still_active 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7aee27885f6f98048897a021e6fca1f60f991a6c7812d125c5ed61fa497a691
-  data.tar.gz: 75c494745c87bb74f9e5c770cb374d98746727c103eb7393b1e838c9495daefe
+  metadata.gz: be6f4e86c6afb3564385acfaf5733cecc38845c300a8a2ef624d0b267cc93a94
+  data.tar.gz: ec381b31257189f8f171bb5bdc4f318dfd0edd03cba957dd58b3400935ab5898
 SHA512:
-  metadata.gz: 6864d20e743742e1da0a8f5dc8353444ece8593fa541733414404297b06c370e6ef620528d0303b01348548d15a5f619f1d98a8d48dd0405200823a97c46665d
-  data.tar.gz: 9bf1c0e5c85375bf23ad38704b4c45166793a261967749e6b434b07be4984b157ad5da166cfc8670618aacae08ebdc152f9e2a020985907d240abe789b5d45d9
+  metadata.gz: dcb580e83cedb482f05fe6a2cfebc91190050339dfb4a0986075d4cc28c6f9788d96efa86a66a7a28c22d248e6b15305d78f2e7f7bcd09c82ad0e9fbbed5fd0f
+  data.tar.gz: df4d1a5980ddb05e8cdb5c781ee72941ba4477fa71c101db6b03e089d0ffd2c8571803590467d8796841214d2fda6f9c40865ea7c16c58fcb89d632efd825cdc

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [1.4.0] - 2026-05-22
+
+### Added
+
+- `--sarif[=PATH]` emits SARIF 2.1.0 for GitHub Code Scanning. Findings appear in the Security tab and as inline annotations on `Gemfile.lock` in pull requests. Default path: `still_active.sarif.json` (pair with `github/codeql-action/upload-sarif@v3`). `--sarif=-` writes to stdout. Rule reference (SA001–SA007) in `docs/rules.md`. Stable `partialFingerprints` (rule + gem + advisory) keep alert IDs constant across `bundle update`s.
+- `--baseline=FILE` compares the current run against a baseline still_active JSON snapshot and emits a markdown delta report. Designed for PR review: surfaces regressions (new vulns, newly-archived deps, scorecard drops crossing OSSF's 7.0 threshold, libyear growth on unchanged versions, Ruby newly EOL). Exits 1 if any regression is detected, 2 on a malformed or unsupported baseline.
+- GitHub token cascade: discovers token from `--github-oauth-token`, `GITHUB_TOKEN`, `GH_TOKEN`, or `gh auth token` in that order. GitLab cascade mirrors it (`--gitlab-token`, `GITLAB_TOKEN`, `glab auth status --hostname=gitlab.com --show-token`). Eliminates the "why am I rate limited?" friction on local runs when `gh`/`glab` are already authed.
+- JSON output gains `schema_version`, `tool`, and `generated_at` keys on top of the existing `{gems, ruby}` envelope (shipped since 1.1). Purely additive — existing consumers reading `payload["gems"][name]` continue to work. See `docs/schema.md`.
+
 ## [1.3.0] - 2026-04-08
 
 ### Changed

data/README.md

@@ -26,25 +26,23 @@ Ruby 4.0.1 (latest)
 
 ## Why `still_active`?
 
-Most dependency tools answer one question. `still_active` answers all of them at once:
-
-|                              | `bundle outdated` | `bundler-audit` | `libyear-bundler` | **`still_active`**           |
-| ---------------------------- | ----------------- | --------------- | ----------------- | ---------------------------- |
-| Outdated versions            | Yes               | -               | Yes               | **Yes**                      |
-| Known vulnerabilities (CVEs) | -                 | Yes             | -                 | **Yes** (with severity)      |
-| OpenSSF Scorecard            | -                 | -               | -                 | **Yes**                      |
-| Last commit activity         | -                 | -               | -                 | **Yes**                      |
-| Libyear drift                | -                 | -               | Yes               | **Yes**                      |
-| Archived repo detection      | -                 | -               | -                 | **Yes**                      |
-| Yanked version detection     | -                 | -               | -                 | **Yes**                      |
-| Ruby version freshness       | -                 | -               | -                 | **Yes** (EOL + libyear)      |
-| Git/path/GH Packages sources | -                 | -               | -                 | **Yes**                      |
-| GitLab support               | -                 | -               | -                 | **Yes**                      |
-| CI quality gates             | -                 | Exit code       | -                 | **Yes** (5 modes)            |
-| Multiple output formats      | -                 | -               | -                 | **Terminal, JSON, Markdown** |
-| Single command               | Yes               | Yes             | Yes               | **Yes**                      |
-
-`still_active` tells you whether a dependency is outdated, insecure, _and_ abandoned -- not just one of the three.
+`still_active` is **complementary to** -- not a replacement for -- the established Ruby tooling. `bundle outdated`, `bundler-audit`, and `libyear-bundler` are purpose-built and battle-tested at what they do. `still_active` answers a different question: **is anyone still maintaining this gem?** -- and folds in the version/CVE/libyear signals so you get one report instead of three.
+
+|                              | `bundle outdated` | `bundler-audit`        | `libyear-bundler` | **`still_active`**       |
+| ---------------------------- | ----------------- | ---------------------- | ----------------- | ------------------------ |
+| Outdated versions            | Yes               | -                      | Yes               | Yes                      |
+| Known vulnerabilities (CVEs) | -                 | Yes (ruby-advisory-db) | -                 | Yes (deps.dev)           |
+| Libyear drift                | -                 | -                      | Yes               | Yes                      |
+| **Last commit activity**     | -                 | -                      | -                 | **Yes**                  |
+| **Archived repo detection**  | -                 | -                      | -                 | **Yes**                  |
+| **OpenSSF Scorecard**        | -                 | -                      | -                 | **Yes**                  |
+| **Yanked version detection** | -                 | -                      | -                 | **Yes**                  |
+| **Ruby version freshness**   | -                 | -                      | -                 | **Yes** (EOL + libyear)  |
+| GitLab support               | -                 | -                      | -                 | Yes                      |
+| CI quality gates             | -                 | Exit code              | -                 | Yes (4 flags)            |
+| Output formats               | Text              | Text                   | Text              | Terminal, JSON, Markdown |
+
+The bolded rows are the gap `still_active` fills: nobody else answers "is the maintainer still around?" The CVE column is worth a closer look: `bundler-audit` and `still_active` use **different data sources** (`ruby-advisory-db` vs `deps.dev`), so coverage isn't identical. If you care about CVEs in CI, keep running `bundler-audit` alongside `still_active`.
 
