
SARIF 2.1 codeFlows for taint tracking — enhanced GitHub Advanced Security integration #128

@JBAhire

Description

Summary

Enhance g0's SARIF output to include codeFlows for taint tracking findings and relatedLocations for cross-file findings, enabling richer display in GitHub Advanced Security and VS Code SARIF viewers.

Motivation

g0 generates SARIF 2.1.0 output for GitHub Code Scanning integration, but currently only includes basic results with locations. The SARIF spec supports:

  • codeFlows — ordered sequences of locations showing how data flows from source to sink (taint tracking)
  • relatedLocations — additional locations relevant to a finding (cross-file correlations)
  • graphs — node/edge representations of agent topology

g0 already performs pipeline taint tracking, cross-file exfiltration analysis, and agent graph construction internally. This data should be surfaced in SARIF output.

Proposed Implementation

1. codeFlows for Taint Findings

  • Pipeline taint findings (source → obfuscation → sink) include flow steps in SARIF codeFlows
  • Cross-file exfiltration findings include the full trace path
  • Each threadFlow step includes: location, message, importance level

2. relatedLocations for Cross-File Findings

  • Cross-tool correlation findings reference all involved tool definitions
  • Cross-file exfiltration findings reference source and sink files
  • Agent graph findings reference related agent/tool definitions

3. Graph Representation

  • Agent topology as SARIF graphs (nodes = agents/tools, edges = calls/data flows)
  • Toxic flow paths as graph edges with risk annotations

4. Fix Information

  • Include fixes array with suggested code changes where possible
  • Reference remediation cookbook entries

Files to Modify

  • src/reporters/sarif.ts — add codeFlows, relatedLocations, graphs, fixes
  • Update SARIF tests in tests/unit/sarif.test.ts

Acceptance Criteria

  • Taint findings include codeFlows in SARIF
  • Cross-file findings include relatedLocations
  • SARIF validates against SARIF 2.1.0 schema
  • GitHub Code Scanning displays flow steps
  • VS Code SARIF Viewer shows enhanced information
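As an added illustration of what the proposal above asks for, the following TypeScript turns a source → obfuscation → sink taint trace into a SARIF 2.1.0 result carrying codeFlows (one threadFlow, with importance set per step) and relatedLocations (one per file other than the sink's, with ids that the result message links to). This is example code written for this page, not g0's reporter; the TaintFinding input shape, the uriBaseId "%SRCROOT%", and the rule id in the sample are assumptions made for the example.

```typescript
// Added example: converting a g0-style taint trace into a SARIF 2.1.0 result
// with codeFlows and relatedLocations. The TaintFinding shape below is a
// hypothetical input format assumed for illustration, not g0's real model.

type StepKind = "source" | "obfuscation" | "sink";

interface TaintStep {
  file: string;    // repo-relative path
  line: number;    // 1-based
  column: number;  // 1-based
  kind: StepKind;
  note: string;    // what happens to the tainted value at this step
}

interface TaintFinding {
  ruleId: string;
  message: string;     // may link to relatedLocations as [text](id)
  steps: TaintStep[];  // ordered: source -> ... -> sink
}

// Minimal SARIF 2.1.0 shapes for the parts emitted here.
interface SarifLocation {
  id?: number;
  physicalLocation: {
    artifactLocation: { uri: string; uriBaseId: string };
    region: { startLine: number; startColumn: number };
  };
  message?: { text: string };
}

type Importance = "essential" | "important" | "unimportant";

interface ThreadFlowLocation { location: SarifLocation; importance: Importance }

interface SarifResult {
  ruleId: string;
  level: "error" | "warning" | "note";
  message: { text: string };
  locations: SarifLocation[];
  codeFlows: { threadFlows: { locations: ThreadFlowLocation[] }[] }[];
  relatedLocations: SarifLocation[];
}

function toLocation(step: TaintStep, id?: number): SarifLocation {
  const loc: SarifLocation = {
    physicalLocation: {
      artifactLocation: { uri: step.file, uriBaseId: "%SRCROOT%" }, // assumed base id
      region: { startLine: step.line, startColumn: step.column },
    },
    message: { text: step.note },
  };
  if (id !== undefined) loc.id = id;
  return loc;
}

// Source and sink are what a reviewer must see; intermediate hops are marked
// "important" so viewers may collapse them but still show them on demand.
function importanceFor(kind: StepKind): Importance {
  return kind === "obfuscation" ? "important" : "essential";
}

function taintFindingToResult(f: TaintFinding): SarifResult {
  if (f.steps.length < 2) throw new Error("taint flow needs at least a source and a sink");
  const sink = f.steps[f.steps.length - 1];
  if (f.steps[0].kind !== "source" || sink.kind !== "sink") {
    throw new Error("flow must start at a source and end at a sink");
  }

  // relatedLocations: the first step seen in every file other than the sink's,
  // numbered 1..n so the result message can reference them as [text](id).
  const related: SarifLocation[] = [];
  const seen = new Set<string>([sink.file]);
  for (const s of f.steps) {
    if (seen.has(s.file)) continue;
    seen.add(s.file);
    related.push(toLocation(s, related.length + 1));
  }

  const threadLocations: ThreadFlowLocation[] = f.steps.map((s) => ({
    location: toLocation(s),
    importance: importanceFor(s.kind),
  }));

  return {
    ruleId: f.ruleId,
    level: "error",
    message: { text: f.message },
    locations: [toLocation(sink)],            // primary location is the sink
    codeFlows: [{ threadFlows: [{ locations: threadLocations }] }],
    relatedLocations: related,
  };
}

// Constructed sample input: a secret is read in one file, base64-encoded in a
// second, and handed to a network tool in a third.
const sampleFinding: TaintFinding = {
  ruleId: "g0/cross-file-exfiltration", // hypothetical rule id
  message: "Secret read in [config.ts](1) reaches a network sink after encoding in [encode.ts](2)",
  steps: [
    { file: "src/config.ts", line: 12, column: 5, kind: "source", note: "reads API_KEY from the environment" },
    { file: "src/encode.ts", line: 4, column: 10, kind: "obfuscation", note: "base64-encodes the value" },
    { file: "src/tools/http.ts", line: 31, column: 3, kind: "sink", note: "sends request body to an external URL" },
  ],
};

const sampleResult = taintFindingToResult(sampleFinding);
console.log(JSON.stringify(sampleResult, null, 2));
```

The result object slots into a `runs[].results[]` array unchanged; GitHub Code Scanning renders the threadFlow as numbered steps and resolves the `[text](id)` links in the message against `relatedLocations`.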

Metadata

Assignees

No one assigned

Labels

  • developer-experience: IDE extensions, CI/CD, GitHub App, SDK
  • platform: Guard0 platform, API, integrations, fleet management
