Exports — SARIF, CSV, SBOM
Vygl exports findings and dependency inventories in three formats. Each is designed for a specific downstream consumer.
CSV (findings)
| Where | Findings list → CSV button |
|---|---|
| Format | RFC 4180 CSV, UTF-8 |
| Scope | Currently visible rows (default 50, max 200) |
| Columns | id, severity, status, title, file_path, line, rule_id, ai_verdict, created_at, package, version, cve_id, … |
Use for spreadsheet-based offline triage, ad-hoc reporting, and exec dashboards. Note: CSV exports the rows currently shown, not “all matching the filter” — for large datasets, paginate or use SARIF.
SARIF 2.1.0 (findings)
| Where | Findings list → SARIF button |
|---|---|
| Format | SARIF 2.1.0 JSON |
| Scope | All findings matching current filters |
| Hard cap | 25,000 findings — narrow filters if you exceed |
SARIF is the industry-standard format for static-analysis output. Compatible with:
- GitHub Code Scanning (upload via GitHub Actions for in-PR annotations)
- Azure DevOps code scanning
- JFrog Xray
- Any tool that ingests SARIF
Mappings Vygl applies:
- Severity → SARIF level: critical/high → error, medium → warning, low/info → note.
- CVSS numeric value → `properties.security-severity` (so consumers that prioritize by CVSS read the right number).
- KEV / EPSS / CVSS surface as result properties (`vigil/kev`, `vigil/epss_score`, `vigil/cvss_score`) and as rule tags (`kev`, `epss-high`).
- Triage state — `false_positive` and `ignored` render as SARIF `suppressions`; `fixed` and `auto_fixed` set `baselineState: absent` so re-uploads close the issue downstream.
- Every result carries `partialFingerprints.vigilFingerprintV1` — Vigil’s stable dedup hash — so consumers can track findings across branches.
`helpUri` priority: OSV → NVD → CWE → omitted. URLs are real; Vygl never fabricates them.
Snippets in secrets findings are stripped by default to prevent raw secret leakage. Pass `include_snippets=true` to override (typically only for local debugging).
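The mappings above, carried out on one finding as an added example (this is not Vygl's export code): the finding dict shape, the field names `osv_url`/`nvd_url`/`cwe_url`/`fingerprint`, and the sample record are assumptions; the SARIF keys and the `vigil/*` property names are those the page documents.

```python
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error", "medium": "warning",
                     "low": "note", "info": "note"}
SUPPRESSED_STATES = {"false_positive", "ignored"}   # become SARIF suppressions
CLOSED_STATES = {"fixed", "auto_fixed"}             # become baselineState: absent


def help_uri(finding: dict):
    """helpUri priority from the page: OSV, then NVD, then CWE, else omitted."""
    for key in ("osv_url", "nvd_url", "cwe_url"):   # assumed field names
        if finding.get(key):
            return finding[key]
    return None


def to_sarif_result(finding: dict) -> dict:
    """Map one finding (assumed dict shape) to a SARIF 2.1.0 result object."""
    result = {
        "ruleId": finding["rule_id"],
        "level": SEVERITY_TO_LEVEL[finding["severity"]],
        "message": {"text": finding["title"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": finding["file_path"]},
            "region": {"startLine": finding["line"]}}}],
        # Stable dedup hash so consumers can track the finding across branches.
        "partialFingerprints": {"vigilFingerprintV1": finding["fingerprint"]},
        "properties": {"vigil/kev": bool(finding.get("kev", False))},
    }
    props = result["properties"]
    if finding.get("cvss_score") is not None:
        # Consumers that prioritise by CVSS read this number, not "level".
        props["security-severity"] = str(finding["cvss_score"])
        props["vigil/cvss_score"] = finding["cvss_score"]
    if finding.get("epss_score") is not None:
        props["vigil/epss_score"] = finding["epss_score"]
    status = finding["status"]
    if status in SUPPRESSED_STATES:
        result["suppressions"] = [{"kind": "external", "justification": status}]
    elif status in CLOSED_STATES:
        result["baselineState"] = "absent"   # tells a re-upload to close it
    return result


# Constructed sample finding; values are placeholders, not real data.
SAMPLE = {"rule_id": "example-rule", "severity": "high", "status": "false_positive",
          "title": "Example finding", "file_path": "src/app.py", "line": 42,
          "fingerprint": "0000constructed0000", "cvss_score": 7.5,
          "epss_score": 0.12, "kev": False, "nvd_url": "https://nvd.nist.gov/"}
```

A `fixed` finding gets `baselineState: absent` and no suppression; a `false_positive` one gets a suppression and no `baselineState`.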
SBOM (CycloneDX 1.5)
| Where | Dependencies page → Download SBOM, or per-project detail |
|---|---|
| Format | CycloneDX 1.5 JSON |
| Scope | Per-project / per-branch, or org-wide (respects current filters) |
CycloneDX is the OWASP-standard SBOM format. Vygl’s export includes:
- Components — every dependency as a CycloneDX `component` with PURL, version, license (when available).
- Vulnerabilities — known CVEs matched against the dependency.
- Metadata — project name, scan timestamp, tool identifier (`vygl`).
Use for supply-chain audits (SOC 2, ISO 27001, FedRAMP), regulatory submissions, and customer security questionnaires.
Audit trail for exports
Every export action is logged to the audit log:
- `finding.export` — CSV or SARIF download with the active filter and resulting count.
- `project.sbom_download` — SBOM download with format and scope.
Useful for compliance evidence (“we ran a SARIF export on YYYY-MM-DD before the audit”).
What’s not in exports
- Raw source files — only snippet excerpts (≤3000 chars per finding) are included.
- Comments and triage notes — the triage history is in Vygl, not in the export. SARIF exports do encode current triage state via suppressions and baselineState.
- AI consultation transcripts — chat logs are stored in Vygl only; not exported.
For deeper data, the REST API returns the full structured representation of every finding, dependency, and scan.