Description
Is your feature request related to a problem? Please describe.
In SARIF output generated by DevSkim, only active findings are included. Suppressed results (for example, findings ignored via .devskimignore) are entirely omitted. This limits traceability and makes it difficult to maintain a clear audit trail of which issues were reviewed and intentionally suppressed.
Several established static analysis tools, including Roslyn Analyzers and ESLint (with SARIF plugins), support inclusion of suppressed results in their SARIF output. This provides full visibility into both active and suppressed findings, which is important for security reviews and compliance requirements.
Describe the solution you'd like
Add an optional flag (e.g., --include-suppressed) or equivalent configuration that enables inclusion of suppressed results in the SARIF output. Suppressed results should be clearly marked according to the SARIF specification, using fields such as "baselineState": "suppressed" or "suppressions". The default behaviour should remain unchanged to avoid impacting existing users.
Describe alternatives you've considered
- Manually parsing `.devskimignore` and the source code to reconstruct suppressed results, but this is fragile, time-consuming, and prone to errors.
- Maintaining separate manual suppression records, but that fragments reporting and reduces the usefulness of SARIF as a single, authoritative output format.
Additional context
In DevSecOps pipelines, SARIF is often used as a unified reporting format, aggregating results from multiple tools into centralized dashboards. Including suppressed results improves transparency, simplifies auditing, and aligns DevSkim's output with industry practices for SARIF-producing tools.
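As an added example (not DevSkim's code and not part of the issue above), the script below shows what the requested output would look like on the wire and how a downstream SARIF consumer would tell active and suppressed results apart. SARIF 2.1.0 represents a suppressed result with the result's `suppressions` array, where each entry carries a `kind` of `inSource` or `external` and an optional `status` that defaults to `accepted`; the example emits that shape. The scanner name `ExampleScanner`, rule id `RULE0001`, file paths and the suppressed-finding list are all constructed sample data, and the script assumes a single-run log.

```python
"""Add suppressed findings to a SARIF 2.1.0 log and partition results for reporting.

Standalone illustration: the SARIF log and the suppressed findings below are
constructed sample data, not real scanner output.
"""
import json

# Constructed sample: a minimal SARIF log with one active result.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ExampleScanner", "rules": [
            {"id": "RULE0001", "shortDescription": {"text": "Example finding"}},
        ]}},
        "results": [{
            "ruleId": "RULE0001",
            "level": "warning",
            "message": {"text": "Active finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 10}}}],
        }],
    }],
}

# Constructed suppressed findings, as a scanner could collect them from an
# ignore file (kind "external") or an in-source ignore comment (kind "inSource").
SUPPRESSED = [
    {"ruleId": "RULE0001", "uri": "src/legacy.py", "line": 42, "kind": "external",
     "justification": "Listed in ignore file; accepted after review"},
    {"ruleId": "RULE0001", "uri": "src/app.py", "line": 88, "kind": "inSource",
     "justification": "Suppressed by in-source ignore comment"},
]

# The two suppression kinds defined by SARIF 2.1.0.
SUPPRESSION_KINDS = {"inSource", "external"}


def make_result(rule_id, uri, line, message):
    """Build a minimal SARIF result object with one physical location."""
    return {
        "ruleId": rule_id,
        "level": "warning",
        "message": {"text": message},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }


def add_suppressed_results(sarif, suppressed):
    """Return a copy of the log with each suppressed finding appended as a result
    that carries a `suppressions` array, so it stays visible but is marked."""
    out = json.loads(json.dumps(sarif))  # deep copy; leave the input untouched
    results = out["runs"][0].setdefault("results", [])
    for s in suppressed:
        if s["kind"] not in SUPPRESSION_KINDS:
            raise ValueError("unknown suppression kind: %r" % s["kind"])
        result = make_result(s["ruleId"], s["uri"], s["line"], "Suppressed finding")
        result["suppressions"] = [{
            "kind": s["kind"],
            "status": "accepted",
            "justification": s["justification"],
        }]
        results.append(result)
    return out


def is_suppressed(result):
    """A result counts as suppressed when at least one suppression entry has
    status "accepted"; an absent status defaults to "accepted". A suppression
    with status "rejected" or "underReview" leaves the result active."""
    entries = result.get("suppressions") or []
    return any(e.get("status", "accepted") == "accepted" for e in entries)


def partition(sarif):
    """Split a log's results into (active, suppressed) the way a dashboard would."""
    active, suppressed = [], []
    for r in sarif["runs"][0].get("results", []):
        (suppressed if is_suppressed(r) else active).append(r)
    return active, suppressed


if __name__ == "__main__":
    merged = add_suppressed_results(SAMPLE_SARIF, SUPPRESSED)
    active, suppressed = partition(merged)
    print("active:", len(active), "suppressed:", len(suppressed))
    print(json.dumps(merged, indent=2))
```

A consumer that keys only on the presence of `suppressions` would miscount a result whose suppression was rejected during review, which is why `is_suppressed` checks `status` rather than the array alone.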