Skip to content

feat(output): report suppressed finding count in terminal, JSON, and SARIF metadata #87

Description

@jeremyjs

Problem

When a baseline file is active, the terminal shows only non-suppressed findings. A user seeing "0 findings" cannot determine whether the codebase is clean or whether 40 findings are suppressed. This undermines trust in green CI output — "passing" might mean "genuinely clean" or "heavily suppressed."

Scope

Add suppressed finding count to:

  1. Terminal summary line
  2. JSON ScanReport.summary
  3. SARIF inlineExternalProperties.externalizedProperties

No changes to finding content, exit codes, or fail-on behavior.

Acceptance Criteria

  • Terminal (with active baseline): 3 findings (12 suppressed by baseline)
  • Terminal (no baseline): 3 findings (no suppressed mention, no clutter)
  • JSON summary gains suppressed: number field (0 when no baseline)
  • SARIF adds suppressedCount to inlineExternalProperties.externalizedProperties
  • Expected exit code: unchanged
  • Expected JSON diff: ScanReport.summary adds suppressed: number
  • Unit test: mock baseline suppressing 2 of 5 findings; assert summary.suppressed === 2
  • Fixture test: golden JSON diff shows suppressed field

Non-goals

  • Listing suppressed findings inline (separate issue)
  • Changing what counts as suppressed
  • Any change to action.yml inputs/outputs

QA Checklist

  • Terminal shows suppressed count only when baseline is active
  • JSON summary.suppressed is 0 when no baseline
  • JSON summary.suppressed is correct count when baseline suppresses findings
  • SARIF output includes suppressedCount in metadata
  • Exit code unchanged (suppressed findings don't affect --fail-on)
  • pnpm test passes

Risk

Low — additive output change. New JSON key on summary; existing consumers ignore unknown keys.

Metadata

Metadata

Assignees

No one assigned

    Labels

    agent:claude-devAssigned to Claude Devagent:readyReady for agent automationarea:cliCLI packagearea:outputOutput formatscycle:nextQueued for the next cycle after currentenhancementNew feature or requestreliability:trustReliability: trust / signal qualityrisk:lowLow risk change

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions