Feature Request
Add SARIF (Static Analysis Results Interchange Format) as an output format. SARIF is the industry-standard format for security tool results and is natively supported by:
- GitHub Advanced Security (shows results inline in PRs and the Security tab)
- GitHub Code Scanning (free for public repos)
- Azure DevOps security dashboards
- VS Code SARIF Viewer extension
- Any SIEM, dashboard or viewer that can ingest SARIF
Why This Matters for an OWASP Project
DockSec is an OWASP Incubator project. SARIF support enables seamless integration into the security toolchains that security teams already use. Without it, users must write their own converter for DockSec's JSON output before results can be fed into their pipelines or code-scanning dashboards.
Proposed Usage
```bash
# Generate SARIF output
docksec Dockerfile -i myapp:latest --format sarif -o results/docksec.sarif
```

```yaml
# Use in GitHub Actions
- name: Run DockSec
  run: docksec Dockerfile -i myapp:latest --format sarif -o docksec.sarif
- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: docksec.sarif
```
SARIF Structure to Implement
```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [{
    "tool": {
      "driver": {
        "name": "DockSec",
        "version": "2026.2.23",
        "informationUri": "https://github.com/advaitpatel/DockSec",
        "rules": []
      }
    },
    "results": [
      {
        "ruleId": "CVE-2023-1234",
        "level": "error",
        "message": { "text": "Critical vulnerability in openssl 1.0.0" },
        "locations": [{
          "physicalLocation": {
            "artifactLocation": { "uri": "Dockerfile" },
            "region": { "startLine": 1 }
          }
        }]
      }
    ]
  }]
}
```
Severity Mapping

| DockSec Severity | SARIF Level |
|------------------|-------------|
| CRITICAL         | error       |
| HIGH             | error       |
| MEDIUM           | warning     |
| LOW              | note        |
| UNKNOWN          | none        |

Note that SARIF `level` only has the four values above, so CRITICAL and HIGH collapse to `error`. GitHub code scanning shows a finer Critical/High/Medium/Low severity only if each rule descriptor carries a `security-severity` property (a CVSS-style score as a string, e.g. `"9.5"`), so the generator should populate `tool.driver.rules` with that property rather than leaving `rules` empty.
Implementation Plan
- Add `generate_sarif()` method to `report_generator.py`
- Add `--format sarif` option to `docksec.py` CLI argument parser
- Map Trivy JSON output → SARIF result objects
- Map Hadolint findings → SARIF result objects (with Dockerfile line numbers)
- Add to `generate_all_reports()` flow
- Add tests for SARIF structure validation
- Add GitHub Actions workflow example in `examples/`
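The following is an added example of what `generate_sarif()` could look like; it is not DockSec's code. It takes a Trivy image report and a Hadolint JSON report (both constructed inline in the shapes those tools emit), applies the severity mapping above, populates `tool.driver.rules` with `security-severity`, and anchors Hadolint findings to their Dockerfile line. Image CVEs have no Dockerfile line, so they use the proposal's placeholder of line 1. The mapping of Hadolint's own levels onto DockSec severities and the helper names are assumptions made for this illustration.

```python
"""Added example (not DockSec's code): convert Trivy + Hadolint findings to SARIF 2.1.0."""
import json

# Severity mapping from the proposal (DockSec severity -> SARIF level).
SEVERITY_TO_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning",
                     "LOW": "note", "UNKNOWN": "none"}

# GitHub code scanning reads a rule's "security-severity" (CVSS-style score as a
# string) to display Critical/High/Medium/Low; the exact scores here are a choice.
SEVERITY_TO_SCORE = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.0",
                     "LOW": "2.0", "UNKNOWN": "0.0"}

# Hadolint emits error/warning/info/style; mapping them to DockSec severities is an assumption.
HADOLINT_LEVEL_TO_SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW"}


def _normalize(severity):
    sev = (severity or "UNKNOWN").upper()
    return sev if sev in SEVERITY_TO_LEVEL else "UNKNOWN"


def _location(uri, line):
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


def _trivy_results(trivy_json, dockerfile="Dockerfile"):
    """Yield (rule, result) for each vulnerability in a Trivy image report (`trivy image -f json`)."""
    for target in trivy_json.get("Results", []):
        for vuln in target.get("Vulnerabilities") or []:  # key is null when a target is clean
            sev = _normalize(vuln.get("Severity"))
            title = vuln.get("Title") or vuln["VulnerabilityID"]
            rule = {"id": vuln["VulnerabilityID"],
                    "shortDescription": {"text": title},
                    "helpUri": vuln.get("PrimaryURL", ""),
                    "properties": {"security-severity": SEVERITY_TO_SCORE[sev]}}
            fixed = vuln.get("FixedVersion") or "no fix available"
            result = {"ruleId": rule["id"], "level": SEVERITY_TO_LEVEL[sev],
                      "message": {"text": f"{vuln['PkgName']} {vuln['InstalledVersion']} in "
                                          f"{target['Target']}: {title} (fixed in {fixed})"},
                      # An image CVE has no Dockerfile line; the proposal anchors it to line 1.
                      "locations": [_location(dockerfile, 1)]}
            yield rule, result


def _hadolint_results(hadolint_json):
    """Yield (rule, result) for each finding in Hadolint's JSON output (`hadolint -f json`)."""
    for finding in hadolint_json:
        sev = HADOLINT_LEVEL_TO_SEVERITY.get(finding.get("level", ""), "UNKNOWN")
        code = finding["code"]
        rule = {"id": code, "shortDescription": {"text": finding["message"]},
                # DLxxxx rules are documented on the Hadolint wiki; SCxxxx codes come from ShellCheck.
                "helpUri": f"https://github.com/hadolint/hadolint/wiki/{code}" if code.startswith("DL") else "",
                "properties": {"security-severity": SEVERITY_TO_SCORE[sev]}}
        result = {"ruleId": code, "level": SEVERITY_TO_LEVEL[sev],
                  "message": {"text": finding["message"]},
                  "locations": [_location(finding.get("file", "Dockerfile"), finding["line"])]}
        yield rule, result


def generate_sarif(trivy_json, hadolint_json, tool_version="2026.2.23"):
    """Build one SARIF run with a deduplicated rule list and results pointing at it via ruleIndex."""
    rules, rule_index, results = [], {}, []
    for rule, result in list(_trivy_results(trivy_json)) + list(_hadolint_results(hadolint_json)):
        if rule["id"] not in rule_index:
            rule_index[rule["id"]] = len(rules)
            rules.append(rule)
        result["ruleIndex"] = rule_index[rule["id"]]
        results.append(result)
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "DockSec", "version": tool_version,
                                          "informationUri": "https://github.com/advaitpatel/DockSec",
                                          "rules": rules}},
                      "results": results}]}


# Constructed sample inputs (not real scan output), shaped like Trivy and Hadolint JSON.
TRIVY_SAMPLE = {"Results": [{"Target": "myapp:latest (alpine 3.18)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-1234", "PkgName": "openssl", "InstalledVersion": "1.0.0",
     "FixedVersion": "1.0.1", "Severity": "CRITICAL",
     "Title": "Critical vulnerability in openssl 1.0.0", "PrimaryURL": ""}]}]}
HADOLINT_SAMPLE = [{"line": 3, "column": 1, "file": "Dockerfile", "code": "DL3008",
                    "level": "warning", "message": "Pin versions in apt get install."}]

if __name__ == "__main__":
    print(json.dumps(generate_sarif(TRIVY_SAMPLE, HADOLINT_SAMPLE), indent=2))
```

The output validates against the SARIF 2.1.0 schema referenced in `$schema` and can be passed straight to `github/codeql-action/upload-sarif`. Keeping `rules` deduplicated matters in practice: a single CVE usually hits several packages or layers, and code scanning groups results by rule.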
Acceptance Criteria
References