Skip to content

Exports — SARIF, CSV, SBOM

Vygl exports findings and dependency inventories in three formats. Each is designed for a specific downstream consumer.

WhereFindings list → CSV button.
FormatRFC 4180 CSV, UTF-8.
ScopeAll findings matching the active filter (built client-side by paginating the API; no row cap).
ColumnsSeverity, Type, Rule ID, Title, File, Line, Status, AI Verdict, Confidence, Project, Created.

Use for spreadsheet-based offline triage, ad-hoc reporting, and exec dashboards.

WhereFindings list → SARIF button.
FormatSARIF 2.1.0 JSON.
ScopeAll findings matching current filters.
Hard cap25,000 findings — the endpoint returns 413 above that. Narrow filters or paginate.

SARIF is the industry-standard format for static-analysis output. Compatible with:

  • GitHub Code Scanning (upload via GitHub Actions for in-PR annotations).
  • Azure DevOps code scanning.
  • JFrog Xray.
  • Any tool that ingests SARIF.

Mappings Vygl applies:

  • Severity → SARIF level: critical/higherror, mediumwarning, low/infonote.
  • CVSS numeric value → properties.security-severity (so consumers that prioritize by CVSS read the right number).
  • KEV / EPSS / CVSS surface as result properties (vigil/kev, vigil/epss_score, vigil/cvss_score) and as rule tags (kev, epss-high).
  • Triage statefalse_positive and ignored render as SARIF suppressions; fixed and auto_fixed set baselineState: absent so re-uploads close the issue downstream.
  • Every result carries partialFingerprints.vigilFingerprintV1 — Vygl’s stable dedup hash — so consumers can track findings across branches.
  • The full metadata.ai_verification block (verdict, confidence, reasoning, suggested fix) ships as result properties when AI verification has run.

helpUri priority: OSV → NVD → CWE → omitted. URLs are real; Vygl never fabricates them.

Snippets in secrets findings are stripped by default to prevent raw secret leakage. Pass include_snippets=true to override (typically only for local debugging).

WhereDependencies page → Download SBOM, or per-project detail.
FormatsCycloneDX 1.4 JSON, SPDX 2.3 JSON.
ScopePer-project / per-branch, or org-wide (respects current filters).

Pass format=cyclonedx or format=spdx to the SBOM endpoint to pick the format. Both contain:

  • Components — every dependency as a SBOM component with PURL, name, version, and license (when available).
  • Metadata — project name, scan timestamp, tool identifier (vygl).

Use for supply-chain audits (SOC 2, ISO 27001, FedRAMP), regulatory submissions, and customer security questionnaires.

  • Raw source files — only snippet excerpts (≤3000 chars per finding) are included.
  • Triage reasons and audit trail — current status is reflected in SARIF suppressions / baselineState; the full transition history lives in Vygl’s audit log.
  • AI consultation transcripts — chat logs are stored in Vygl only; not exported.

For deeper data, the REST API returns the full structured representation of every finding, dependency, and scan.