Add support for SARIF file output

Signed-off-by: lelia <lelia@socket.dev>

Author: lelia

socketsecurity/config.py

@@ -40,6 +40,7 @@ class CliConfig:
     allow_unverified: bool = False
     enable_json: bool = False
     enable_sarif: bool = False
+    sarif_file: Optional[str] = None
     enable_gitlab_security: bool = False
     gitlab_security_file: Optional[str] = None
     disable_overview: bool = False
@@ -103,6 +104,10 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             args.api_token
         )
 
+        # --sarif-file implies --enable-sarif
+        if args.sarif_file:
+            args.enable_sarif = True
+
         # Strip quotes from commit message if present
         commit_message = args.commit_message
         if commit_message and commit_message.startswith('"') and commit_message.endswith('"'):
@@ -126,6 +131,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'allow_unverified': args.allow_unverified,
             'enable_json': args.enable_json,
             'enable_sarif': args.enable_sarif,
+            'sarif_file': args.sarif_file,
             'enable_gitlab_security': args.enable_gitlab_security,
             'gitlab_security_file': args.gitlab_security_file,
             'disable_overview': args.disable_overview,
@@ -471,6 +477,13 @@ def create_argument_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Enable SARIF output of results instead of table or JSON format"
     )
+    output_group.add_argument(
+        "--sarif-file",
+        dest="sarif_file",
+        metavar="<path>",
+        default=None,
+        help="Output file path for SARIF report (implies --enable-sarif)"
+    )
     output_group.add_argument(
         "--enable-gitlab-security",
         dest="enable_gitlab_security",

socketsecurity/output.py

@@ -139,6 +139,7 @@ def output_console_json(self, diff_report: Diff, sbom_file_name: Optional[str] =
     def output_console_sarif(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None:
         """
         Generate SARIF output from the diff report and print to console.
+        If --sarif-file is configured, also save to file.
         """
         if diff_report.id != "NO_DIFF_RAN":
             # Generate the SARIF structure using Messages
@@ -147,6 +148,14 @@ def output_console_sarif(self, diff_report: Diff, sbom_file_name: Optional[str]
             # Print the SARIF output to the console in JSON format
             print(json.dumps(console_security_comment, indent=2))
 
+            # Save to file if --sarif-file is specified
+            if self.config.sarif_file:
+                sarif_path = Path(self.config.sarif_file)
+                sarif_path.parent.mkdir(parents=True, exist_ok=True)
+                with open(sarif_path, "w") as f:
+                    json.dump(console_security_comment, f, indent=2)
+                self.logger.info(f"SARIF report saved to {self.config.sarif_file}")
+
     def report_pass(self, diff_report: Diff) -> bool:
         """Determines if the report passes security checks"""
         # Priority 1: --disable-blocking always passes