 ## Installation
 
@@ -75,7 +73,16 @@ still_active --markdown
 
 ### Authentication
 
-Tokens are read from `GITHUB_TOKEN` and `GITLAB_TOKEN` environment variables by default. Without a GitHub token you will most certainly get rate limited. The GitLab token is optional for public repos but required for private ones. CLI flags override the env vars.
+`still_active` discovers a GitHub token in this order:
+
+1. `--github-oauth-token=TOKEN` CLI flag
+2. `GITHUB_TOKEN` environment variable (CI convention)
+3. `GH_TOKEN` environment variable (`gh` CLI convention)
+4. `gh auth token` (if `gh` is installed and authenticated)
+
+Without a token, GitHub API calls are unauthenticated and rate-limited to 60 requests/hour — you will hit the limit on anything beyond a handful of gems. With a token the limit is 5000 requests/hour.
+
+GitLab cascade mirrors GitHub: `--gitlab-token` → `GITLAB_TOKEN` → `glab auth status --show-token`. Optional for public repos, required for private ones.
 
 ### CLI options
 
@@ -89,6 +96,8 @@ Usage: still_active [options]
         --terminal                   Coloured terminal output (default in TTY)
         --markdown                   Markdown table output
         --json                       JSON output (default when piped)
+        --sarif[=PATH]               SARIF 2.1.0 output for GitHub Code Scanning
+        --baseline=PATH              Compare current state to baseline JSON; emit markdown deltas
         --github-oauth-token=TOKEN   GitHub OAuth token to make API calls
         --gitlab-token=TOKEN         GitLab personal access token for API calls
         --simultaneous-requests=QTY  Number of simultaneous requests made
@@ -173,6 +182,55 @@ still_active --markdown
 
 **Ruby 4.0.1** (latest) ✅
 
+### SARIF output (GitHub Code Scanning)
+
+Emit findings as SARIF 2.1.0 — they show up in the GitHub Security tab and as inline annotations on `Gemfile.lock` in pull requests.
+
+```bash
+still_active --sarif                       # writes still_active.sarif.json
+still_active --sarif=path/to/out.sarif.json
+still_active --sarif=-                     # stdout
+```
+
+Wire it up in a workflow with `github/codeql-action/upload-sarif`:
+
+```yaml
+permissions:
+  contents: read
+  security-events: write   # required for SARIF upload
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - run: bundle exec still_active --sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: still_active.sarif.json
+```
+
+Rule reference (SA001–SA007) and how to suppress: see [`docs/rules.md`](docs/rules.md).
+
+### Baseline diff (PR review)
+
+`--baseline=FILE` compares the current run against a previously captured JSON snapshot and emits a markdown delta report. Designed for the PR question reviewers actually ask: **what got worse?**
+
+```bash
+# Locally — capture from main, compare to your branch
+git checkout main && still_active --json > /tmp/main.json
+git checkout my-branch && still_active --baseline=/tmp/main.json
+```
+
+In CI, capture a baseline on main and compare on PR branches. Exits 1 if any regression is detected (new vulns, newly-archived deps, scorecard drops crossing 7.0, libyear growth on unchanged versions, Ruby newly EOL, etc.).
+
+The diff supersedes `--sarif`, `--terminal`, `--markdown`, and `--json` when set.
+
 ### CI quality gating
 
 Use exit-code flags to fail CI pipelines based on dependency status:
@@ -223,7 +281,9 @@ Activity is determined by the most recent signal across last commit date, latest
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies and wire git hooks. Then run `rake` to run the full lint + test suite (`rake spec` for just tests, `rake rubocop` for just lint). You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+A pre-push hook runs `rake` automatically before each `git push`, so cross-file rubocop rules don't escape to CI. Skip with `git push --no-verify` if you really need to.
 
 To install this gem onto your local machine, run `bundle exec rake install`. New versions are published automatically to [rubygems.org](https://rubygems.org) when a GitHub Release is created (via trusted publishing).
 

