Supporting SARIF output

[NickLiffen]

Hello 👋

My name is Nick, I am one of the architects here at GitHub 👋 lovely to meet you all 👋

Firstly, love what you are doing here 💯

I am working on advanced security and one thing that we are starting to see is people want to integrate stan with Code Scanning.

tl;dr code scanning is a service that allows customers to integrate the output of security tools (and quality tools) into GitHub so they don't need to go between multiple tools, and it's all represented in the same way.

The one requirement is data is outputted from the tool within SARIF . Think of SARIF as a structured JSON object that tells us what the vulnerabilities are, and where they are found.

I see this tool supports: [--json-output], it would be great if it supported [--sarif-output] and we could then pass this SARIF either to the upload SARIF action, or the upload SARIF API.

The SARIF support docs are here for GitHub, and tells you what is needed :)

Taking a quick look through the code, we can see you have a lot of the data needed for the output, you would just need to structure it in the right way to be SARIF compliant. I would love to contribute but my Haskell knowledge is not up to par here 😢

I wondered if this is something you would be willing to add as a feature request? ❤️

Here is an example PR that adds SARIF for another tool, you can see other tools that support SARIF here: [Security Workflows(https://github.com/kowainik/stan/actions/new?category=security), if you would like to see how other tools do it 👍 (would also love to add you to this list if you did end up supporting SARIF ❤️

Anyways, thanks for hearing me out :)