
feat: implement JSON and SARIF structured output modes #9

Merged
PrasanthYT merged 1 commit into main from feature/structured-output-and-sarif
Mar 2, 2026

Conversation

@PrasanthYT (Contributor)

Overview

This PR introduces structured output capabilities to Scanr, enabling automation-ready JSON output and SARIF security reporting compatible with GitHub Code Scanning.

This milestone transitions Scanr from a developer CLI into a DevSecOps-compatible security tool.


JSON Output Mode (--json)

CLI Usage

scanr scan . --json

Behavior

  • Suppresses formatted CLI output

  • Outputs canonical ScanResult JSON

  • No color formatting

  • No debug logs

  • Deterministic ordering

Core Model

use serde::Serialize;

#[derive(Serialize)]
struct ScanResult {
    total_dependencies: u32,             // dependencies examined
    vulnerabilities: Vec<Vulnerability>, // one entry per finding
    risk_score: u32,                     // aggregate risk score
    severity_summary: SeveritySummary,   // counts per severity level
}

All core models derive Serialize.

Output can be piped:

scanr scan . --json > report.json

SARIF Output (--sarif)

CLI Usage

scanr scan . --sarif

Behavior

  • Converts vulnerabilities into SARIF v2.1.0 format

  • Outputs valid SARIF JSON

  • Compatible with GitHub Security tab

Severity Mapping

Scanr Severity | SARIF Level
-- | --
Critical | error
High | error
Medium | warning
Low | note

Each result includes:

  • Rule ID (CVE ID)

  • Message

  • Logical location (dependency file path)

  • Tool metadata:

    • Name: Scanr

    • Version

    • Information URI
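
An added illustration of the two output modes described above (the --json model and the --sarif conversion), written here in Python so it runs stand-alone; it is not Scanr's own code. ScanResult mirrors the four-field struct in the PR text; the Vulnerability field names, the manifest path, the tool version and the informationUri are assumptions, and the CVE ids in the sample input are constructed placeholders. It also shows two things the PR asserts but does not spell out: how deterministic ordering is obtained (sorted findings, sorted keys) and a cheap structural check of the SARIF document before it is uploaded to Code Scanning.

```python
"""Added example, not Scanr's code: --json and --sarif output modes."""
import json
from dataclasses import dataclass, asdict

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# Severity table from the PR; anything outside it is rejected, never downgraded.
SARIF_LEVEL = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}
VALID_LEVELS = {"error", "warning", "note", "none"}


@dataclass(frozen=True)
class Vulnerability:  # field names are assumed; the PR only mentions CVE id and message
    cve_id: str
    package: str
    version: str
    severity: str
    summary: str


@dataclass
class ScanResult:  # same four fields as the struct in the PR description
    total_dependencies: int
    vulnerabilities: list
    risk_score: int
    severity_summary: dict


def severity_summary(vulns):
    counts = {k: 0 for k in SARIF_LEVEL}
    for v in vulns:
        counts[v.severity] += 1  # KeyError on an unknown severity is intentional
    return counts


def sorted_vulns(vulns):
    # Deterministic ordering: the same findings always serialize the same way.
    return sorted(vulns, key=lambda v: (v.cve_id, v.package, v.version))


def to_json(result):
    """--json mode: canonical ScanResult with sorted keys and sorted findings."""
    payload = asdict(result)
    payload["vulnerabilities"] = [asdict(v) for v in sorted_vulns(result.vulnerabilities)]
    return json.dumps(payload, sort_keys=True, indent=2)


def severity_to_level(severity):
    if severity not in SARIF_LEVEL:
        raise ValueError(f"unmapped severity {severity!r}")
    return SARIF_LEVEL[severity]


def to_sarif(result, manifest_path, tool_version, info_uri):
    """--sarif mode: one run, one rule per CVE id, one result per finding."""
    vulns = sorted_vulns(result.vulnerabilities)
    rules = {}
    for v in vulns:
        rules.setdefault(v.cve_id, {"id": v.cve_id, "shortDescription": {"text": v.summary}})
    results = [{
        "ruleId": v.cve_id,
        "level": severity_to_level(v.severity),
        "message": {"text": f"{v.package} {v.version}: {v.summary}"},
        # GitHub places the alert using a physicalLocation with a repo-relative uri.
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": manifest_path}}}],
    } for v in vulns]
    driver = {"name": "Scanr", "version": tool_version,
              "informationUri": info_uri, "rules": list(rules.values())}
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}


def check_sarif(doc):
    """Structural pre-upload check; returns a list of problems (empty means ok)."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = doc.get("runs") or []
    if not runs:
        return problems + ["no runs"]
    driver = runs[0].get("tool", {}).get("driver", {})
    for key in ("name", "version", "informationUri"):
        if not driver.get(key):
            problems.append(f"driver.{key} missing")
    rule_ids = {r.get("id") for r in driver.get("rules", [])}
    for i, r in enumerate(runs[0].get("results", [])):
        if r.get("ruleId") not in rule_ids:
            problems.append(f"results[{i}].ruleId not declared in driver.rules")
        if r.get("level") not in VALID_LEVELS:
            problems.append(f"results[{i}].level invalid")
        if not r.get("message", {}).get("text"):
            problems.append(f"results[{i}].message.text missing")
        locs = r.get("locations") or []
        if not locs or not locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri"):
            problems.append(f"results[{i}] has no physicalLocation uri")
    return problems


def sample_result():
    # Constructed input; the CVE ids are placeholders, not real advisories.
    vulns = [
        Vulnerability("CVE-0000-0002", "alpha-crate", "1.2.0", "High", "placeholder high finding"),
        Vulnerability("CVE-0000-0001", "beta-crate", "0.9.1", "Medium", "placeholder medium finding"),
        Vulnerability("CVE-0000-0003", "gamma-crate", "3.0.0", "Low", "placeholder low finding"),
    ]
    return ScanResult(42, vulns, 17, severity_summary(vulns))


if __name__ == "__main__":
    res = sample_result()
    print(to_json(res))
    sarif = to_sarif(res, "Cargo.lock", "0.0.0-example", "https://example.invalid/scanr")
    print(json.dumps(sarif, sort_keys=True, indent=2))
    print("sarif problems:", check_sarif(sarif))
```

The mapping function raises on a severity it does not know rather than defaulting to "note", so a new severity added upstream fails the build instead of silently producing under-rated alerts; check_sarif catches the failure modes that most often make a Code Scanning upload be rejected (undeclared ruleId, missing location uri, bad level) before the upload step runs.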


Validation

  • scanr scan . --json returns valid JSON

  • Output deterministic and machine-readable

  • SARIF validated against schema

  • SARIF successfully imports into GitHub Security tab

  • cargo build --workspace --release passes


Impact

  • Enables CI/CD automation

  • Supports pipeline integration

  • Compatible with GitHub Code Scanning

  • Production-grade structured reporting

  • Increases enterprise adoption readiness

No breaking changes.


🎯 Why This Milestone Matters

This milestone makes Scanr:

  • Automation-ready

  • DevSecOps-compatible

  • CI-native

  • Enterprise-integrable

It transforms Scanr from a CLI scanner into a security pipeline component.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@PrasanthYT PrasanthYT merged commit 93844bd into main Mar 2, 2026
4 checks passed