Epic: #75
Target: gitgalaxy/recorders/sarif_recorder.py & galaxyscope.py

Context & Strategic Value

To be adopted by enterprise engineering teams, GitGalaxy cannot force users to learn a new dashboard. We must bring our findings directly to the developer's pull request. By exporting our Structural Signatures and Risk Vectors into the OASIS-compliant SARIF format, GitHub Advanced Security (GHAS), GitLab, and Azure DevOps will automatically ingest our telemetry and annotate code in real-time.

Implementation Tasks

- Create gitgalaxy/recorders/sarif_recorder.py.
- Emit a SARIF log with version: "2.1.0" and a runs array.
- Populate the tool.driver.rules array: each high_risk_execution spike becomes a formalized rule object.
- Map hit_vector coordinates into SARIF physicalLocation blocks (startLine/endLine).
- Update galaxyscope.py to import SarifRecorder. Append it to the final export block alongside JSON and SQLite to generate gitgalaxy_results.sarif by default.

Validation

Run a local scan generating the .sarif file. Upload it to a test GitHub repository using the github/codeql-action/upload-sarif action. Verify that GitGalaxy risk findings appear natively under the "Security" tab and inline on PR diffs.
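As an added illustration of the implementation tasks above (not code from the GitGalaxy project), the following sketch builds a SARIF 2.1.0 log with a runs array, a tool.driver.rules entry per rule id, and physicalLocation regions with startLine/endLine. The finding field names (rule, level, message, file, start_line, end_line) are assumed for the example and are not the project's real hit_vector schema; the region check mirrors GitHub's requirement that startLine be at least 1 and endLine not precede it.

```python
import json

# Constructed sample findings in the shape this example assumes a GitGalaxy
# hit_vector carries (hypothetical field names, not the project's schema).
SAMPLE_FINDINGS = [
    {"rule": "high_risk_execution", "level": "error",
     "message": "Untrusted input reaches a subprocess call",
     "file": "app/runner.py", "start_line": 42, "end_line": 45},
    {"rule": "high_risk_execution", "level": "warning",
     "message": "Dynamic import of a module name taken from config",
     "file": "app/plugins.py", "start_line": 10, "end_line": 10},
]


def build_sarif(findings, tool_name="GitGalaxy", tool_version="0.0.0"):
    """Return a SARIF 2.1.0 log (as a dict) with one run covering the findings."""
    rule_ids = []  # insertion order defines each rule's index in tool.driver.rules
    rules, results = [], []
    for f in findings:
        # Code scanning rejects regions with startLine < 1 or endLine < startLine;
        # fail here rather than produce an upload that is refused later.
        if f["start_line"] < 1 or f["end_line"] < f["start_line"]:
            raise ValueError(f"invalid region in {f['file']}: "
                             f"{f['start_line']}-{f['end_line']}")
        if f["rule"] not in rule_ids:  # one formalized rule object per rule id
            rule_ids.append(f["rule"])
            rules.append({
                "id": f["rule"],
                "shortDescription": {"text": f["rule"].replace("_", " ")},
                "defaultConfiguration": {"level": f["level"]},
            })
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": rule_ids.index(f["rule"]),
            "level": f["level"],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # %SRCROOT% lets the ingesting service resolve the path against the repo root
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["start_line"], "endLine": f["end_line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": rules}},
                  "results": results}],
    }


def write_sarif(findings, path="gitgalaxy_results.sarif"):
    """Serialize the log to disk; returns the number of results written."""
    log = build_sarif(findings)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(log, fh, indent=2)
    return len(log["runs"][0]["results"])
```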