SARIF Issue Reporter
Analyze SARIF files and generate comprehensive security reports.
Target: $ARGUMENTS (path to SARIF file)
When to Use This Skill
- Reviewing static analysis results from security scanners
- Generating vulnerability reports with CVSS scoring
- Validating SAST findings (true vs false positives)
- Mapping vulnerabilities to compliance frameworks
- Creating remediation guidance with code examples
Core Capabilities
| Capability | Description |
|---|---|
| SARIF Parsing | Read SARIF 2.1.0 format from any scanner |
| Verification | Confirm findings, identify false positives |
| CVSS Scoring | Calculate scores with vector strings |
| Standards Mapping | OWASP, CWE, CAPEC, compliance frameworks |
| Remediation | Code examples and implementation steps |
Workflow
Phase 1: Parse SARIF
- Load SARIF file at $ARGUMENTS
- Extract tool metadata from
runs[].tool.driver - Get all results from
runs[].results[] - Categorize by severity level
Phase 2: Verify Each Issue
- Extract: Location, snippet, codeFlows, related locations
- Verify: Confirm issue exists, check for false positives, assess exploitability
- Enhance: Request additional code context if needed
Phase 3: Security Assessment
CVSS 3.1 Scoring - Calculate and justify each metric:
- Attack Vector (AV): N/A/L/P
- Attack Complexity (AC): L/H
- Privileges Required (PR): N/L/H
- User Interaction (UI): N/R
- Scope (S): U/C
- Impact (C/I/A): N/L/H each
Vector format: CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_
Impact Analysis: Technical impact, business impact, exploitability, affected assets.
Phase 4: Standards Mapping
Map each verified issue to:
| Standard | Action |
|---|---|
| OWASP Top 10 | Identify category (A01-A10) |
| CWE | Specific ID + parent/child |
| CAPEC | Attack patterns |
| Compliance | PCI-DSS, GDPR, SOC 2, HIPAA, ISO 27001, NIST |
Reference: OWASP Top 10 | CWE | CAPEC
Phase 5: Report Generation
For each verified issue, generate this report structure:
## [ISSUE-XXX] {Title}
**Severity**: {Critical|High|Medium|Low} | **CVSS**: {Score} ({Vector}) | **Status**: Verified
### Summary
{2-3 sentence overview}
### Code Evidence
**Location**: `{file}:{line}`
```{language}
{code snippet with context}
Exploitation
Attack Vector: {Description} PoC: {Example exploit code or request} Prerequisites: {What attacker needs}
Impact
- C/I/A: {Confidentiality/Integrity/Availability impacts}
- Business: {Consequences}
Standards Mapping
- OWASP: {Category}
- CWE: CWE-{ID}
- CAPEC: CAPEC-{ID}
- Compliance: {PCI-DSS/GDPR/SOC2 requirements}
Security Patterns Violated
- {Pattern}: Expected {X}, found {Y}
Remediation
Priority: {Level}
{Fix code}
Steps: {Implementation guidance}
Validation
{Test commands or verification steps}
## Implementation Steps
1. **Load SARIF** - Parse JSON at $ARGUMENTS path
2. **Extract Issues** - Get `runs[].results[]` array
3. **For Each Issue**:
- Get location from `physicalLocation`
- Read code context if snippet missing
- Verify finding exists in source
- Calculate CVSS with justification
- Map to standards (OWASP/CWE/CAPEC)
- Generate remediation code
4. **Output Report** - Markdown format (primary)
### Quality Checklist
Before finalizing each issue:
- [ ] CVSS score calculated with justification
- [ ] Code evidence with context
- [ ] Realistic exploitation scenario
- [ ] Security pattern identified
- [ ] OWASP/CWE/CAPEC mapped
- [ ] Working remediation code
**SARIF Reference**: [SARIF 2.1.0 Spec](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)
## Example Usage
User: Analyze results.sarif and report critical/high issues Claude:
- Parse SARIF → 2. Filter by severity → 3. Verify each finding
- Calculate CVSS → 5. Map to standards → 6. Generate report
## Best Practices
| Practice | Why |
|----------|-----|
| Always verify | SAST tools produce false positives |
| Realistic exploitation | Theoretical attacks aren't useful |
| Working remediation code | Not pseudo-code |
| Complete standards mapping | OWASP/CWE/CAPEC/Compliance |
| Sufficient code context | Understand the full picture |
## Executive Summary Template
```markdown
# Security Analysis Report
**Tool**: {name} | **Date**: {date} | **Scope**: {files scanned}
## Overview
| Metric | Count |
|--------|-------|
| Total Issues | {n} |
| Verified | {n} |
| False Positives | {n} |
## Severity Distribution
Critical (9.0-10.0): {n} | High (7.0-8.9): {n} | Medium (4.0-6.9): {n} | Low (0.1-3.9): {n}
## Top Risks
1. {Issue} - CVSS {score}
2. {Issue} - CVSS {score}
3. {Issue} - CVSS {score}
Anti-Patterns
- Reporting unverified issues
- Generic remediation advice
- Missing exploitation scenarios
- Incomplete CVSS justification
- Ignoring code context
Success Criteria
- All critical/high issues verified
- CVSS scores justified
- Working exploitation examples
- Production-ready remediation code
- Complete standards mapping
References
Helper script available: scripts/sarif_helper.py