Switching this PR back to 🚧 to draft following a review with one of the SARIF spec authors (✨) who had a couple of minor points of feedback. I'll switch this back once I've pushed up the changes.

I'll switch this back once I've pushed up the changes.

I moved this back to "ready for review", to summarize the recent changes:

1. c981d1c: I learned that we don't need "artifacts" to be present if it's not adding information beyond "X and Y" -- so these are removed
2. 794acc3: I re-ordered some of the result properties so the order is more logical to a human eye
3. 10ce40f: help text is removed in favor of just helpUri, since the help text carried no additional information

Consider pulling more documentation into the SARIF format, via https://github.com/presidentbeef/brakeman/tree/main/docs/warning_types.

@presidentbeef I would love to hear your thoughts on this piece. Is this the only thing blocking this PR from merging?

Happy to merge without that piece. Is there anything outstanding? Otherwise, happy to merge.

Is there anything outstanding?

I think I will reintroduce a temporary help until we can follow up with the revised warning_type docs. Let me do that today then we should be good to go!

I think I will reintroduce a temporary help until we can follow up with the revised warning_type docs.

✅ Done. Here's how it looks in the Security alerts on GitHub (taken from this demo rails3.2 repo, which is a copy of this test app), More info links to this page:

@presidentbeef please feel free to merge this if you're happy with it as well! 🙇

Thanks for all your work on this @swinton! Can you squash it down for me? Thanks!

Can you squash it down for me? Thanks!

Yep, done ✅

Is that Code Climate issue new to this branch? 👀

Code Climate config was messed up. Don't worry about it :)