zizmorcore
diff --git a/‎Cargo.lock
Lines changed: 168 additions & 8 deletions b/‎Cargo.lock
Lines changed: 168 additions & 8 deletions
diff --git a/‎Cargo.toml
Lines changed: 3 additions & 0 deletions b/‎Cargo.toml
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/main.rs
Lines changed: 10 additions & 4 deletions b/‎src/main.rs
Lines changed: 10 additions & 4 deletions
@@ -2,6 +2,8 @@
 name = "zizmor"
 version = "0.1.0"
 edition = "2021"
+repository = "https://github.com/woodruffw/zizmor"
+homepage = "https://github.com/woodruffw/zizmor"
 
 [dependencies]
 anyhow = "1.0.86"
@@ -13,6 +15,7 @@ log = "0.4.22"
 regex = "1.10.6"
 reqwest = { version = "0.12.7", features = ["blocking", "json"] }
 serde = { version = "1.0.208", features = ["derive"] }
+serde-sarif = "0.6.5"
 serde_json = "1.0.125"
 serde_yaml = "0.9.34"
 tree-sitter = "0.22.6"
 
@@ -9,6 +9,7 @@ mod audit;
 mod finding;
 mod github_api;
 mod models;
+mod sarif;
 mod utils;
 
 /// A tool to detect "ArtiPACKED"-type credential disclosures in GitHub Actions.
@@ -103,13 +104,18 @@ fn main() -> Result<()> {
     for workflow in workflows.iter() {
         // TODO: Proper abstraction for multiple audits here.
         for audit in audits.iter_mut() {
-            for finding in audit.audit(workflow)? {
-                results.push(finding);
-            }
+            results.extend(audit.audit(workflow)?);
         }
     }
 
-    serde_json::to_writer_pretty(stdout(), &results)?;
+    match args.format {
+        None | Some(OutputFormat::Json) | Some(OutputFormat::Plain) => {
+            serde_json::to_writer_pretty(stdout(), &results)?;
+        }
+        Some(OutputFormat::Sarif) => {
+            serde_json::to_writer_pretty(stdout(), &sarif::build(results))?;
+        }
+    }
 
     Ok(())
 }