@@ -41,6 +41,7 @@ class CliConfig:
4141 enable_json : bool = False
4242 enable_sarif : bool = False
4343 sarif_file : Optional [str ] = None
44+ sarif_reachable_only : bool = False
4445 enable_gitlab_security : bool = False
4546 gitlab_security_file : Optional [str ] = None
4647 disable_overview : bool = False
@@ -132,6 +133,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
132133 'enable_json' : args .enable_json ,
133134 'enable_sarif' : args .enable_sarif ,
134135 'sarif_file' : args .sarif_file ,
136+ 'sarif_reachable_only' : args .sarif_reachable_only ,
135137 'enable_gitlab_security' : args .enable_gitlab_security ,
136138 'gitlab_security_file' : args .gitlab_security_file ,
137139 'disable_overview' : args .disable_overview ,
@@ -210,6 +212,11 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
210212 logging .error ("--workspace-name requires --sub-path to be specified" )
211213 exit (1 )
212214
215+ # Validate that sarif_reachable_only requires reach
216+ if args .sarif_reachable_only and not args .reach :
217+ logging .error ("--sarif-reachable-only requires --reach to be specified" )
218+ exit (1 )
219+
213220 # Validate that only_facts_file requires reach
214221 if args .only_facts_file and not args .reach :
215222 logging .error ("--only-facts-file requires --reach to be specified" )
@@ -484,6 +491,12 @@ def create_argument_parser() -> argparse.ArgumentParser:
484491 default = None ,
485492 help = "Output file path for SARIF report (implies --enable-sarif)"
486493 )
494+ output_group .add_argument (
495+ "--sarif-reachable-only" ,
496+ dest = "sarif_reachable_only" ,
497+ action = "store_true" ,
498+ help = "Filter SARIF output to only include reachable findings (requires --reach)"
499+ )
487500 output_group .add_argument (
488501 "--enable-gitlab-security" ,
489502 dest = "enable_gitlab_security" ,
0 commit comments