GitGuardian / ggshield

Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License

Add support for SARIF output for secret scanning #920

Closed agateau-gg closed 1 week ago

agateau-gg commented 2 weeks ago

Context

This PR adds support for generating reports in SARIF format when scanning for secrets.

See #869.

What has been done

The PR first introduces a --format (text|json) option, and makes existing commands use it. --format json is a more verbose version of --json, but it makes it possible to add new formats without adding a new flag for each format.

Then it introduces a sarif value for --format. This value is only used by secret scan commands for now. Adding it to other verticals will be done separately.

Representing multi-match secrets in SARIF output

There is a bit of an impedance mismatch between ggshield secret output and SARIF output. A SARIF result is supposed to have one location, but a secret often contains multiple matches, so each match needs to be a separate location. To reconcile this, the result location starts at the start of the first match and ends at the end of the last match. Then each match is added as a "related" location.

This can be seen in this screenshot of a GitHub import of a ggshield SARIF document:


I am open to suggestions regarding better ways to represent multi-match secrets.

Validation

The code can be tested in different ways.

The first thing is to generate some SARIF report. This can be done with a command like this:

ggshield secret scan path -ry --use-gitignore . --format sarif -o myreport.sarif

Then you can try to use the generated report in different places:

PR check list
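The multi-match mapping described above (primary location from the first match's start to the last match's end, each match as a relatedLocation), as an added example that is not ggshield's own code. The Match model, rule id, file path and sample offsets are constructed for illustration.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    # Constructed match model (not ggshield's): 1-based lines/columns, end column exclusive, as in SARIF.
    name: str
    start_line: int
    start_col: int
    end_line: int
    end_col: int


def region(sl: int, sc: int, el: int, ec: int) -> dict:
    return {"startLine": sl, "startColumn": sc, "endLine": el, "endColumn": ec}


def location(uri: str, reg: dict, text: str = "") -> dict:
    loc = {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": reg}}
    if text:
        loc["message"] = {"text": text}
    return loc


def secret_to_sarif_result(rule_id: str, uri: str, matches: list[Match]) -> dict:
    """One SARIF result for a multi-match secret: the primary location spans
    from the earliest match start to the latest match end, and each match is
    carried as its own relatedLocation so importers can still point at it."""
    if not matches:
        raise ValueError("a secret needs at least one match")
    first = min(matches, key=lambda m: (m.start_line, m.start_col))
    last = max(matches, key=lambda m: (m.end_line, m.end_col))
    return {
        "ruleId": rule_id,
        "level": "error",
        "message": {"text": f"{rule_id} ({len(matches)} matches)"},
        "locations": [location(uri, region(first.start_line, first.start_col,
                                           last.end_line, last.end_col))],
        "relatedLocations": [
            location(uri, region(m.start_line, m.start_col, m.end_line, m.end_col), m.name)
            for m in matches
        ],
    }


if __name__ == "__main__":
    # Constructed sample: a two-part credential whose id and secret sit on different lines.
    sample = [Match("client_id", 12, 15, 12, 35), Match("client_secret", 14, 19, 14, 59)]
    print(json.dumps(secret_to_sarif_result("example_rule", "src/config.py", sample), indent=2))
```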

agateau-gg commented 1 week ago

> For the multi-match secret it does not seem ideal, but it is probably the best we can do. Do we know how GitHub Advanced Security and others display those with the SARIF format?

I have no idea :/

> I tested with the validator and the PyCharm extension; it looks good to me!

Oh, I could not find a PyCharm extension! Need to look again.