kafkacode 1.3.0 → 1.4.1

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project are documented in this file.
 
+## [1.4.0] - 2026-06-05
+
+### Added
+- Machine-readable output: `--format json` and `--format sarif`.
+- SARIF 2.1.0 integrates with GitHub code scanning (Security tab + inline PR annotations).
+- `--output <file>` writes the report to a file instead of stdout.
+- `--no-fail` exits `0` even when issues are found (useful when uploading SARIF).
+
 ## [1.3.0] - 2026-06-05
 
 ### Added

package/README.md

@@ -16,7 +16,7 @@ a clear **A+ → F privacy grade**, and CI-ready exit codes. Runs in seconds.
 [![node](https://img.shields.io/node/v/kafkacode.svg?color=339933&logo=node.js)](package.json)
 [![PRs welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](CONTRIBUTING.md)
 
-[Quickstart](#-quickstart) · [Features](#-features) · [Example](#-example-output) · [CI/CD](#-cicd-integration) · [How it works](#-how-it-works) · [Contributing](#-contributing)
+[📖 Documentation](https://nikhil-kapu.github.io/kafkacode/) · [Quickstart](#-quickstart) · [Features](#-features) · [CI/CD](#-cicd-integration) · [Contributing](#-contributing)
 
 </div>
 
@@ -195,7 +195,7 @@ deep secret scanners rather than replacing them.
 ## 🗺️ Roadmap
 
 - [x] **Bring-your-own-key AI** — call Groq / OpenAI-compatible providers directly
-- [ ] `--json` and **SARIF** output (GitHub Security tab integration)
+- [x] **`--json` & SARIF output** — SARIF integrates with the GitHub Security tab
 - [ ] Config file &amp; `.kafkacodeignore`
 - [ ] Baseline file to adopt on existing codebases
 - [ ] More file types (`.env`, YAML, Terraform, Dockerfiles)

package/dist/ReportGenerator.js

@@ -1,4 +1,10 @@
 const chalk = require('chalk');
+const path = require('path');
+
+let VERSION = '0.0.0';
+try {
+    VERSION = require('../package.json').version;
+} catch (_) { /* fall back to the default */ }
 
 class ReportGenerator {
     constructor() {
@@ -66,6 +72,94 @@ class ReportGenerator {
         return { grade, url, markdown: `![Privacy Grade: ${grade}](${url})` };
     }
 
+    // Public: render findings as a structured JSON report.
+    generateJson(scanDir, findings, fileCount) {
+        const severityCounts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
+        for (const f of findings) {
+            const s = f.severity || 'Low';
+            if (Object.prototype.hasOwnProperty.call(severityCounts, s)) severityCounts[s]++;
+        }
+        const cwd = process.cwd();
+        const rel = (p) => (p ? path.relative(cwd, p).split(path.sep).join('/') : '');
+        const report = {
+            tool: 'kafkacode',
+            version: VERSION,
+            directory: scanDir,
+            timestamp: this.reportTime.toISOString(),
+            summary: {
+                filesScanned: fileCount,
+                totalIssues: findings.length,
+                grade: this._calculateGrade(findings),
+                severityCounts
+            },
+            findings: findings.map((f) => ({
+                file: rel(f.file_path),
+                line: f.line_number || 0,
+                severity: f.severity || 'Low',
+                type: f.finding_type || 'Issue',
+                description: f.description || '',
+                suggestion: f.suggestion || '',
+                source: f.source === 'llm' ? 'ai' : 'pattern',
+                snippet: f.code_snippet || ''
+            }))
+        };
+        return JSON.stringify(report, null, 2);
+    }
+
+    // Public: render findings as SARIF 2.1.0 (for GitHub code scanning).
+    generateSarif(findings) {
+        const cwd = process.cwd();
+        const rel = (p) => (p ? path.relative(cwd, p).split(path.sep).join('/') : 'unknown');
+        const levelFor = (sev) => {
+            if (sev === 'Critical' || sev === 'High') return 'error';
+            if (sev === 'Medium') return 'warning';
+            return 'note';
+        };
+        const slug = (s) => ((s || 'issue').toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/(^-|-$)/g, '') || 'issue');
+
+        const rules = new Map();
+        for (const f of findings) {
+            const id = slug(f.finding_type);
+            if (!rules.has(id)) {
+                rules.set(id, {
+                    id,
+                    name: f.finding_type || 'Issue',
+                    shortDescription: { text: f.finding_type || 'Issue' },
+                    defaultConfiguration: { level: levelFor(f.severity) }
+                });
+            }
+        }
+
+        const results = findings.map((f) => ({
+            ruleId: slug(f.finding_type),
+            level: levelFor(f.severity),
+            message: { text: f.description || 'Privacy issue detected' },
+            locations: [{
+                physicalLocation: {
+                    artifactLocation: { uri: rel(f.file_path) },
+                    region: { startLine: Math.max(1, f.line_number || 1) }
+                }
+            }]
+        }));
+
+        const sarif = {
+            $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+            version: '2.1.0',
+            runs: [{
+                tool: {
+                    driver: {
+                        name: 'KafkaCode',
+                        informationUri: 'https://github.com/nikhil-kapu/kafkacode',
+                        version: VERSION,
+                        rules: Array.from(rules.values())
+                    }
+                },
+                results
+            }]
+        };
+        return JSON.stringify(sarif, null, 2);
+    }
+
     _groupFindingsBySeverity(findings) {
         const groups = {};
         this.severityOrder.forEach(severity => {

