For the Sarif parser, as the reports could come from multiple tools, the driver name should be used as the reporter instead of Sarif. That way, if Checkmarx outputs a Sarif report and Semgrep outputs a Sarif report, one can differentiate the findings when these are converted to violation comments in a PR.
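A sketch of the requested behaviour, added here as an example and not taken from the post or from the project's code: the reporter is read from each run's `runs[].tool.driver.name` (SARIF 2.1.0), falling back to `Sarif` when the name is missing. The function names and the sample reports are assumptions constructed for illustration.

```python
import json

def _report(driver, rule, uri, line, text):
    """Build a minimal SARIF 2.1.0 document (constructed sample data, not real tool output)."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": driver},
        "results": [{
            "ruleId": rule,
            "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}],
        }],
    }]})

# Two tools flag the same file and line; only the driver name tells them apart.
CHECKMARX_SARIF = _report({"name": "Checkmarx"}, "constructed-sqli", "src/Db.java", 42, "Tainted input reaches SQL query")
SEMGREP_SARIF = _report({"name": "Semgrep"}, "constructed-sqli", "src/Db.java", 42, "String-built SQL statement")
NAMELESS_SARIF = _report({}, "constructed-rule", "src/App.java", 7, "Example finding")

FALLBACK_REPORTER = "Sarif"  # the generic name the post wants replaced

def reporter_for(run):
    """Reporter for one SARIF run: the driver name, whitespace-collapsed and length-capped."""
    name = (run.get("tool") or {}).get("driver", {}).get("name")
    if not isinstance(name, str):
        return FALLBACK_REPORTER
    # The name comes from the report file, so treat it as untrusted before it reaches a PR comment.
    return " ".join(name.split())[:64] or FALLBACK_REPORTER

def parse_sarif(text):
    """Return one violation dict per SARIF result, tagged with the run's reporter."""
    violations = []
    for run in json.loads(text).get("runs") or []:
        reporter = reporter_for(run)
        for result in run.get("results") or []:  # "results" may be null or absent
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            violations.append({
                "reporter": reporter,
                "rule": result.get("ruleId", ""),
                "file": phys.get("artifactLocation", {}).get("uri", ""),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return violations

def comment_line(v):
    """Render a violation the way a PR comment might show it (hypothetical format)."""
    return f"[{v['reporter']}] {v['file']}:{v['line']} {v['rule']}: {v['message']}"

if __name__ == "__main__":
    for doc in (CHECKMARX_SARIF, SEMGREP_SARIF, NAMELESS_SARIF):
        for violation in parse_sarif(doc):
            print(comment_line(violation))
```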