data/lib/helpers/diff_markdown_helper.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+module StillActive
+  # Renders a StillActive::Diff::Result as PR-comment-friendly markdown.
+  # Section taxonomy mirrors GitHub's dependency-review-action so reviewers
+  # already know where to look: Regressions / Added / Removed / Bumps /
+  # Signal changes / Ruby. Empty sections are skipped.
+  module DiffMarkdownHelper
+    extend self
+
+    BUMP_KIND_LABELS = {
+      closed_vulns: "closed vulns",
+      introduced_vulns: "INTRODUCED vulns",
+      fresher: "fresher",
+      older_relative: "older relative to latest",
+      neutral: nil,
+      unknown: nil,
+    }.freeze
+
+    def render(diff)
+      sections = [
+        "## still_active diff",
+        "",
+        summary_line(diff),
+        "",
+        regressions_section(diff.regressions),
+        added_section(diff.added),
+        removed_section(diff.removed),
+        bumps_section(diff.bumped),
+        signal_changes_section(diff.signal_changes),
+        ruby_section(diff.ruby),
+      ].reject(&:empty?)
+
+      "#{sections.join("\n")}\n"
+    end
+
+    private
+
+    def summary_line(diff)
+      [
+        ["regressions", diff.regressions.size],
+        ["added", diff.added.size],
+        ["removed", diff.removed.size],
+        ["bumped", diff.bumped.size],
+        ["signal-changes", diff.signal_changes.size],
+      ].map { |label, n| "#{n} #{label}" }.join(" · ")
+    end
+
+    def regressions_section(regressions)
+      return "" if regressions.empty?
+
+      lines = regressions.map { |r| "- **#{r.kind}** `#{r.gem}` — #{r.detail}" }
+      section("Regressions (CI-failable)", lines)
+    end
+
+    def added_section(added)
+      return "" if added.empty?
+
+      lines = added.map { |a| "- #{format_added(a)}" }
+      section("Added", lines)
+    end
+
+    def removed_section(removed)
+      return "" if removed.empty?
+
+      lines = removed.map { |r| "- `#{r.name}` (was #{(r.data || {})["version_used"] || "?"})" }
+      section("Removed", lines)
+    end
+
+    def bumps_section(bumped)
+      return "" if bumped.empty?
+
+      lines = bumped.map { |b| format_bump(b) }
+      section("Version bumps", lines)
+    end
+
+    def signal_changes_section(signal_changes)
+      return "" if signal_changes.empty?
+
+      lines = signal_changes.flat_map { |sc| format_signal_change_lines(sc) }
+      section("Signal changes (same version)", lines)
+    end
+
+    def ruby_section(ruby)
+      return "" if ruby.nil?
+      return "" unless ruby[:version_changed] || ruby[:newly_eol]
+
+      lines = []
+      if ruby[:version_changed]
+        eol_suffix = ruby[:newly_eol] ? " (now EOL)" : ""
+        lines << "- Ruby `#{ruby[:from]}` → `#{ruby[:to]}`#{eol_suffix}"
+      elsif ruby[:newly_eol]
+        lines << "- Ruby `#{ruby[:to]}` is now EOL"
+      end
+      section("Ruby", lines)
+    end
+
+    def section(title, lines)
+      "### #{title}\n\n#{lines.join("\n")}\n"
+    end
+
+    def format_added(added)
+      data = added.data || {}
+      bits = [
+        data["version_used"] && "v#{data["version_used"]}",
+        data["scorecard_score"] && "OpenSSF #{data["scorecard_score"]}",
+        (data["vulnerability_count"].to_i.positive? ? "#{data["vulnerability_count"]} vulns" : nil),
+        (data["archived"] ? "archived" : nil),
+        data["libyear"] && "#{data["libyear"]}y behind",
+      ].compact
+      "`#{added.name}` (#{bits.join(", ")})"
+    end
+
+    def format_bump(bump)
+      label = BUMP_KIND_LABELS[bump.kind]
+      suffix = label ? " (#{label})" : ""
+      "- `#{bump.name}` #{bump.before_version} → #{bump.after_version}#{suffix}"
+    end
+
+    def format_signal_change_lines(sc)
+      sc.changes.filter_map do |ch|
+        case ch[:kind]
+        when :archived
+          "- `#{sc.name}` — archived (false → true)"
+        when :new_vulnerability
+          ids = Array(ch[:ids]).join(", ")
+          "- `#{sc.name}` — new vulnerability (#{ch[:from]} → #{ch[:to]}#{" — #{ids}" unless ids.empty?})"
+        when :scorecard_dropped
+          note = ch[:crossed_good] ? " (crossed 7.0)" : ""
+          "- `#{sc.name}` — scorecard #{ch[:from]} → #{ch[:to]}#{note}"
+        when :version_yanked
+          "- `#{sc.name}` — version yanked from rubygems"
+        when :libyear_worsened
+          "- `#{sc.name}` — libyear #{ch[:from]} → #{ch[:to]} (+#{ch[:delta]}y; same pinned version)"
+        end
+      end
+    end
+  end
+end

data/lib/helpers/lockfile_indexer.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module StillActive
+  # Maps gem names to line numbers in a Bundler-generated Gemfile.lock.
+  # Used by SARIF output so findings annotate the correct lockfile line.
+  #
+  # We hand-roll the parsing rather than delegating to
+  # Bundler::LockfileParser because the latter is not side-effect-free —
+  # it tries to resolve PLUGIN SOURCE blocks against the installed plugin
+  # registry and raises Bundler::Plugin::UnknownSourceError if a plugin
+  # isn't present in the consuming environment. We just want names + lines.
+  module LockfileIndexer
+    extend self
+
+    # Bundler indents top-level specs with exactly 4 spaces; nested deps get
+    # 6+. \S+ matches what Bundler's own parser accepts (any non-space).
+    TOP_LEVEL_SPEC = /\A    (\S+) \(/
+    # Source blocks Bundler emits — see bundler/lockfile_parser.rb SOURCE constant.
+    BLOCK_HEADER = /\A(GEM|GIT|PATH|PLUGIN SOURCE)\b/
+    SECTION_BREAK = /\A[A-Z]/
+
+    # Returns a Hash mapping gem name -> 1-based line number in `content`.
+    # When a gem appears as both a top-level spec and a nested dep, the
+    # top-level entry wins. Lines outside GEM/GIT/PATH/PLUGIN SOURCE blocks
+    # are ignored.
+    def gem_line_index(content)
+      index = {}
+      in_block = false
+      content.each_line.with_index(1) do |line, lineno|
+        if line.match?(BLOCK_HEADER)
+          in_block = true
+          next
+        end
+        if line.match?(SECTION_BREAK)
+          in_block = false
+          next
+        end
+        next unless in_block
+
+        match = line.match(TOP_LEVEL_SPEC)
+        index[match[1]] = lineno if match
+      end
+      index
+    end
+
+    # Returns the 1-based line number of the Ruby version inside the
+    # RUBY VERSION block (the line *after* the header). Falls back to 1.
+    def ruby_version_line(content)
+      content.each_line.with_index(1) do |line, lineno|
+        return lineno + 1 if line.start_with?("RUBY VERSION")
+      end
+      1
+    end
+  end
+end

