Description
The validator already outputs SARIF reports. Many complementary tools (gitleaks, trivy, semgrep, checkov, etc.) also produce SARIF output. Adding the ability to ingest external SARIF files and merge them into the validator's report would give teams a single unified report in CI — one set of PR annotations, one artifact to upload.
Proposed behavior
```sh
# Run validator, merge in results from other tools
validator --reporter=sarif --merge-sarif=gitleaks.sarif --merge-sarif=trivy.sarif .
# Or pipe multiple SARIF files
validator --reporter=sarif --merge-sarif-dir=./reports/ .
```
The merged SARIF output would contain:
- The validator's own results (syntax/schema validation) as one run
- Each external SARIF file's results preserved as additional runs
- Tool metadata preserved (tool name, version, rules) so it's clear which finding came from which tool
Why this is valuable
- Teams already run multiple tools in CI (validator + gitleaks + trivy + etc.)
- GitHub, GitLab, and Azure DevOps all accept SARIF uploads for code scanning alerts
- Currently each tool produces a separate SARIF file requiring separate uploads and separate annotation sets
- A merged report means one upload, one unified view of all config-related findings
- The validator becomes the aggregation point for config file quality — syntax, schema, and security — without reimplementing security scanning