
Add SARIF reporting support #1

Open

seonghobae wants to merge 2 commits into main from feature/sarif-support


Conversation

@seonghobae

Summary

  • Add SARIF 2.1.0 report generation for Strix vulnerability findings with GitHub code scanning-compatible locations and rules.
  • Add --sarif / --sarif-output CLI flags and write SARIF before non-interactive exit code 2 so CI uploads can run with if: always().
  • Document a GitHub Actions upload flow and cover unsafe/locationless finding handling with regression tests.

Validation

  • uv run pytest -q → 118 passed, 4 warnings
  • uv run mypy strix/telemetry/sarif.py strix/interface/main.py → success
  • uv run pyright strix/telemetry/sarif.py → 0 errors
  • uv run ruff check strix/telemetry/sarif.py strix/interface/main.py tests/telemetry/test_sarif.py tests/interface/test_sarif_cli.py → all checks passed

Notes

@coderabbitai

coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 133e0ea3-24de-4fb9-b111-b6fd2497a05c

📥 Commits

Reviewing files that changed from the base of the PR and between 35c02b1 and f05d71c.

📒 Files selected for processing (4)
  • strix/interface/main.py
  • strix/telemetry/sarif.py
  • tests/interface/test_sarif_cli.py
  • tests/telemetry/test_sarif.py

📝 Walkthrough

Summary by CodeRabbit

  • New features

    • Add SARIF-format vulnerability report generation and a file-output option to the CLI
    • Run results can be exported as SARIF and uploaded to GitHub code scanning
  • Documentation

    • Add a guide and usage tips (output option, upload procedure) for integrating SARIF into CI workflows
  • Tests

    • Add unit/integration tests that verify SARIF generation and CLI flag behaviour

Walkthrough

Adds SARIF 2.1.0 reporting to Strix. A telemetry module that converts vulnerability data to SARIF and writes it is added together with the CLI options (--sarif, --sarif-output), and the README's GitHub Actions workflow gains a SARIF output and CodeQL upload step.

Changes

Add SARIF support

Layer | File(s) | Summary
Data definitions | strix/telemetry/sarif.py | Adds the SARIF-related constants (SARIF_SCHEMA, SARIF_VERSION, TOOL_NAME, TOOL_INFORMATION_URI) and the module skeleton.
Core conversion logic | strix/telemetry/sarif.py | Implements build_sarif_report: converts vulnerability reports into SARIF runs/rules/results, validates locations (removing unsafe paths), maps severity, and produces a locationless/dropped-location summary.
Output writer | strix/telemetry/sarif.py | Implements write_sarif_report: creates the parent directory, then writes a pretty-printed JSON (SARIF) file.
CLI options and integration | strix/interface/main.py | Adds the --sarif and --sarif-output options to the argument parser and a public write_requested_sarif_output(args, results_path) function, wiring the post-run SARIF build/write call into the main flow.
Documentation / workflow | README.md | Adds a GitHub Actions permissions block, adds --sarif-output results.sarif to the Strix run step, and adds a SARIF upload step (github/codeql-action/upload-sarif@v4) and usage tips to the documentation.
Tests | tests/telemetry/test_sarif.py, tests/interface/test_sarif_cli.py | Adds unit tests verifying the SARIF builder's and writer's mapping rules (location, severity, metadata), unsafe-location dropping and summary, locationless handling, CLI flag parsing and file-writing behaviour.

Sequence Diagram

sequenceDiagram
    actor User
    participant CLI as strix CLI
    participant Tracer as Tracer
    participant SARIF as SARIF Module
    participant FS as File System

    User->>CLI: run (--sarif / --sarif-output)
    CLI->>CLI: parse arguments
    CLI->>Tracer: request vulnerability collection
    Tracer-->>CLI: return vulnerability reports
    CLI->>SARIF: build_sarif_report(reports)
    SARIF->>SARIF: build rules/results, validate and drop locations
    SARIF-->>CLI: SARIF document (dict)
    CLI->>SARIF: write_sarif_report(path, reports)
    SARIF->>FS: create parent directory
    SARIF->>FS: write SARIF JSON file
    FS-->>SARIF: write succeeded
    SARIF-->>CLI: done
    CLI-->>User: show completion message

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hop, hop, holding the SARIF flag high
Gently weaving code and report together
Gathering results in a single CLI line
Written as JSON, then delivered to the repository
Dancing along the footprints of security ✨


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name | Status | Explanation | Resolution
Docstring Coverage | ❌ Error | Docstring coverage is 0.00% which is insufficient. The required threshold is 100.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly summarises the main change. The change adds SARIF reporting support, and the title 'Add SARIF reporting support' reflects this accurately.
Description check | ✅ Passed | The description is related to the changes. It covers the actual changes: SARIF 2.1.0 report generation, CLI flags, test coverage and so on.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented May 5, 2026

Greptile Summary

  • Adds a strix/telemetry/sarif.py module that builds SARIF 2.1.0 documents from Strix vulnerability reports, with safe URI validation, severity mapping, and separate tracking of locationless and partially-dropped findings.
  • Introduces --sarif / --sarif-output CLI flags; SARIF is written before the non-interactive exit-code 2 path so CI if: always() uploads work correctly. OSError on write is caught and reported without crashing.
  • README gains the required permissions block, the updated run step, and an upload-SARIF job demonstrating the intended GitHub Actions workflow.

Confidence Score: 5/5

Safe to merge; only P2 findings present.

All findings are P2 (partial SARIF on interrupt and a misleading help string). Core logic — URI sanitisation, location validation, rule deduplication, and OSError handling — is correct and well-tested.

strix/interface/main.py — KeyboardInterrupt flow and --sarif-output help text.

Important Files Changed

Filename | Overview
strix/telemetry/sarif.py | New SARIF 2.1.0 builder; location validation and URI sanitisation logic is solid; _build_locations correctly avoids double-counting findings with all-invalid locations via continue.
strix/interface/main.py | Adds --sarif/--sarif-output CLI flags and write_requested_sarif_output; OSError is caught gracefully, but SARIF is also written on KeyboardInterrupt (partial scan data), and --sarif-output help text misrepresents the flag's standalone behaviour.
tests/telemetry/test_sarif.py | Comprehensive unit tests covering severity mapping, locationless findings, all-invalid location handling, partial drop tracking, and directory creation; no issues found.
tests/interface/test_sarif_cli.py | CLI integration tests for flag parsing, successful write path, and OSError error-reporting; coverage is adequate.
README.md | Adds permissions block, --sarif-output flag to the example workflow step, and an upload-SARIF step with if: always(); documentation is accurate.

Sequence Diagram

sequenceDiagram
    participant User
    participant CLI as strix CLI (main.py)
    participant Scan as run_cli / run_tui
    participant Tracer as GlobalTracer
    participant SARIF as sarif.py
    participant FS as Filesystem
    participant GH as GitHub Code Scanning

    User->>CLI: strix --sarif-output results.sarif
    CLI->>Scan: asyncio.run(run_cli/run_tui)
    Scan->>Tracer: record vulnerability_reports
    Scan-->>CLI: complete (or KeyboardInterrupt)
    CLI->>Tracer: get_global_tracer()
    Tracer-->>CLI: vulnerability_reports
    CLI->>SARIF: write_sarif_report(output_path, reports)
    SARIF->>SARIF: build_sarif_report()
    Note over SARIF: validate URIs, map severity,<br/>separate locationless findings
    SARIF->>FS: output_path.open(w) json.dump
    FS-->>CLI: OK (or OSError warning printed)
    CLI->>User: display_completion_message()
    CLI->>CLI: sys.exit(2) if findings and non-interactive
    User->>GH: upload-sarif action (if: always())

Reviews (2): Last reviewed commit: "Fix SARIF review edge cases"


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@strix/telemetry/sarif.py`:
- Around line 165-168: The current logic drops the entire location when end_line is missing, which violates the SARIF 2.1.0 specification (region.endLine is optional). To fix it, find region, start_line, end_line and dropped_location_count in strix/telemetry/sarif.py and replace the existing if block so that region["endLine"] = end_line is set only when end_line is an integer and end_line >= start_line, with processing continuing in either case; when end_line is missing or invalid, do not set endLine on region at all and do not continue (drop); and, if necessary, increment dropped_location_count only for completely invalid locations (e.g. when start_line itself is invalid).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7b1929e-d74b-4935-9ab9-253ab4685e02

📥 Commits

Reviewing files that changed from the base of the PR and between 6b9bd4d and 35c02b1.

📒 Files selected for processing (5)
  • README.md
  • strix/interface/main.py
  • strix/telemetry/sarif.py
  • tests/interface/test_sarif_cli.py
  • tests/telemetry/test_sarif.py
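The builder and writer the PR summary describes, together with the optional-endLine point raised in the CodeRabbit comment above, as an added example that is not Strix's own sarif.py or main.py: it builds a minimal SARIF 2.1.0 document from finding dicts, keeps only normalised repository-relative paths, sets region.endLine only when it is an integer not smaller than startLine (and otherwise just omits it rather than dropping the location), counts locationless findings and dropped locations separately, deduplicates rules, and writes pretty JSON after creating the parent directory. The finding field names (rule_id, title, severity, description, locations, file, start_line, end_line), the severity-to-level mapping, the tool name and the sample findings are all assumptions constructed for this example.

```python
# Added example, not Strix's own code: a minimal SARIF 2.1.0 builder/writer.
# Field names, the severity mapping, the tool name and SAMPLE_FINDINGS are
# assumptions constructed for this example.
from __future__ import annotations

import json
import tempfile
from pathlib import Path
from typing import Any

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
SARIF_VERSION = "2.1.0"
TOOL_NAME = "example-scanner"  # hypothetical tool name

# Hypothetical scanner severity -> SARIF result.level (error / warning / note).
LEVEL_BY_SEVERITY = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}


def safe_relative_uri(path: str) -> str | None:
    """Return path only if it is a normalised, repository-relative URI.

    Absolute paths, anything with ':' (drive letters, URL schemes), backslashes,
    empty segments and '.'/'..' traversal are rejected, so a finding cannot
    point code scanning at a file outside the checkout.
    """
    if not path or "\\" in path or ":" in path or path.startswith("/"):
        return None
    if any(segment in ("", ".", "..") for segment in path.split("/")):
        return None
    return path


def build_location(loc: dict[str, Any]) -> dict[str, Any] | None:
    """Build a SARIF physicalLocation; None means the location is unusable.

    region.endLine is optional in SARIF 2.1.0: a missing or inconsistent
    end_line only omits endLine. The location is dropped solely when the
    path or start_line is invalid.
    """
    uri = safe_relative_uri(str(loc.get("file", "")))
    start_line = loc.get("start_line")
    if uri is None or not isinstance(start_line, int) or start_line < 1:
        return None
    region: dict[str, int] = {"startLine": start_line}
    end_line = loc.get("end_line")
    if isinstance(end_line, int) and end_line >= start_line:
        region["endLine"] = end_line
    return {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": region}}


def build_sarif_report(findings: list[dict[str, Any]]) -> dict[str, Any]:
    """Convert finding dicts into one SARIF run with deduplicated rules."""
    rules: dict[str, dict[str, Any]] = {}
    results: list[dict[str, Any]] = []
    locationless = 0       # findings left with no usable location
    dropped_locations = 0  # individual locations rejected by validation
    for finding in findings:
        rule_id = finding["rule_id"]
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": finding["title"]}})
        locations = []
        for loc in finding.get("locations", []):
            built = build_location(loc)
            if built is None:
                dropped_locations += 1
            else:
                locations.append(built)
        if not locations:
            locationless += 1
        result: dict[str, Any] = {
            "ruleId": rule_id,
            "level": LEVEL_BY_SEVERITY.get(str(finding.get("severity", "")).lower(), "warning"),
            "message": {"text": finding["description"]},
        }
        if locations:  # a result without locations is still valid SARIF
            result["locations"] = locations
        results.append(result)
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": TOOL_NAME, "rules": list(rules.values())}},
            "results": results,
            "properties": {"locationlessFindings": locationless, "droppedLocations": dropped_locations},
        }],
    }


def write_sarif_report(output_path: Path, findings: list[dict[str, Any]]) -> dict[str, Any]:
    """Create the parent directory, write pretty JSON, return the document."""
    report = build_sarif_report(findings)
    output_path.parent.mkdir(parents=True, exist_ok=True)
    output_path.write_text(json.dumps(report, indent=2), encoding="utf-8")
    return report


# Constructed sample findings: one with an inconsistent end_line, one whose
# locations are all unsafe, one fully valid, and one with no locations at all.
SAMPLE_FINDINGS = [
    {"rule_id": "sqli", "title": "SQL injection", "severity": "high", "description": "Unparameterised query",
     "locations": [{"file": "app/db.py", "start_line": 42, "end_line": 40}]},
    {"rule_id": "xss", "title": "Cross-site scripting", "severity": "medium", "description": "Unescaped output",
     "locations": [{"file": "../etc/passwd", "start_line": 1}, {"file": "/abs/view.py", "start_line": 3}]},
    {"rule_id": "sqli", "title": "SQL injection", "severity": "low", "description": "String-built query",
     "locations": [{"file": "app/db.py", "start_line": 10, "end_line": 12}]},
    {"rule_id": "misconfig", "title": "Debug mode enabled", "severity": "info", "description": "DEBUG=True"},
]


def roundtrip_sample() -> dict[str, Any]:
    """Write the sample report to a nested temp path and reload it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "reports" / "results.sarif"
        write_sarif_report(path, SAMPLE_FINDINGS)
        return json.loads(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print(json.dumps(build_sarif_report(SAMPLE_FINDINGS), indent=2))
```

The run-level properties (locationlessFindings, droppedLocations) are an assumed place for the summary counts; what matters for a CI upload is that a finding with an inconsistent end_line still reaches the document with its startLine, while a finding whose only locations fail validation is emitted without a locations array rather than with a path outside the repository.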
