` | YES | `region.endLine` is emitted only when greater than `startLine`. |
| `run.results[].partialFingerprints` | `primaryLocationLineHash` | YES | Set to the SecNav-Code-internal finding fingerprint so GitHub Code Scanning dedupes across re-runs. |
| `run.versionControlProvenance` | `repositoryUri`, `revisionId`, `branch` | YES | Carries the exact commit and branch the scan ran against. |
| `run.originalUriBaseIds` | `SRCROOT.uri` | YES | Repo URL with trailing slash. |
| `run.invocations[]` | — | PARTIAL | Surfaced via `run.properties.secnavFindingCount` + `secnavSeverityBreakdown`. Native `invocations` tracked as residual. |
| `run.results[].codeFlows` | — | NO | Single-location findings only in v1. Multi-step taint flows tracked as residual. |
| `run.results[].fixes` | — | NO | Fix proposals live in the SecNav Code `fix_proposal` table + `AiFixProposalDialog`. SARIF `fixes[]` linkage tracked as residual. |
Severity → level mapping
| SecNav severity | SARIF level | security-severity |
|---|---|---|
| critical | error | 9.5 |
| high | error | 7.5 |
| medium | warning | 5.0 |
| low | note | 3.0 |
| info | note | 3.0 |
Because critical/high both collapse to `error` and low/info both collapse to `note`, the original five-tier severity is preserved in `result.properties.secnavSeverity`.
Dedup contract
`partialFingerprints.primaryLocationLineHash` equals the SecNav-Code-internal finding fingerprint, which is stable across re-runs. Consumers that respect `partialFingerprints` (GitHub Code Scanning, Codacy, VSCode SARIF Viewer) therefore dedupe alerts correctly across rebases and force-pushes.
Custom properties
- `result.properties.secnavSeverity`: pre-collapse five-tier severity.
- `result.properties.secnavConfidence`: per-agent calibration, 0 to 1.
- `result.properties.secnavFingerprint`: same value as `partialFingerprints.primaryLocationLineHash`.
- `result.properties.contributingAgentIds`: array of internal agent ids that contributed.
- `run.properties.secnavCommitSha` / `secnavFindingCount` / `secnavSeverityBreakdown`: per-run audit trail.
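The field coverage, severity mapping, dedup contract and custom properties above all describe one emitter. The following is an added example, not SecNav Code's own code, that builds a document obeying those rules end to end: rule ids from the CWE or the first agent id, rules de-duplicated across findings, `endLine` only when it exceeds `startLine`, the level / security-severity table, and the fingerprint carried in both `partialFingerprints` and `properties`. The finding dict shape, the fingerprint recipe (a hash that deliberately excludes line numbers so it survives rebases) and the `informationUri` are assumptions made for this example; the sample findings are constructed.

```python
"""Added example, not SecNav Code's own emitter: build a SARIF 2.1.0 document
that follows the field coverage, severity mapping, dedup contract and custom
properties on this page. Finding shape, fingerprint recipe and info_uri are
assumptions made for the example."""
import hashlib
import json

SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SecNav severity -> (SARIF level, GitHub security-severity), as on this page.
LEVEL_MAP = {
    "critical": ("error", "9.5"),
    "high": ("error", "7.5"),
    "medium": ("warning", "5.0"),
    "low": ("note", "3.0"),
    "info": ("note", "3.0"),
}


def rule_id_for(finding):
    """CWE id lowercased (e.g. cwe-79); first contributing agent id if no CWE."""
    cwe = finding.get("cwe")
    return cwe.lower() if cwe else finding["agents"][0]


def fingerprint(rule_id, finding):
    """Assumed stand-in for the internal fingerprint: hashes rule id, path and
    message, and omits line numbers and the commit SHA on purpose so the value
    stays stable across rebases and force-pushes."""
    raw = f"{rule_id}|{finding['path']}|{finding['message']}".encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def build_sarif(findings, repo_url, commit_sha, branch, tool_version="0.0.0",
                info_uri="https://example.invalid/secnav"):  # placeholder URL
    rules = {}  # keyed by rule id, so rules[] is de-duplicated across findings
    results = []
    breakdown = {sev: 0 for sev in LEVEL_MAP}
    for f in findings:
        rid = rule_id_for(f)
        level, sec_sev = LEVEL_MAP[f["severity"]]
        breakdown[f["severity"]] += 1
        # First finding seen for a rule defines the rule entry; later ones reuse it.
        rules.setdefault(rid, {
            "id": rid,
            "name": f["title"],
            "shortDescription": {"text": f["title"]},
            "fullDescription": {"text": f["description"]},
            "defaultConfiguration": {"level": level},
            "properties": {"security-severity": sec_sev},
        })
        region = {"startLine": f["start_line"]}
        if f.get("end_line", 0) > f["start_line"]:  # endLine only when > startLine
            region["endLine"] = f["end_line"]
        fp = fingerprint(rid, f)
        results.append({
            "ruleId": rid,
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "SRCROOT"},
                "region": region,
            }}],
            "partialFingerprints": {"primaryLocationLineHash": fp},
            "properties": {
                "secnavSeverity": f["severity"],      # pre-collapse five-tier value
                "secnavConfidence": f["confidence"],  # per-agent calibration, 0 to 1
                "secnavFingerprint": fp,              # same value as the fingerprint above
                "contributingAgentIds": list(f["agents"]),
            },
        })
    return {
        "$schema": SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "SecNav Code", "version": tool_version,
                "informationUri": info_uri, "organization": "South Lodge",
                "rules": list(rules.values()),
            }},
            "results": results,
            "versionControlProvenance": [{
                "repositoryUri": repo_url, "revisionId": commit_sha, "branch": branch,
            }],
            "originalUriBaseIds": {"SRCROOT": {"uri": repo_url.rstrip("/") + "/"}},
            "properties": {
                "secnavCommitSha": commit_sha,
                "secnavFindingCount": len(results),
                "secnavSeverityBreakdown": breakdown,
            },
        }],
    }


# Constructed sample findings (not real scan output). Two share cwe-79 to show
# rule de-duplication; the third has no CWE so its rule id is the agent id.
SAMPLE_FINDINGS = [
    {"cwe": "CWE-79", "agents": ["xss-agent"], "severity": "high",
     "title": "Reflected XSS", "description": "User input echoed unescaped.",
     "message": "Unescaped request parameter written to the response.",
     "path": "src/views.py", "start_line": 42, "end_line": 42, "confidence": 0.91},
    {"cwe": "CWE-79", "agents": ["xss-agent", "template-agent"], "severity": "medium",
     "title": "Reflected XSS", "description": "User input echoed unescaped.",
     "message": "Template renders raw query string.",
     "path": "src/templates.py", "start_line": 10, "end_line": 14, "confidence": 0.62},
    {"cwe": None, "agents": ["secrets-agent"], "severity": "low",
     "title": "Hard-coded token", "description": "Credential committed to source.",
     "message": "Possible API token literal.",
     "path": "config/settings.py", "start_line": 7, "confidence": 0.4},
]

if __name__ == "__main__":
    print(json.dumps(build_sarif(SAMPLE_FINDINGS, "https://github.com/acme/app",
                                 "0123456789abcdef0123456789abcdef01234567", "main"),
                     indent=2))
```

One consequence of de-duplicating `rules[]` by id is that the first finding seen sets `defaultConfiguration.level` and `security-severity` for that rule; per-result `level` still carries each finding's own value, which is what GitHub uses for the alert.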
Where SecNav Code uploads SARIF
Every webhook-triggered scan (push or pull request) uploads to GitHub Code Scanning via `POST /repos/{owner}/{repo}/code-scanning/sarifs`. Findings render inline on PR diffs and feed the repo's Security → Code scanning tab.
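The endpoint named above does not accept raw SARIF JSON: the document has to be gzip-compressed and then base64-encoded into the `sarif` field, alongside the full commit SHA and a fully qualified git ref (`refs/heads/<branch>` for pushes, `refs/pull/<n>/merge` or `refs/pull/<n>/head` for pull-request scans). The following is an added example, not SecNav Code's uploader, showing that preparation plus the request itself; the owner, repo, SHA and token are placeholders, the request function is not invoked so the block runs offline, and the sample document is constructed.

```python
"""Added example, not SecNav Code's own uploader: prepare a SARIF document for
POST /repos/{owner}/{repo}/code-scanning/sarifs. Repo, SHA and token values
used by callers are placeholders; nothing is sent unless upload() is called."""
import base64
import gzip
import json
import re
import urllib.request

API = "https://api.github.com"
# Refs the endpoint accepts: a branch ref, or a pull-request merge/head ref.
REF_RE = re.compile(r"^refs/(heads/.+|pull/\d+/(merge|head))$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_valid_ref(ref):
    return REF_RE.match(ref) is not None


def encode_sarif(sarif_doc):
    """gzip, then base64: the form the `sarif` field must carry."""
    raw = json.dumps(sarif_doc, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_sarif(encoded):
    """Inverse of encode_sarif; handy for checking a payload before sending."""
    return json.loads(gzip.decompress(base64.b64decode(encoded)))


def build_upload_body(sarif_doc, commit_sha, ref, checkout_uri=None):
    """Request body for the sarifs endpoint. Fails fast on the two inputs that
    most often produce a rejected upload: a short SHA and a bare branch name."""
    if not SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be the full 40-character lowercase SHA")
    if not is_valid_ref(ref):
        raise ValueError(f"ref must be refs/heads/... or refs/pull/<n>/(merge|head), got {ref!r}")
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif_doc)}
    if checkout_uri:  # lets GitHub rewrite absolute paths relative to the checkout
        body["checkout_uri"] = checkout_uri
    return body


def upload(owner, repo, token, body):
    """Perform the POST. Returns the JSON body of the 202 Accepted response
    (an id and a url for polling the processing status)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed minimal SARIF document used only for the encode/decode round trip.
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "SecNav Code"}}, "results": []}],
}

if __name__ == "__main__":
    body = build_upload_body(SAMPLE_SARIF,
                             "0123456789abcdef0123456789abcdef01234567",  # placeholder
                             "refs/pull/12/merge")
    assert decode_sarif(body["sarif"]) == SAMPLE_SARIF
    print({k: (v[:24] + "...") if k == "sarif" else v for k, v in body.items()})
    # upload("acme", "app", "ghp_placeholder", body)  # real call, needs a token
```

For pull-request scans the `ref` decides whether alerts appear on the PR at all; uploading a PR scan under `refs/heads/<branch>` files the alerts against the branch instead of the PR view.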