Certain other standards for vulnerability information interchange exist. For example CycloneDX added vulnerability data in v1.4. There are also VEX standards. Is there a particular reason to prefer SARIF over the others?
@Shnatsel Apologies for the delay. SARIF is the industry standard format for static analysis tool output. It's not specific to vulnerability information. cargo-audit is at its core a static analysis tool, checking source code for vulnerabilities, which is why SARIF fits as an export format to support.
Once cargo-audit supports SARIF, I would be happy to submit a PR to https://github.com/rustsec/audit-check to take the SARIF output and submit it to GitHub as part of a GitHub Action workflow run.
SARIF is an industry-standard format for the output of static analysis tools.

It would be great if cargo-audit could export findings in SARIF so that the results can be imported into existing tooling (such as GitHub).
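An added example, not code from cargo-audit, rustsec/audit-check or anyone in this thread: a small converter that takes the JSON report cargo-audit already prints with `--json` and emits a minimal SARIF 2.1.0 log of the shape GitHub code scanning ingests. Python is used for the JSON plumbing rather than Rust because nothing here touches cargo-audit internals. The input field names (`vulnerabilities.list[].advisory`, `.package`, `.versions.patched`) are assumed from the current `--json` report, the sample report, its `RUSTSEC-0000-0000` advisory and `example-crate` are constructed placeholders, and the SARIF keys (`runs`, `tool.driver.rules`, `results`, `locations`, `partialFingerprints`) follow the SARIF 2.1.0 specification.

```python
"""Hypothetical `cargo audit --json` -> SARIF 2.1.0 converter.

Written for this thread as an illustration; it is not part of cargo-audit or
rustsec/audit-check. Input field names (vulnerabilities.list[].advisory,
.package, .versions.patched) are assumed from the report cargo-audit prints
with --json; adjust them if the report shape differs.
"""
import json
import sys

# Constructed sample in the shape of a `cargo audit --json` report. The
# advisory ID, crate name and URL are placeholders, not a real advisory.
SAMPLE_REPORT = {
    "lockfile": {"dependency-count": 2},
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [
            {
                "advisory": {
                    "id": "RUSTSEC-0000-0000",
                    "package": "example-crate",
                    "title": "Placeholder advisory title",
                    "description": "Placeholder description of the flaw.",
                    "url": "https://example.invalid/advisory",
                    "aliases": [],
                },
                "versions": {"patched": [">=1.0.1"], "unaffected": []},
                "package": {"name": "example-crate", "version": "1.0.0"},
            }
        ],
    },
}


def to_sarif(report, lockfile_uri="Cargo.lock", tool_version="unknown"):
    """Map each vulnerability to a SARIF rule (the advisory) and a result
    (the affected package). cargo-audit has no line-level position, so the
    result points at the lockfile as a whole; GitHub code scanning still
    needs at least that artifact location to ingest the result."""
    rules = {}
    results = []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        adv = vuln["advisory"]
        pkg = vuln["package"]
        patched = vuln.get("versions", {}).get("patched", [])
        rule_id = adv["id"]
        # One rule per advisory, even if several packages are hit by it.
        if rule_id not in rules:
            rules[rule_id] = {
                "id": rule_id,
                "shortDescription": {"text": adv.get("title") or rule_id},
                "fullDescription": {"text": adv.get("description", "")},
                "helpUri": f"https://rustsec.org/advisories/{rule_id}.html",
                "properties": {
                    "aliases": adv.get("aliases", []),
                    "tags": ["security", "supply-chain"],
                },
            }
        fix = f"patched in {', '.join(patched)}" if patched else "no patched version listed"
        results.append({
            "ruleId": rule_id,
            "level": "error",
            "message": {"text": f"{pkg['name']} {pkg['version']} is affected by {rule_id} ({fix})."},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": lockfile_uri, "uriBaseId": "%SRCROOT%"}
                }
            }],
            # Stable fingerprint so re-runs update rather than duplicate alerts.
            "partialFingerprints": {
                "advisoryPackage": f"{rule_id}:{pkg['name']}@{pkg['version']}"
            },
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "cargo-audit",
                "informationUri": "https://github.com/rustsec/rustsec",
                "version": tool_version,
                "rules": list(rules.values()),
            }},
            "results": results,
        }],
    }


def convert_text(report_json: str) -> str:
    """Convenience wrapper: JSON report text in, SARIF JSON text out."""
    return json.dumps(to_sarif(json.loads(report_json)), indent=2)


if __name__ == "__main__":
    # Usage: cargo audit --json | python cargo_audit_sarif.py > results.sarif
    sys.stdout.write(convert_text(sys.stdin.read()))
```

Two caveats a practitioner would want before wiring this into an upload step: the result deliberately carries only an artifact location and no region, because a lockfile finding has no meaningful line, and `partialFingerprints` is set so that repeated workflow runs update the same alert instead of opening a new one per run. A real export would also populate the `security-severity` rule property GitHub uses to rank alerts, which expects a numeric score rather than the CVSS vector string the advisory carries.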