From 1c4bb6a7282eca6d694df815f3fc05b9dabe9e9a Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin <alexis@boostsecurity.io>
Date: Mon, 27 Oct 2025 15:28:33 -0400
Subject: [PATCH] only add provenance if git url is good

---
 formatters/sarif/sarif.go | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/formatters/sarif/sarif.go b/formatters/sarif/sarif.go
index 28a862c..d54dfef 100644
--- a/formatters/sarif/sarif.go
+++ b/formatters/sarif/sarif.go
@@ -50,17 +50,15 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 
 		sourceGitRepoURI := pkg.GetSourceGitRepoURI()
 
-		versionControlProvenance := sarif.NewVersionControlDetails().
-			WithRevisionID(pkg.SourceGitCommitSha).
-			WithBranch(pkg.SourceGitRef)
-
 		if IsValidGitURL(sourceGitRepoURI) {
-			versionControlProvenance = versionControlProvenance.
+			versionControlProvenance := sarif.NewVersionControlDetails().
+				WithRevisionID(pkg.SourceGitCommitSha).
+				WithBranch(pkg.SourceGitRef).
 				WithRepositoryURI(sourceGitRepoURI)
+			run.AddVersionControlProvenance(
+				versionControlProvenance,
+			)
 		}
-		run.AddVersionControlProvenance(
-			versionControlProvenance,
-		)
 
 		findingsByPurl := make(map[string][]results.Finding)
 		for _, finding := range pkg.FindingsResults.Findings {