Description
Implement a report generation system that outputs scan results in multiple formats suitable for CI/CD integration, compliance tracking, and human review. SARIF output enables direct integration with GitHub Code Scanning and other security tooling.
Tasks
- Implement SARIF 2.1.0 output:
  - Conform to the SARIF specification for static analysis results
  - Include tool information, rules, and results
  - Map severity levels to SARIF levels (error, warning, note)
  - Include code flow and location information
  - Validate output against the SARIF schema
- Implement JSON output:
  - Structured findings with full metadata
  - Summary statistics (total, by severity, by scanner type)
  - Machine-readable format for programmatic consumption
- Implement HTML report:
  - Executive summary with severity breakdown
  - Charts: pie chart by severity, bar chart by scanner type
  - Detailed findings table with filtering/sorting
  - Remediation suggestions inline
  - Self-contained single-file HTML (embedded CSS/JS)
- Implement Markdown summary:
  - Suitable for PR comments and issue descriptions
  - Severity badges and summary table
  - Top findings with links to remediation
- Implement CSV export:
  - Flat format for spreadsheet analysis and compliance tracking
  - All finding fields as columns
- Include NIST compliance mapping in all formats:
  - SP 800-131A Rev. 2 compliance status
  - CNSA 2.0 timeline alignment
  - Quantum readiness score (0-100)
- Write tests validating each output format
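As an added illustration of the SARIF and JSON-summary tasks above (example code, not part of this issue or the project), the sketch below builds a SARIF 2.1.0 log from a list of findings: rules are listed once under `tool.driver.rules`, each result refers to its rule by `ruleIndex`, severities map onto the three SARIF levels, and the NIST status and scanner type ride along in SARIF property bags. The finding field names, the severity-to-level mapping and the sample findings are assumptions constructed for the example; the structural checks here are not a substitute for validating against the official SARIF JSON schema.

```python
import json

# Assumed severity -> SARIF level mapping; the issue names only the three SARIF levels.
SARIF_LEVELS = {"critical": "error", "high": "error", "medium": "warning",
                "low": "note", "info": "note"}

# Constructed sample findings (not real scan output); field names are assumptions.
SAMPLE_FINDINGS = [
    {"rule_id": "CRYPTO-RSA-1024", "rule_name": "RSA key shorter than 2048 bits",
     "severity": "high", "scanner": "keysize", "file": "src/tls.py", "line": 42,
     "message": "RSA-1024 key generation", "nist_status": "disallowed",
     "remediation": "Use RSA-3072 or an approved PQC scheme"},
    {"rule_id": "CRYPTO-MD5", "rule_name": "MD5 used for signatures",
     "severity": "medium", "scanner": "hash", "file": "src/sign.py", "line": 7,
     "message": "hashlib.md5() in signature path", "nist_status": "disallowed",
     "remediation": "Use SHA-256 or stronger"},
    {"rule_id": "CRYPTO-MD5", "rule_name": "MD5 used for signatures",
     "severity": "low", "scanner": "hash", "file": "src/cache.py", "line": 19,
     "message": "hashlib.md5() for cache key", "nist_status": "acceptable",
     "remediation": "Non-security use; prefer SHA-256 anyway"},
]

def to_sarif(findings, tool_name="crypto-scanner", tool_version="0.1.0"):
    """Build a SARIF 2.1.0 log: one run, deduplicated rules, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        rid = f["rule_id"]
        if rid not in rule_index:  # each rule is listed once; results refer to it by index
            rule_index[rid] = len(rules)
            rules.append({"id": rid, "shortDescription": {"text": f["rule_name"]},
                          "help": {"text": f["remediation"]},
                          "properties": {"nist_sp800_131a": f["nist_status"]}})
        results.append({
            "ruleId": rid, "ruleIndex": rule_index[rid],
            "level": SARIF_LEVELS.get(f["severity"].lower(), "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
            "properties": {"scanner": f["scanner"]},
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                          "rules": rules}}, "results": results}]}

def summarize(findings):
    """Summary statistics for the JSON format: total, by severity, by scanner type."""
    by_sev, by_scanner = {}, {}
    for f in findings:
        by_sev[f["severity"]] = by_sev.get(f["severity"], 0) + 1
        by_scanner[f["scanner"]] = by_scanner.get(f["scanner"], 0) + 1
    return {"total": len(findings), "by_severity": by_sev, "by_scanner": by_scanner}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```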