Problem

`gowdk audit` has human and JSON output, but it is not yet a complete CI-native reporting surface for code scanning, stable tracking, or introduced-finding gates.

Verified in this checkout:

- `gowdk audit` usage supports `--json`, `--emit-tests`, and `--run`.
- The JSON report includes `version`, `status`, `summary`, `findings`, and `manifest`.
- There is no versioned JSON Schema file, SARIF output mode, stable finding fingerprint field, documented detailed exit-code contract, or `--diff <previous-report>`.

Acceptance criteria

- Publish a versioned JSON Schema for `gowdk audit --json` and `gowdk-security.json`.
- Add SARIF output suitable for GitHub code scanning upload.
- Add stable finding fingerprints independent of line movement where possible.
- Document exit codes for clean, warning-only, error findings, invalid source/policy, runtime test failure, and internal/tool failure.
- Add `gowdk audit --diff <previous-report>` or equivalent to report newly introduced findings.
- Add tests/goldens for JSON schema compatibility, SARIF shape, fingerprint stability, and diff behavior.
- Document a GitHub Actions example that uploads SARIF and gates newly introduced error findings.
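One way the fingerprint and `--diff` criteria above could fit together, as an added sketch that is not gowdk's own code: the `Finding` fields, rule ids and the hashing scheme are assumptions, since the issue does not describe the report's finding shape.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Finding: hypothetical shape of one gowdk audit --json finding; names assumed.
type Finding struct {
	RuleID, File, Snippet string // Snippet is the flagged source text
	Line                  int
}

func normalise(s string) string { return strings.Join(strings.Fields(s), " ") }

// Fingerprint hashes rule, file, normalised flagged code and an ordinal (the
// n-th repeat of that snippet in the file, in source order), never the line.
func Fingerprint(f Finding, ordinal int) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%s\x00%s\x00%d",
		f.RuleID, f.File, normalise(f.Snippet), ordinal)))
	return hex.EncodeToString(sum[:8])
}

// Fingerprints returns one fingerprint per finding; input assumed in source order.
func Fingerprints(findings []Finding) []string {
	seen := map[string]int{}
	fps := make([]string, len(findings))
	for i, f := range findings {
		key := f.RuleID + "\x00" + f.File + "\x00" + normalise(f.Snippet)
		fps[i] = Fingerprint(f, seen[key])
		seen[key]++
	}
	return fps
}

// Introduced returns current findings absent from previous: what a --diff gate fails on.
func Introduced(previous, current []Finding) []Finding {
	old := map[string]bool{}
	for _, fp := range Fingerprints(previous) {
		old[fp] = true
	}
	var out []Finding
	for i, fp := range Fingerprints(current) {
		if !old[fp] {
			out = append(out, current[i])
		}
	}
	return out
}
```

Findings whose snippet changes (not just moves) will be reported as introduced, which is the expected trade-off of a content-based fingerprint.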