data/lib/helpers/sarif_helper.rb

@@ -0,0 +1,232 @@
+# frozen_string_literal: true
+
+require "json"
+require "digest"
+require "time"
+require_relative "../still_active/sarif/rules"
+require_relative "lockfile_indexer"
+
+module StillActive
+  # Renders a still_active workflow result as a SARIF 2.1.0 document.
+  # The output is suitable for upload to GitHub Code Scanning via
+  # github/codeql-action/upload-sarif.
+  module SarifHelper
+    extend self
+
+    SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
+    TOOL_NAME = "still_active"
+    TOOL_URI = "https://github.com/SeanLF/still_active"
+
+    LIBYEAR_THRESHOLD = 1.0
+    SCORECARD_LOW_THRESHOLD = 4.0
+    ABANDONED_SECONDS = 2 * 365 * 24 * 60 * 60 # 2 years
+
+    # result: same hash StillActive::Workflow.call returns (gem_name => gem_data)
+    # ruby_info: optional Ruby freshness hash (or nil)
+    # lockfile_path: path to Gemfile.lock for line annotations
+    # tool_version: StillActive::VERSION at emit time
+    def render(result:, ruby_info:, lockfile_path:, tool_version:)
+      lockfile_content = File.read(lockfile_path)
+      line_index = LockfileIndexer.gem_line_index(lockfile_content)
+      ruby_line = LockfileIndexer.ruby_version_line(lockfile_content)
+      lockfile_uri = File.basename(lockfile_path)
+
+      results = build_results(
+        report: result,
+        ruby_info: ruby_info,
+        line_index: line_index,
+        ruby_line: ruby_line,
+        lockfile_uri: lockfile_uri,
+      )
+
+      JSON.pretty_generate(document(results: results, tool_version: tool_version))
+    end
+
+    private
+
+    def document(results:, tool_version:)
+      {
+        "$schema" => SARIF_SCHEMA,
+        "version" => "2.1.0",
+        "runs" => [{
+          "tool" => {
+            "driver" => {
+              "name" => TOOL_NAME,
+              "semanticVersion" => tool_version,
+              "informationUri" => TOOL_URI,
+              "rules" => sarif_rules,
+            },
+          },
+          "originalUriBaseIds" => { "%SRCROOT%" => { "uri" => "file:///" } },
+          "results" => results,
+          "columnKind" => "utf16CodeUnits",
+        }],
+      }
+    end
+
+    def sarif_rules
+      Sarif::Rules.all.map { |r| sarif_rule(r) }
+    end
+
+    def sarif_rule(r)
+      properties = { "tags" => r[:tags], "precision" => "high" }
+      properties["security-severity"] = r[:security_severity] if r[:security_severity]
+      {
+        "id" => r[:id],
+        "name" => r[:name],
+        "shortDescription" => { "text" => r[:short] },
+        "fullDescription" => { "text" => r[:full] },
+        "help" => { "text" => r[:help_text], "markdown" => r[:help_markdown] },
+        "helpUri" => Sarif::Rules.help_uri(r[:id]),
+        "defaultConfiguration" => { "level" => r[:level] },
+        "properties" => properties,
+      }
+    end
+
+    def build_results(report:, ruby_info:, line_index:, ruby_line:, lockfile_uri:)
+      results = []
+      report.each do |gem_name, data|
+        results.concat(gem_results(gem_name.to_s, data, line_index, lockfile_uri))
+      end
+      results << ruby_eol_result(ruby_info, ruby_line, lockfile_uri) if ruby_info && ruby_info[:eol]
+      results
+    end
+
+    def gem_results(name, data, line_index, lockfile_uri)
+      out = []
+      version = data[:version_used]
+      location = location_for(name, line_index, lockfile_uri)
+
+      if data[:archived]
+        out << result("SA001", name, "#{name} #{version}: upstream repository is archived#{repo_suffix(data)}.", location)
+      end
+
+      unless data[:archived]
+        last_commit = parse_time(data[:last_commit_date])
+        if last_commit && last_commit < (Time.now - ABANDONED_SECONDS)
+          years = ((Time.now - last_commit) / (365 * 24 * 60 * 60)).round(1)
+          out << result(
+            "SA002",
+            name,
+            "#{name} #{version}: no commits in #{years} years (last #{last_commit.utc.strftime("%Y-%m-%d")}).",
+            location,
+          )
+        end
+      end
+
+      Array(data[:vulnerabilities]).each do |vuln|
+        out << vulnerability_result(name, version, vuln, location)
+      end
+
+      if data[:libyear] && data[:libyear] > LIBYEAR_THRESHOLD
+        latest = data[:latest_version] ? " behind #{data[:latest_version]}" : ""
+        out << result("SA004", name, "#{name} #{version}: #{data[:libyear]} libyears#{latest}.", location)
+      end
+
+      if data[:scorecard_score] && data[:scorecard_score] < SCORECARD_LOW_THRESHOLD
+        out << result("SA005", name, "#{name} #{version}: OpenSSF Scorecard #{data[:scorecard_score]}/10 (low).", location)
+      end
+
+      if data[:version_yanked]
+        out << result("SA007", name, "#{name} #{version}: this version has been yanked from RubyGems.", location)
+      end
+
+      out
+    end
+
+    def vulnerability_result(name, version, vuln, location)
+      score = vuln[:cvss3_score] || vuln[:cvss2_score]
+      level = Sarif::Rules.cvss_to_level(score)
+      severity = Sarif::Rules.cvss_to_security_severity(score)
+      advisory_id = vuln[:id] || Array(vuln[:aliases]).first || "unknown"
+      aliases = Array(vuln[:aliases]).first(3).join(", ")
+      alias_suffix = aliases.empty? ? "" : " [#{aliases}]"
+      title = vuln[:title] ? ": #{vuln[:title]}" : ""
+
+      base = result(
+        "SA003",
+        name,
+        "#{name} #{version}: #{advisory_id}#{title}#{alias_suffix}.",
+        location,
+        level: level,
+        fp_extra: advisory_id,
+      )
+      base["properties"] = { "security-severity" => severity } if severity
+      base
+    end
+
+    def ruby_eol_result(ruby_info, ruby_line, lockfile_uri)
+      version = ruby_info[:version]
+      eol_part = ruby_info[:eol_date] ? " (EOL #{format_date(ruby_info[:eol_date])})" : ""
+      latest_part = ruby_info[:latest_version] ? " Latest is #{ruby_info[:latest_version]}." : ""
+      base = {
+        "ruleId" => "SA006",
+        "ruleIndex" => rule_index("SA006"),
+        "level" => "error",
+        "message" => { "text" => "Ruby #{version} has reached end-of-life#{eol_part}.#{latest_part}" },
+        "locations" => [{
+          "physicalLocation" => {
+            "artifactLocation" => { "uri" => lockfile_uri, "uriBaseId" => "%SRCROOT%" },
+            "region" => { "startLine" => ruby_line },
+          },
+        }],
+      }
+      apply_fingerprint(base, fingerprint("SA006", "ruby"))
+    end
+
+    def result(rule_id, gem_name, message, location, level: nil, fp_extra: nil)
+      level ||= Sarif::Rules.find(rule_id)[:level]
+      base = {
+        "ruleId" => rule_id,
+        "ruleIndex" => rule_index(rule_id),
+        "level" => level,
+        "message" => { "text" => message },
+        "locations" => [location],
+      }
+      apply_fingerprint(base, fingerprint(rule_id, gem_name, fp_extra))
+    end
+
+    def apply_fingerprint(result, fp)
+      result["partialFingerprints"] = {
+        "primaryLocationLineHash" => fp,
+        "stillActiveFinding/v1" => fp,
+      }
+      result
+    end
+
+    def location_for(gem_name, line_index, lockfile_uri)
+      {
+        "physicalLocation" => {
+          "artifactLocation" => { "uri" => lockfile_uri, "uriBaseId" => "%SRCROOT%" },
+          "region" => { "startLine" => line_index[gem_name] || 1 },
+        },
+      }
+    end
+
+    def fingerprint(rule_id, gem_name, advisory_id = nil)
+      Digest::SHA256.hexdigest(["v1", rule_id, gem_name, advisory_id].compact.join("|"))[0, 16]
+    end
+
+    def rule_index(rule_id)
+      Sarif::Rules.all.index { |r| r[:id] == rule_id }
+    end
+
+    def parse_time(value)
+      return value if value.is_a?(Time)
+      return if value.nil?
+
+      Time.parse(value.to_s)
+    rescue ArgumentError, TypeError, RangeError
+      nil
+    end
+
+    def format_date(value)
+      t = parse_time(value)
+      t ? t.utc.strftime("%Y-%m-%d") : value.to_s
+    end
+
+    def repo_suffix(data)
+      data[:repository_url] ? " (#{data[:repository_url]})" : ""
+    end
+  end
+end

