feat: SARIF output format for CI/CD and GitHub Code Scanning #163

@Alberto-Codes

Summary

Add SARIF (Static Analysis Results Interchange Format) output support to docvet for integration with GitHub Code Scanning, SonarQube, and future AI-native triage workflows.

Motivation

SARIF is the OASIS standard for static analysis output (v2.1.0). GitHub Code Scanning natively ingests SARIF. Adding SARIF output means:

  • GitHub Advanced Security can display docvet findings in the Security tab and PR annotations
  • SonarQube can import SARIF results
  • AI-native SARIF (emerging concept) embeds prompts and fix guidance in findings for AI agent triage
  • Complements --format json (feat: add --format json structured output for agent consumption #151) — JSON is for agent consumption, SARIF is for CI/CD platform integration

Proposed usage

docvet check --format sarif > docvet-results.sarif

GitHub Actions integration

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: docvet-results.sarif
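To make the proposed output concrete, here is an added example (written for this page, not code from the docvet project or from the issue author) that turns a handful of constructed docstring findings into a SARIF 2.1.0 document of the shape GitHub Code Scanning ingests, and runs a minimal sanity check over it before upload. The finding record layout, the rule ids (`DV001`, `DV010`), the tool version string and the `docvetFindingHash/v1` fingerprint key are all assumptions; the SARIF field names (`runs`, `tool.driver`, `results`, `physicalLocation`, `partialFingerprints`, the `level` vocabulary) are from the SARIF 2.1.0 specification.

```python
import hashlib
import json
from typing import Iterable

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# SARIF 2.1.0 fixes the result level vocabulary to these four values.
SARIF_LEVELS = {"error", "warning", "note", "none"}
# Assumed mapping from a checker's severity words to SARIF levels.
SEVERITY_TO_LEVEL = {"error": "error", "warning": "warning", "info": "note"}

# Constructed sample findings, shaped like what a docstring checker might
# emit. This record layout is an assumption, not docvet's real data model.
SAMPLE_FINDINGS = [
    {"rule": "DV001", "path": "src/pkg/mod.py", "line": 12, "col": 1,
     "severity": "error", "message": "Public function 'load' has no docstring."},
    {"rule": "DV010", "path": "src/pkg/mod.py", "line": 40, "col": 5,
     "severity": "warning", "message": "Parameter 'timeout' is not documented."},
]


def _fingerprint(f: dict) -> str:
    # Hash rule, file and message but NOT the line number, so Code Scanning
    # keeps the finding's identity when unrelated edits shift it a few lines.
    raw = f"{f['rule']}|{f['path']}|{f['message']}".encode()
    return hashlib.sha256(raw).hexdigest()[:32]


def finding_to_result(f: dict) -> dict:
    """Convert one finding record into a SARIF result object."""
    return {
        "ruleId": f["rule"],
        "level": SEVERITY_TO_LEVEL.get(f["severity"], "none"),
        "message": {"text": f["message"]},
        "locations": [{
            "physicalLocation": {
                # Repo-relative path; %SRCROOT% is the conventional base id.
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "startColumn": f["col"]},
            }
        }],
        "partialFingerprints": {"docvetFindingHash/v1": _fingerprint(f)},
    }


def build_sarif(findings: Iterable[dict], tool_name: str = "docvet",
                tool_version: str = "0.0.0-example") -> dict:
    """Build a complete SARIF 2.1.0 log with one run for the given findings."""
    findings = list(findings)
    # Every ruleId used by a result should be declared under driver.rules.
    rule_ids = sorted({f["rule"] for f in findings})
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "rules": [{"id": rid} for rid in rule_ids],
            }},
            "results": [finding_to_result(f) for f in findings],
        }],
    }


def validate_sarif(doc: dict) -> list:
    """Return a list of problems an uploader would trip over; empty means OK."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append("run.tool.driver.name is required")
        known = {r["id"] for r in driver.get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            if res.get("ruleId") not in known:
                problems.append(f"result {i}: ruleId {res.get('ruleId')!r} not declared")
            if res.get("level") not in SARIF_LEVELS:
                problems.append(f"result {i}: bad level {res.get('level')!r}")
            if not res.get("message", {}).get("text"):
                problems.append(f"result {i}: message.text is empty")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                # Absolute paths, drive letters/schemes and '..' segments
                # cannot be mapped onto the checked-out repository.
                if uri.startswith(("/", "\\")) or ":" in uri or ".." in uri.split("/"):
                    problems.append(f"result {i}: uri {uri!r} must be repo-relative")
                if phys.get("region", {}).get("startLine", 0) < 1:
                    problems.append(f"result {i}: region.startLine must be >= 1")
    return problems


def to_sarif_json(findings: Iterable[dict]) -> str:
    """Serialize findings as the text `docvet check --format sarif` would print."""
    return json.dumps(build_sarif(findings), indent=2)


if __name__ == "__main__":
    doc = build_sarif(SAMPLE_FINDINGS)
    print(to_sarif_json(SAMPLE_FINDINGS))
    print("problems:", validate_sarif(doc) or "none")
```

The `validate_sarif` step is worth keeping in the CI job even after the format is implemented: the upload action accepts the file, but results with absolute or non-repository paths silently fail to appear as annotations, and a `ruleId` missing from `driver.rules` loses the rule metadata in the Security tab.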

Priority

Lower priority than --format json (#151). SARIF matters once docvet is in CI pipelines. No AI coding agent natively parses SARIF today, but GitHub Code Scanning ingestion makes this valuable for the CI feedback loop.

Metadata

Labels: feature (New feature), future (Deferred to a future release)
Assignees: no one assigned
Milestone: no milestone