feat(sdk): enrich SARIF output with markdown help, descriptive rule names, and secret line numbers

- Use CheckTitle for rule.name instead of duplicating rule.id - Add help.markdown with severity table, remediation text, and link - Fix secret findings missing line numbers by reading top-level StartLine/EndLine from Trivy output
2026-04-14 16:50:04 +00:00 · 2026-04-10 08:38:07 +02:00
parent cc658fc958
commit b28d6a4fcc
2 changed files with 26 additions and 10 deletions
--- a/prowler/lib/check/models.py
+++ b/prowler/lib/check/models.py
@@ -1094,15 +1094,10 @@ class CheckReportIAC(Check_Report):

        self.resource = finding
        self.resource_name = file_path
-        self.resource_line_range = (
-            (
-                str(finding.get("CauseMetadata", {}).get("StartLine", ""))
-                + ":"
-                + str(finding.get("CauseMetadata", {}).get("EndLine", ""))
-            )
-            if finding.get("CauseMetadata", {}).get("StartLine", "")
-            else ""
-        )
+        cause = finding.get("CauseMetadata", {})
+        start = cause.get("StartLine") or finding.get("StartLine")
+        end = cause.get("EndLine") or finding.get("EndLine")
+        self.resource_line_range = f"{start}:{end}" if start else ""


@dataclass
--- a/prowler/lib/outputs/sarif/sarif.py
+++ b/prowler/lib/outputs/sarif/sarif.py
@@ -54,7 +54,7 @@ class SARIF(Output):
                rule_indices[check_id] = len(rules)
                rule = {
                    "id": check_id,
-                    "name": check_id,
+                    "name": finding.metadata.CheckTitle,
                    "shortDescription": {"text": finding.metadata.CheckTitle},
                    "fullDescription": {
                        "text": finding.metadata.Description or check_id
@@ -63,6 +63,7 @@ class SARIF(Output):
                        "text": finding.metadata.Remediation.Recommendation.Text
                        or finding.metadata.Description
                        or check_id,
+                        "markdown": self._build_help_markdown(finding, severity),
                    },
                    "defaultConfiguration": {
                        "level": SEVERITY_TO_SARIF_LEVEL.get(severity, "note"),
@@ -134,6 +135,26 @@ class SARIF(Output):
                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )

+    @staticmethod
+    def _build_help_markdown(finding: Finding, severity: str) -> str:
+        """Build a markdown help string for a SARIF rule."""
+        remediation = (
+            finding.metadata.Remediation.Recommendation.Text
+            or finding.metadata.Description
+            or finding.metadata.CheckID
+        )
+        lines = [
+            f"**{finding.metadata.CheckTitle}**\n",
+            f"| Severity | Remediation |",
+            f"| --- | --- |",
+            f"| {severity.upper()} | {remediation} |",
+        ]
+        if finding.metadata.RelatedUrl:
+            lines.append(
+                f"\n[More info]({finding.metadata.RelatedUrl})"
+            )
+        return "\n".join(lines)
+
    @staticmethod
    def _build_location(finding: Finding) -> Optional[dict]:
        """Build a SARIF physicalLocation from a Finding.