data/lib/still_active/cli.rb

@@ -1,10 +1,13 @@
 # frozen_string_literal: true
 
 require_relative "options"
+require_relative "diff"
 require_relative "../helpers/activity_helper"
 require_relative "../helpers/bundler_helper"
+require_relative "../helpers/diff_markdown_helper"
 require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
+require_relative "../helpers/sarif_helper"
 require_relative "../helpers/terminal_helper"
 require_relative "../helpers/version_helper"
 require_relative "../helpers/vulnerability_helper"
@@ -27,15 +30,26 @@ module StillActive
 
       ruby_info = Workflow.ruby_freshness
 
-      case resolve_format
-      when :json
-        output = { gems: result }
-        output[:ruby] = ruby_info if ruby_info
-        puts output.to_json
-      when :terminal
-        puts TerminalHelper.render(result, ruby_info: ruby_info)
-      when :markdown
-        render_markdown(result, ruby_info: ruby_info)
+      if (baseline_path = StillActive.config.baseline_path)
+        emit_diff(result, ruby_info, baseline_path)
+      elsif (sarif_path = StillActive.config.sarif_path)
+        emit_sarif(result, ruby_info, sarif_path)
+      else
+        case resolve_format
+        when :json
+          output = {
+            schema_version: 1,
+            tool: { name: "still_active", version: StillActive::VERSION },
+            generated_at: Time.now.utc.iso8601,
+            gems: result,
+          }
+          output[:ruby] = ruby_info if ruby_info
+          puts output.to_json
+        when :terminal
+          puts TerminalHelper.render(result, ruby_info: ruby_info)
+        when :markdown
+          render_markdown(result, ruby_info: ruby_info)
+        end
       end
 
       check_exit_status(result)
@@ -43,6 +57,62 @@ module StillActive
 
     private
 
+    def emit_sarif(result, ruby_info, sarif_path)
+      lockfile = resolve_lockfile_path(StillActive.config.gemfile_path)
+      unless File.exist?(lockfile)
+        $stderr.puts("error: --sarif requires a lockfile at #{lockfile}")
+        exit(2)
+      end
+
+      sarif_json = SarifHelper.render(
+        result: result,
+        ruby_info: ruby_info,
+        lockfile_path: lockfile,
+        tool_version: StillActive::VERSION,
+      )
+
+      if sarif_path == "-"
+        puts sarif_json
+      else
+        File.write(sarif_path, sarif_json)
+      end
+    end
+
+    # Mirrors Bundler's convention: gems.rb -> gems.locked, otherwise <gemfile>.lock.
+    def resolve_lockfile_path(gemfile)
+      return gemfile.sub(/gems\.rb\z/, "gems.locked") if gemfile.end_with?("gems.rb")
+
+      "#{gemfile}.lock"
+    end
+
+    def emit_diff(result, ruby_info, baseline_path)
+      current = current_snapshot(result, ruby_info)
+      baseline = JSON.parse(File.read(baseline_path))
+      diff = Diff.call(baseline: baseline, current: current)
+      puts DiffMarkdownHelper.render(diff)
+      exit(1) if diff.regressions.any?
+    rescue JSON::ParserError => e
+      $stderr.puts("error: --baseline file is not valid JSON: #{e.message}")
+      exit(2)
+    rescue Diff::UnsupportedSchemaError => e
+      $stderr.puts("error: #{e.message}")
+      exit(2)
+    rescue Errno::ENOENT, Errno::EACCES, Errno::EISDIR => e
+      $stderr.puts("error: cannot read baseline file: #{e.message}")
+      exit(2)
+    end
+
+    def current_snapshot(result, ruby_info)
+      snapshot = {
+        "schema_version" => 1,
+        "tool" => { "name" => "still_active", "version" => StillActive::VERSION },
+        "generated_at" => Time.now.utc.iso8601,
+        "gems" => JSON.parse(result.to_json),
+      }
+      snapshot["ruby"] = JSON.parse(ruby_info.to_json) if ruby_info
+      snapshot
+    end
+
     def resolve_format
       format = StillActive.config.output_format
       return format unless format == :auto

data/lib/still_active/config.rb

@@ -2,23 +2,25 @@
 
 require "bundler"
 require "octokit"
+require "open3"
 
 module StillActive
   class Config
-    attr_accessor :critical_warning_emoji,
+    attr_writer :github_oauth_token, :gitlab_token
+    attr_accessor :baseline_path,
+      :critical_warning_emoji,
       :fail_if_critical,
       :fail_if_warning,
       :futurist_emoji,
       :gemfile_path,
       :gems,
-      :github_oauth_token,
-      :gitlab_token,
       :fail_if_outdated,
       :fail_if_vulnerable,
       :ignored_gems,
       :output_format,
       :parallelism,
       :no_warning_range_end,
+      :sarif_path,
       :success_emoji,
       :unsure_emoji,
       :warning_emoji,
@@ -32,12 +34,14 @@ module StillActive
       @gemfile_path = Bundler.default_gemfile.to_s
       @gems = []
       @ignored_gems = []
-      @github_oauth_token = ENV["GITHUB_TOKEN"]
-      @gitlab_token = ENV["GITLAB_TOKEN"]
+      @github_oauth_token = nil
+      @gitlab_token = nil
 
