Skip to content

feat: mcpm audit --sarif — SARIF 2.1.0 for GitHub code-scanning (D3)#123

Merged
m1ngshum merged 1 commit into
mainfrom
feat/audit-sarif-d3
Jul 3, 2026
Merged

feat: mcpm audit --sarif — SARIF 2.1.0 for GitHub code-scanning (D3)#123
m1ngshum merged 1 commit into
mainfrom
feat/audit-sarif-d3

Conversation

@m1ngshum

@m1ngshum m1ngshum commented Jul 3, 2026

Copy link
Copy Markdown
Member

What

Wave-1 item D3: mcpm audit --sarif emits a SARIF 2.1.0 report that GitHub code-scanning ingests (github/codeql-action/upload-sarif).

Changes

  • src/output/sarif.ts (new, pure)buildSarif(servers, version):
    • one rule per real Finding.type — a TS-exhaustive Record<Finding["type"], …>, so adding a finding type without a rule fails the build (there are 8 types now, not the roadmap's "7" — the union grew)
    • one result per finding, anchored file-level to mcpm.yaml with no region/line (audit scans installed servers — there's no source line, and a fabricated one would be a lie), plus a logicalLocation naming the server
    • severity → SARIF level (critical/higherror, mediumwarning, lownote)
    • stable partialFingerprints (server:type:sha256(message)[:12]) so GitHub tracks the same alert across runs
  • audit --sarif — a report-only branch beside --json. Never fixes (even with --fix); exit code matches audit's contract (1 when risky). __PKG_VERSION__ (tsup define) is typeof-guarded for non-bundled test runs.
  • README — documents the upload-sarif + if: always() workflow.

Scope

Per the roadmap, cut guard-events SARIF (no repo artifact to anchor; that export story is E2).

Tests & verification

  • sarif.test.ts (6): envelope, rule-per-type catalog, finding→result mapping, severity→level, file-level anchor (asserts no region), stable/distinct fingerprints, multi-server flatten.
  • audit.test.ts (+2): --sarif emits SARIF + exit 1 when risky (and never touches the store), and a clean scan → 0 results + exit 0 with the full rule catalog.
  • Full suite 1949/1949; typecheck + lint clean.
  • End-to-end on the built CLI: real driver version, 8 rules, results present.

Docs

CHANGELOG [Unreleased], ROADMAP-ADOPTION (D3 → ✅ SHIPPED), README (audit row + code-scanning snippet), CLAUDE.md decisions log.

Pure src/output/sarif.ts mapper beside the existing --json branch. One SARIF
rule per real Finding.type (TS-exhaustive Record — a new type fails the build).
Each finding becomes a result anchored file-level to mcpm.yaml (audit scans
installed servers, which have no source line — a fabricated line would be a
lie), with a logicalLocation naming the server, severity mapped to SARIF
error/warning/note, and a stable partialFingerprints so GitHub tracks the same
alert across runs. Report-only (never fixes); exit code matches audit (risky→1).

README documents the upload-sarif + if: always() code-scanning workflow.
__PKG_VERSION__ (tsup define) is typeof-guarded for non-bundled test runs.

Verified e2e on the built CLI (real version, 8 rules); 1949 tests green.
@m1ngshum m1ngshum merged commit 0e56ec8 into main Jul 3, 2026
8 checks passed
@m1ngshum m1ngshum deleted the feat/audit-sarif-d3 branch July 3, 2026 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant