adds sarif support

Author: RubenHalman

.github/workflows/deploy-BETA.yml

@@ -0,0 +1,26 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - "v*" # Trigger on version tags like v6.0.0
+
+permissions:
+  contents: read
+  id-token: write # Required for OIDC (Trusted Publishing)
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    # environment: production  # Uncomment for approval gates
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+      - name: Update npm
+        run: npm install -g npm@latest
+      - run: npm ci
+      - run: npm run build
+      - run: npm publish --access public

.github/workflows/deploy-RELEASE.yml

@@ -33,17 +33,19 @@ sf flow:scan [options]
 Customize the scan behavior using the following options:
 
 ```sh-session
-  -c, --config <path>                                               provide a path to the configuration file.
+  -c, --config <path>                                               set a path to the configuration file.
 
-  -f, --failon                                                      provide a threshold level for returning status 1
+  -d, --directory <C:\..\force-app\main\default\flows>              set a directory to scan.
 
-  -p, --files <C:\..\flow1.flow, C:\..\flow2.flow>                  provide a space-separated list of flow paths to scan.
+  -f, --failon                                                      set a threshold level for failure by error
 
-  -d, --directory <C:\..\force-app\main\default\flows>              provide a directory to scan.
+  -p, --files <C:\..\flow1.flow, C:\..\flow2.flow>                  set a space-separated list of flow paths to scan.
 
-  --json                                                            set output format as json.
+  -s, --sarif                                                       get SARIF output to the stdout directly
+
+  -z, --betamode                                                    a runtime toggle to enable beta rules(experimental)
 
-  -z, --betamode                                                     a runtime toggle to enable beta rules(experimental)
+  --json                                                            set output format as json.
 
   --loglevel=(trace|debug|info|warn|error|fatal)                    [default: warn] logging level.
 ```
@@ -139,12 +141,12 @@ Note: if you prefer JSON format, you can create a `.flow-scanner.json` file usin
 ```
 
 5. **Linking SF CLI Plugin**
-to test changes in your local CLI run:
+   to test changes in your local CLI run:
 
 ```bash
   sf plugins link .
 ```
-   
+
 6. **Linking** **Core Module (Optional)**
 
 If you’re developing or testing updates to the core module, you can link it locally:

.github/workflows/generate-RELEASE.yml

@@ -4,7 +4,7 @@
   "bugs": "https://github.com/Flow-Scanner/lightning-flow-scanner-cli/issues",
   "description": "A Salesforce CLI plugin for static analysis and optimization of Flows. Scans metadata for 20+ issues such as hardcoded IDs, unsafe contexts, inefficient SOQL/DML operations, recursion risks, and missing fault handling. Supports auto-fixes, rule configurations, and CI/CD integration to help users maintain secure and reliable Flow automations.",
   "dependencies": {
-    "@flow-scanner/lightning-flow-scanner-core": "^6.0.4",
+    "@flow-scanner/lightning-flow-scanner-core": "^6.1.2",
     "@oclif/core": "^4.5.4",
     "@salesforce/core": "^8.18.7",
     "@salesforce/sf-plugins-core": "^12.2.3",

.github/workflows/publish.yml

@@ -15,6 +15,7 @@ import { inspect } from "util";
 const {
   parse: parseFlows,
   scan: scanFlows,
+  exportSarif: exportSarif,
 } = pkg;
 
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
@@ -42,18 +43,18 @@ export default class Scan extends SfCommand<Output> {
   protected errorCounters: Map<string, number> = new Map<string, number>();
 
   public static readonly flags = {
+    config: Flags.file({
+      char: "c",
+      description: "Path to configuration file",
+      required: false,
+    }),
     directory: Flags.directory({
       char: "d",
       description: messages.getMessage("directoryToScan"),
       required: false,
       exists: true,
       exclusive: ["files"],
     }),
-    config: Flags.file({
-      char: "c",
-      description: "Path to configuration file",
-      required: false,
-    }),
     failon: Flags.option({
       char: "f",
       description:
@@ -68,6 +69,11 @@ export default class Scan extends SfCommand<Output> {
       charAliases: ["p"],
       exclusive: ["directory"],
     }),
+    sarif: Flags.boolean({
+      char: "s",
+      description: "Get SARIF output in the stdout directly",
+      default: false,
+    }),
     betamode: Flags.boolean({
       char: "z",
       description: "Enable beta rules at run-time (experimental)",
@@ -99,20 +105,23 @@ export default class Scan extends SfCommand<Output> {
     this.debug(`parsed flows ${parsedFlows.length}`, ...parsedFlows);
 
     // ---- 5. Run the scan ----------------------------------------------------
-    const tryScan = (): [ScanResult[], Error | null] => {
-      try {
-        const scanConfig: any = {
-          rules: mergedConfig.rules ?? {},
-          betamode: !!mergedConfig.betamode,
-        };
-        return [scanFlows(parsedFlows, scanConfig), null];
-      } catch (err) {
-        return [null, err as Error];
-      }
-    };
-    const [scanResults, scanError] = tryScan();
+    let scanResults: ScanResult[];
+    try {
+      const scanConfig = {
+        rules: mergedConfig.rules ?? {},
+        betamode: !!mergedConfig.betamode,
+      };
+      scanResults = scanFlows(parsedFlows, scanConfig);
+    } catch (err) {
+      this.error(`Scan failed: ${(err as Error).message}`);
+    }
+
+    if (flags.sarif) {
+      const sarif = await exportSarif(scanResults);
+      process.stdout.write(sarif + '\n');
+      process.exit(this.getStatus());
+    }
 
-    this.debug(`error:`, inspect(scanError));
     this.debug(`scan results: ${scanResults.length}`, ...scanResults);
     this.spinner.stop(`Scan complete`);