       @parallelism = 10
 
       @output_format = :auto
+      @sarif_path = nil
+      @baseline_path = nil
 
       @critical_warning_emoji = "🚩"
       @futurist_emoji = "🔮"
@@ -53,5 +57,52 @@ module StillActive
       @github_client ||=
         Octokit::Client.new(access_token: github_oauth_token)
     end
+
+    def github_oauth_token
+      @github_oauth_token ||= presence(ENV["GITHUB_TOKEN"]) || presence(ENV["GH_TOKEN"]) || gh_cli_token
+    end
+
+    def gitlab_token
+      @gitlab_token ||= presence(ENV["GITLAB_TOKEN"]) || glab_cli_token
+    end
+
+    private
+
+    def gh_cli_token
+      stdout, stderr, status = Open3.capture3("gh", "auth", "token")
+      if status.success?
+        token = presence(stdout.strip)
+        return token if token
+
+        warn("warning: `gh auth token` returned empty output")
+      else
+        warn("warning: `gh auth token` failed: #{stderr.strip}")
+      end
+      nil
+    rescue Errno::ENOENT
+      nil
+    end
+
+    def glab_cli_token
+      # Scope to gitlab.com to match GitlabClient::BASE_URI. Users on self-hosted
+      # GitLab still_active doesn't query anyway; if they need it, set GITLAB_TOKEN.
+      _stdout, stderr, status = Open3.capture3("glab", "auth", "status", "--hostname=gitlab.com", "--show-token")
+      unless status.success?
+        warn("warning: `glab auth status` failed: #{stderr.strip}")
+        return
+      end
+
+      match = stderr.match(/Token:\s*(\S+)/)
+      return match[1] if match
+
+      warn("warning: `glab auth status` did not return a Token line")
+      nil
+    rescue Errno::ENOENT
+      nil
+    end
+
+    def presence(value)
+      value && !value.empty? ? value : nil
+    end
   end
 end

data/lib/still_active/diff.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+module StillActive
+  # Compares two still_active JSON snapshots and produces a structured Diff.
+  # Designed for PR review: surfaces regressions (CI-failable deltas) on top
+  # of the full added/removed/bumped breakdown.
+  #
+  # Schema versions accepted: see SUPPORTED_SCHEMA_VERSIONS. A snapshot with
+  # a higher schema_version is rejected loudly rather than silently parsed.
+  module Diff
+    SUPPORTED_SCHEMA_VERSIONS = [1].freeze
+
+    SCORECARD_DROP_THRESHOLD = 1.0      # absolute drop to flag
+    SCORECARD_GOOD_THRESHOLD = 7.0      # categorical threshold (good -> below-good)
+    NEW_GEM_LIBYEAR_THRESHOLD = 0.5     # added gems already this far behind regress
+    LIBYEAR_DELTA_THRESHOLD = 0.01      # floating-point fuzz
+
+    class UnsupportedSchemaError < StandardError; end
+
+    Added = Struct.new(:name, :data, keyword_init: true)
+    Removed = Struct.new(:name, :data, keyword_init: true)
+    Bumped = Struct.new(:name, :before_version, :after_version, :kind, :before, :after, keyword_init: true)
+    SignalChange = Struct.new(:name, :changes, :before, :after, keyword_init: true)
+    Regression = Struct.new(:kind, :gem, :detail, keyword_init: true)
+    Result = Struct.new(:added, :removed, :bumped, :signal_changes, :regressions, :ruby, keyword_init: true)
+
+    extend self
+
+    def call(baseline:, current:)
+      validate_schema!(baseline, "baseline")
+      validate_schema!(current, "current")
+
+      b_gems = baseline.fetch("gems", {})
+      c_gems = current.fetch("gems", {})
+
+      added = (c_gems.keys - b_gems.keys).sort.map { |n| Added.new(name: n, data: c_gems[n]) }
+      removed = (b_gems.keys - c_gems.keys).sort.map { |n| Removed.new(name: n, data: b_gems[n]) }
+
+      bumped = []
+      signal_changes = []
+      (b_gems.keys & c_gems.keys).sort.each do |name|
+        before = b_gems[name]
+        after = c_gems[name]
+        if before["version_used"] != after["version_used"]
+          bumped << Bumped.new(
+            name: name,
+            before_version: before["version_used"],
+            after_version: after["version_used"],
+            kind: classify_bump(before, after),
+            before: before,
+            after: after,
+          )
+        end
+        changes = collect_signal_changes(before, after)
+        signal_changes << SignalChange.new(name: name, changes: changes, before: before, after: after) if changes.any?
+      end
+
+      ruby = ruby_delta(baseline["ruby"], current["ruby"])
+      regressions = collect_regressions(
+        added: added,
+        bumped: bumped,
+        signal_changes: signal_changes,
+        ruby_delta: ruby,
+      )
+
+      Result.new(
+        added: added,
+        removed: removed,
+        bumped: bumped,
+        signal_changes: signal_changes,
+        regressions: regressions,
+        ruby: ruby,
+      )
+    end
+
+    def validate_schema!(snapshot, role)
+      version = snapshot["schema_version"]
+      return if SUPPORTED_SCHEMA_VERSIONS.include?(version)
+
+      raise UnsupportedSchemaError, "#{role} has schema_version=#{version.inspect}; supported: #{SUPPORTED_SCHEMA_VERSIONS.join(", ")}"
+    end
+
+    # Categorises a version bump:
+    # - :introduced_vulns  - new advisories appeared on the resolved version
+    # - :closed_vulns      - all advisories cleared
+    # - :older_relative    - libyear-to-latest grew (rare; usually unchanged)
+    # - :fresher           - libyear-to-latest shrank
+    # - :neutral           - no obvious signal change
+    def classify_bump(before, after)
+      opened = vuln_count(after) - vuln_count(before)
+      return :introduced_vulns if opened.positive?
+      return :closed_vulns if opened.negative?
+
+      delta = (after["libyear"] || 0.0) - (before["libyear"] || 0.0)
+      return :older_relative if delta > LIBYEAR_DELTA_THRESHOLD
+      return :fresher if delta < -LIBYEAR_DELTA_THRESHOLD
+
+      :neutral
+    end
+
+    def collect_signal_changes(before, after)
+      changes = []
+
+      if !before["archived"] && after["archived"]
+        changes << { kind: :archived, from: false, to: true }
+      end
+
+      opened = vuln_count(after) - vuln_count(before)
+      if opened.positive? && before["version_used"] == after["version_used"]
+        # Set difference is enough for the common case. Edge case: an advisory
+        # backfilled with a CVE alias alongside an existing GHSA can show up as
+        # "new" in this list even though it's a re-keying of the same issue.
+        # The vulnerability_count gate above keeps that to detail-string noise.
+        new_ids = advisory_ids(after) - advisory_ids(before)
+        changes << { kind: :new_vulnerability, from: vuln_count(before), to: vuln_count(after), ids: new_ids.first(3) }
+      end
+
+      if before["scorecard_score"] && after["scorecard_score"]
+        drop = before["scorecard_score"] - after["scorecard_score"]
+        # OSSF treats >= 7.0 as "good". A score landing at 7.0 stays good (a 7.5
+        # -> 7.0 dip is noise within the safe zone). Only drops below 7.0 cross.
+        crossed = before["scorecard_score"] >= SCORECARD_GOOD_THRESHOLD && after["scorecard_score"] < SCORECARD_GOOD_THRESHOLD
+        if drop >= SCORECARD_DROP_THRESHOLD || crossed
+          changes << { kind: :scorecard_dropped, from: before["scorecard_score"], to: after["scorecard_score"], crossed_good: crossed }
+        end
+      end
+
+      if before["libyear"] && after["libyear"] && before["version_used"] == after["version_used"]
+        # Same pinned version + libyear grew = upstream released and we didn't
+        # follow. That IS a regression. If version_used moved forward we deliberately
+        # don't flag — moving forward isn't a PR regression even when libyear-to-latest
+        # technically grows (because upstream is releasing faster).
+        delta = after["libyear"] - before["libyear"]
+        if delta > LIBYEAR_DELTA_THRESHOLD
+          changes << { kind: :libyear_worsened, from: before["libyear"], to: after["libyear"], delta: delta.round(2) }
+        end
+      end
+
+      if !before["version_yanked"] && after["version_yanked"]
+        changes << { kind: :version_yanked }
+      end
+
+      changes
+    end
+
+    def collect_regressions(added:, bumped:, signal_changes:, ruby_delta:)
+      regs = []
+
+      added.each do |a|
+        data = a.data
+        if vuln_count(data).positive?
+          regs << Regression.new(kind: :new_gem_with_vulns, gem: a.name, detail: "#{vuln_count(data)} vulns at introduction")
+        elsif data["archived"]
+          regs << Regression.new(kind: :new_gem_archived, gem: a.name, detail: "added gem points at archived repo")
+        elsif data["libyear"] && data["libyear"] > NEW_GEM_LIBYEAR_THRESHOLD
+          regs << Regression.new(kind: :new_gem_stale, gem: a.name, detail: "added gem already #{data["libyear"]} libyears behind latest")
+        end
+      end
+
+      bumped.each do |b|
+        if b.kind == :introduced_vulns
+          regs << Regression.new(
+            kind: :bump_introduced_vulns,
+            gem: b.name,
+            detail: "#{b.before_version} -> #{b.after_version}",
+          )
+        end
+      end
+
+      signal_changes.each do |sc|
+        sc.changes.each do |ch|
+          case ch[:kind]
+          when :archived
+            regs << Regression.new(kind: :archived, gem: sc.name, detail: "repo archived since baseline")
+          when :new_vulnerability
+            ids = Array(ch[:ids]).join(", ")
+            regs << Regression.new(kind: :new_vulnerability, gem: sc.name, detail: "#{ch[:from]} -> #{ch[:to]}#{" (#{ids})" unless ids.empty?}")
+          when :scorecard_dropped
+            note = ch[:crossed_good] ? " crossed #{SCORECARD_GOOD_THRESHOLD}" : ""
+            regs << Regression.new(kind: :scorecard_dropped, gem: sc.name, detail: "#{ch[:from]} -> #{ch[:to]}#{note}")
+          when :version_yanked
+            regs << Regression.new(kind: :version_yanked, gem: sc.name, detail: "pinned version yanked from rubygems")
+          when :libyear_worsened
+            regs << Regression.new(
+              kind: :libyear_worsened,
+              gem: sc.name,
+              detail: "libyear #{ch[:from]} -> #{ch[:to]} (+#{ch[:delta]}y; same pinned version)",
+            )
+          end
+        end
+      end
+
+      if ruby_delta && ruby_delta[:newly_eol]
+        regs << Regression.new(kind: :ruby_eol_introduced, gem: "(ruby)", detail: "Ruby #{ruby_delta[:to]} is now EOL")
+      end
+
+      regs
+    end
+
+    def ruby_delta(before, after)
+      return if before.nil? && after.nil?
+
+      before ||= {}
+      after ||= {}
+      {
+        version_changed: before["version"] != after["version"],
+        from: before["version"],
+        to: after["version"],
+        newly_eol: !before["eol"] && !!after["eol"],
+        libyear_before: before["libyear"],
+        libyear_after: after["libyear"],
+      }
+    end
+
+    def vuln_count(data)
+      data["vulnerability_count"].to_i
+    end
+
+    def advisory_ids(data)
+      Array(data["vulnerabilities"]).flat_map { |v| [v["id"], *Array(v["aliases"])].compact }.uniq
+    end
+  end
+end