package/dist/cli.js

@@ -12,7 +12,7 @@ const program = new Command();
 program
     .name('kafkacode')
     .description('KafkaCode - Privacy and Compliance Scanner')
-    .version('1.3.0');
+    .version('1.4.0');
 
 program
     .command('scan')
@@ -20,7 +20,10 @@ program
     .argument('<directory>', 'Path to the source code directory to scan')
     .option('-v, --verbose', 'Print verbose progress updates during the scan')
     .option('-b, --badge', 'Print a copy-paste privacy-grade badge for your README')
+    .option('-f, --format <format>', 'Output format: console, json, or sarif', 'console')
+    .option('-o, --output <file>', 'Write output to a file instead of stdout')
     .option('--no-ai', 'Disable AI-powered analysis (run pattern scan only)')
+    .option('--no-fail', 'Exit 0 even when issues are found')
     .action(async (directory, options) => {
         await runScan(directory, options);
     });
@@ -34,6 +37,13 @@ async function runScan(directory, options = {}) {
         process.exit(1);
     }
 
+    // Validate the output format before doing any work
+    const format = (options.format || 'console').toLowerCase();
+    if (!['console', 'json', 'sarif'].includes(format)) {
+        console.error(`Error: unknown --format '${options.format}'. Use 'console', 'json', or 'sarif'.`);
+        process.exit(1);
+    }
+
     if (verbose) {
         console.log('🚀 Starting KafkaCode privacy scan...');
     }
@@ -68,24 +78,39 @@ async function runScan(directory, options = {}) {
         }
         const findings = await analysisEngine.analyzeFiles(files);
 
-        // Generate and display report
-        const report = reportGenerator.generateReport(directory, findings, files.length);
-        console.log(report);
+        // Render the findings in the requested format (validated above)
+        let output;
+        if (format === 'json') {
+            output = reportGenerator.generateJson(directory, findings, files.length);
+        } else if (format === 'sarif') {
+            output = reportGenerator.generateSarif(findings);
+        } else {
+            output = reportGenerator.generateReport(directory, findings, files.length);
+        }
 
-        // Hint that AI analysis is available when it wasn't used.
-        if (options.ai !== false && !analysisEngine.aiEnabled()) {
-            console.log('💡 Tip: set KAFKACODE_API_KEY to enable AI-powered contextual analysis. See the README.\n');
+        // Write to a file, or print to stdout
+        if (options.output) {
+            fs.writeFileSync(options.output, output);
+            console.error(`✅ Wrote ${format} output to ${options.output}`);
+        } else {
+            console.log(output);
         }
 
-        // Optionally print a copy-paste privacy-grade badge for the user's README
-        if (options.badge) {
-            const badge = reportGenerator.getBadge(findings);
-            console.log('🏷️  Privacy Grade Badge — paste into your README:\n');
-            console.log(`    ${badge.markdown}\n`);
+        // Console-only extras — kept out of machine-readable output
+        if (format === 'console' && !options.output) {
+            if (options.ai !== false && !analysisEngine.aiEnabled()) {
+                console.log('💡 Tip: set KAFKACODE_API_KEY to enable AI-powered contextual analysis. See the README.\n');
+            }
+            if (options.badge) {
+                const badge = reportGenerator.getBadge(findings);
+                console.log('🏷️  Privacy Grade Badge — paste into your README:\n');
+                console.log(`    ${badge.markdown}\n`);
+            }
         }
 
-        // Return appropriate exit code
-        process.exit(findings.length > 0 ? 1 : 0);
+        // Exit non-zero when issues are found, unless --no-fail was passed
+        const shouldFail = options.fail !== false && findings.length > 0;
+        process.exit(shouldFail ? 1 : 0);
 
     } catch (error) {
         if (error.name === 'AbortError' || error.message.includes('aborted')) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kafkacode",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "AI-powered privacy and compliance scanner - find PII leaks, hardcoded secrets, and compliance violations in your source code",
   "main": "dist/index.js",
   "bin": {