Exports — SARIF, CSV, SBOM
Vygl exports findings and dependency inventories in three formats. Each is designed for a specific downstream consumer.
CSV (findings)
Section titled “CSV (findings)”| Where | Findings list → CSV button. |
|---|---|
| Format | RFC 4180 CSV, UTF-8. |
| Scope | All findings matching the active filter (built client-side by paginating the API; no row cap). |
| Columns | Severity, Type, Rule ID, Title, File, Line, Status, AI Verdict, Confidence, Project, Created. |
Use for spreadsheet-based offline triage, ad-hoc reporting, and exec dashboards.
SARIF 2.1.0 (findings)
Section titled “SARIF 2.1.0 (findings)”| Where | Findings list → SARIF button. |
|---|---|
| Format | SARIF 2.1.0 JSON. |
| Scope | All findings matching current filters. |
| Hard cap | 25,000 findings — the endpoint returns 413 above that. Narrow filters or paginate. |
SARIF is the industry-standard format for static-analysis output. Compatible with:
- GitHub Code Scanning (upload via GitHub Actions for in-PR annotations).
- Azure DevOps code scanning.
- JFrog Xray.
- Any tool that ingests SARIF.
Mappings Vygl applies:
- Severity → SARIF level:
critical/high→error,medium→warning,low/info→note. - CVSS numeric value →
properties.security-severity(so consumers that prioritize by CVSS read the right number). - KEV / EPSS / CVSS surface as result properties (
vigil/kev,vigil/epss_score,vigil/cvss_score) and as rule tags (kev,epss-high). - Triage state —
false_positiveandignoredrender as SARIFsuppressions;fixedandauto_fixedsetbaselineState: absentso re-uploads close the issue downstream. - Every result carries
partialFingerprints.vigilFingerprintV1— Vygl’s stable dedup hash — so consumers can track findings across branches. - The full
metadata.ai_verificationblock (verdict, confidence, reasoning, suggested fix) ships as result properties when AI verification has run.
helpUri priority: OSV → NVD → CWE → omitted. URLs are real; Vygl never fabricates them.
Snippets in secrets findings are stripped by default to prevent raw secret leakage. Pass include_snippets=true to override (typically only for local debugging).
SBOM (CycloneDX 1.4 / SPDX 2.3)
Section titled “SBOM (CycloneDX 1.4 / SPDX 2.3)”| Where | Dependencies page → Download SBOM, or per-project detail. |
|---|---|
| Formats | CycloneDX 1.4 JSON, SPDX 2.3 JSON. |
| Scope | Per-project / per-branch, or org-wide (respects current filters). |
Pass format=cyclonedx or format=spdx to the SBOM endpoint to pick the format. Both contain:
- Components — every dependency as a SBOM component with PURL, name, version, and license (when available).
- Metadata — project name, scan timestamp, tool identifier (
vygl).
Use for supply-chain audits (SOC 2, ISO 27001, FedRAMP), regulatory submissions, and customer security questionnaires.
What’s not in exports
Section titled “What’s not in exports”- Raw source files — only snippet excerpts (≤3000 chars per finding) are included.
- Triage reasons and audit trail — current status is reflected in SARIF suppressions / baselineState; the full transition history lives in Vygl’s audit log.
- AI consultation transcripts — chat logs are stored in Vygl only; not exported.
For deeper data, the REST API returns the full structured representation of every finding, dependency, and scan.