data/lib/still_active/options.rb

@@ -34,6 +34,9 @@ module StillActive
 
     def validate_options
       raise ArgumentError, "provide gemfile or gems, not both" if options[:provided_gemfile] && options[:provided_gems]
+      if options[:provided_baseline] && !File.exist?(StillActive.config.baseline_path)
+        raise ArgumentError, "baseline file not found: #{StillActive.config.baseline_path}"
+      end
     end
 
     def add_gemfile_option(opts)
@@ -60,6 +63,13 @@ module StillActive
       opts.on("--terminal", "Coloured terminal output (default in TTY)") { StillActive.config { |config| config.output_format = :terminal } }
       opts.on("--markdown", "Markdown table output") { StillActive.config { |config| config.output_format = :markdown } }
       opts.on("--json", "JSON output (default when piped)") { StillActive.config { |config| config.output_format = :json } }
+      opts.on("--sarif[=PATH]", "SARIF 2.1.0 output for GitHub Code Scanning (default path: still_active.sarif.json; '-' for stdout). Overrides --terminal/--markdown/--json.") do |value|
+        StillActive.config { |config| config.sarif_path = value || "still_active.sarif.json" }
+      end
+      opts.on("--baseline=PATH", String, "Compare current state to baseline still_active JSON; emit markdown deltas. Exits 1 on regressions.") do |value|
+        options[:provided_baseline] = true
+        StillActive.config { |config| config.baseline_path = value }
+      end
     end
 
     def add_token_options(opts)

data/lib/still_active/sarif/rules.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+module StillActive
+  module Sarif
+    # Catalog of SARIF rules emitted by still_active. Rule IDs (SA001-SA007)
+    # are stable across versions; renames or removals are breaking changes.
+    #
+    # Each rule maps a still_active finding into a SARIF result. Security
+    # rules carry a numeric `security_severity` (string per SARIF spec) so
+    # GitHub Code Scanning buckets them as Critical/High/Medium/Low.
+    module Rules
+      extend self
+
+      DOCS_BASE = "https://github.com/SeanLF/still_active/blob/main/docs/rules.md"
+
+      def help_uri(rule_id)
+        "#{DOCS_BASE}##{rule_id.downcase}"
+      end
+
+      # CVSS 0-10 -> SARIF level. Per GitHub Code Scanning convention,
+      # scores >= 7.0 map to error, 4.0-6.9 to warning, below 4.0 to note.
+      def cvss_to_level(score)
+        return "note" if score.nil?
+        return "error" if score >= 7.0
+        return "warning" if score >= 4.0
+
+        "note"
+      end
+
+      # SARIF security-severity must be a string with one decimal place.
+      def cvss_to_security_severity(score)
+        return if score.nil?
+
+        format("%.1f", score)
+      end
+
+      RAW_RULES = [
+        {
+          id: "SA001",
+          name: "ArchivedRepository",
+          short: "Gem source repository is archived",
+          full: "The gem's upstream repository has been marked archived. No further fixes — including security patches — should be expected.",
+          help_text: "Look for a maintained fork or alternative. If you must keep the gem, vendor or fork it so you can apply patches yourself.",
+          level: "error",
+          security_severity: "7.5",
+          tags: ["security", "supply-chain", "external/cwe/cwe-1357"],
+        },
+        {
+          id: "SA002",
+          name: "AbandonedGem",
+          short: "Gem has had no commits for over 2 years",
+          full: "The gem's source repository shows no commit activity for over 2 years. Not formally archived, but a strong dormancy signal.",
+          help_text: "Verify the gem still works on supported Ruby versions and consider a maintained alternative.",
+          level: "warning",
+          security_severity: nil,
+          tags: ["maintenance"],
+        },
+        {
+          id: "SA003",
+          name: "VulnerableGem",
+          short: "Gem has known vulnerabilities (via deps.dev / OSV)",
+          full: "deps.dev / OSV reports one or more advisories affecting the resolved version. Severity is mapped from CVSS where available.",
+          help_text: "Upgrade to a patched version. If no fix exists, evaluate the exploit path against your application's exposure.",
+          level: "error",
+          security_severity: "7.0", # default; per-result override from CVSS
+          tags: ["security", "vulnerability", "external/cwe/cwe-1104"],
+        },
+        {
+          id: "SA004",
+          name: "LibyearBehind",
+          short: "Gem is significantly behind the latest release",
+          full: "Libyear measures how far behind the latest release a dependency is, in fractional years. High libyear values correlate with painful upgrades and missed security backports.",
+          help_text: "Schedule an upgrade. `bundle update <gem>` is your friend.",
+          level: "warning",
+          security_severity: nil,
+          tags: ["maintenance", "libyear"],
+        },
+        {
+          id: "SA005",
+          name: "LowOpenSSFScore",
+          short: "Gem's OpenSSF Scorecard is low",
+          full: "The OpenSSF Scorecard aggregates supply-chain hygiene signals. Low scores indicate weak supply-chain posture, not active vulnerability.",
+          help_text: "Treat as a risk signal, especially for direct dependencies.",
+          level: "note",
+          security_severity: nil,
+          tags: ["supply-chain", "openssf"],
+        },
+        {
+          id: "SA006",
+          name: "RubyEOL",
+          short: "Ruby runtime has reached end-of-life",
+          full: "The Ruby version in Gemfile.lock is past its endoflife.date EOL — no further security releases are expected.",
+          help_text: "Upgrade Ruby. Stay on a release branch still receiving patches.",
+          level: "error",
+          security_severity: "8.5",
+          tags: ["security", "runtime", "external/cwe/cwe-1104"],
+        },
+        {
+          id: "SA007",
+          name: "YankedVersion",
+          short: "Resolved gem version has been yanked from RubyGems",
+          full: "The version resolved in Gemfile.lock has been yanked by the gem owner, typically for a serious bug or vulnerability.",
+          help_text: "Update Gemfile.lock to a non-yanked version immediately.",
+          level: "error",
+          security_severity: "8.0",
+          tags: ["security", "supply-chain", "external/cwe/cwe-1104"],
+        },
+      ].freeze
+
+      CATALOG = RAW_RULES.map do |r|
+        r.merge(
+          tags: r[:tags].dup.freeze,
+          help_markdown: "#{r[:help_text]}\n\nSee [#{r[:id]} docs](#{help_uri(r[:id])}) for full guidance.",
+        ).freeze
+      end.freeze
+
+      def all
+        CATALOG
+      end
+
+      def find(id)
+        CATALOG.find { |r| r[:id] == id }
+      end
+    end
+  end
+end

data/lib/still_active/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module StillActive
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

data/still_active.gemspec

@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency("debug")
   spec.add_development_dependency("faker")
+  spec.add_development_dependency("json_schemer")
   spec.add_development_dependency("rubocop")
   spec.add_development_dependency("rubocop-performance")
   spec.add_development_dependency("rubocop-rspec")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: still_active
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Sean Floyd
@@ -37,6 +37,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json_schemer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -185,11 +199,14 @@ files:
 - lib/helpers/activity_helper.rb
 - lib/helpers/ansi_helper.rb
 - lib/helpers/bundler_helper.rb
+- lib/helpers/diff_markdown_helper.rb
 - lib/helpers/emoji_helper.rb
 - lib/helpers/http_helper.rb
 - lib/helpers/libyear_helper.rb
+- lib/helpers/lockfile_indexer.rb
 - lib/helpers/markdown_helper.rb
 - lib/helpers/ruby_helper.rb
+- lib/helpers/sarif_helper.rb
 - lib/helpers/terminal_helper.rb
 - lib/helpers/version_helper.rb
 - lib/helpers/vulnerability_helper.rb
@@ -198,9 +215,11 @@ files:
 - lib/still_active/config.rb
 - lib/still_active/core_ext.rb
 - lib/still_active/deps_dev_client.rb
+- lib/still_active/diff.rb
 - lib/still_active/gitlab_client.rb
 - lib/still_active/options.rb
 - lib/still_active/repository.rb
+- lib/still_active/sarif/rules.rb
 - lib/still_active/version.rb
 - lib/still_active/workflow.rb
 - still_active.gemspec
@@ -227,7 +246,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Audit your Ruby dependencies for maintenance health, outdated versions, vulnerabilities,
   and abandoned gems.