safe output as security report

.github/workflows/test-claude-create-security-report.md

@@ -0,0 +1,33 @@
+---
+name: Test Claude Security Report
+on:
+  workflow_dispatch:
+  reaction: eyes
+
+engine: 
+  id: claude
+
+safe-outputs:
+  create-security-report:
+    max: 10
+---
+
+# Security Analysis with Claude
+
+Analyze the repository codebase for security vulnerabilities and create security reports.
+
+For each security finding you identify, specify:
+- The file path relative to the repository root
+- The line number where the issue occurs
+- Optional column number for precise location
+- The severity level (error, warning, info, or note)
+- A detailed description of the security issue
+- Optionally, a custom rule ID suffix for meaningful SARIF rule identifiers
+
+Focus on common security issues like:
+- Hardcoded secrets or credentials
+- SQL injection vulnerabilities
+- Cross-site scripting (XSS) issues
+- Insecure file operations
+- Authentication bypasses
+- Input validation problems

.github/workflows/test-codex-create-security-report.md

@@ -0,0 +1,33 @@
+---
+name: Test Codex Security Report
+on:
+  workflow_dispatch:
+  reaction: eyes
+
+engine: 
+  id: codex
+
+safe-outputs:
+  create-security-report:
+    max: 10
+---
+
+# Security Analysis with Codex
+
+Analyze the repository codebase for security vulnerabilities and create security reports.
+
+For each security finding you identify, specify:
+- The file path relative to the repository root
+- The line number where the issue occurs
+- Optional column number for precise location
+- The severity level (error, warning, info, or note)
+- A detailed description of the security issue
+- Optionally, a custom rule ID suffix for meaningful SARIF rule identifiers
+
+Focus on common security issues like:
+- Hardcoded secrets or credentials
+- SQL injection vulnerabilities
+- Cross-site scripting (XSS) issues
+- Insecure file operations
+- Authentication bypasses
+- Input validation problems

docs/safe-outputs.md

@@ -9,6 +9,8 @@ One of the primary security features of GitHub Agentic Workflows is "safe output
 | **New Issue Creation** | `create-issue:` | Create GitHub issues based on workflow output | 1 |
 | **Issue Comments** | `add-issue-comment:` | Post comments on issues or pull requests | 1 |
 | **Pull Request Creation** | `create-pull-request:` | Create pull requests with code changes | 1 |
+| **Pull Request Review Comments** | `create-pull-request-review-comment:` | Create review comments on specific lines of code | 1 |
+| **Security Reports** | `create-security-report:` | Generate SARIF security reports and upload to GitHub Code Scanning | unlimited |
 | **Label Addition** | `add-issue-label:` | Add labels to issues or pull requests | 3 |
 | **Issue Updates** | `update-issue:` | Update issue status, title, or body | 1 |
 | **Push to Branch** | `push-to-branch:` | Push changes directly to a branch | 1 |
@@ -219,6 +221,60 @@ The compiled workflow will have additional prompting describing that, to create
 - Comments are automatically positioned on the correct side of the diff
 - Maximum comment limits prevent spam
 
+### Security Report Creation (`create-security-report:`)
+
+Adding `create-security-report:` to the `safe-outputs:` section declares that the workflow should conclude with creating security reports in SARIF format based on the workflow's security analysis findings. The SARIF file is uploaded as an artifact and submitted to GitHub Code Scanning.
+
+**Basic Configuration:**
+```yaml
+safe-outputs:
+  create-security-report:
+```
+
+**With Configuration:**
+```yaml
+safe-outputs:
+  create-security-report:
+    max: 50                         # Optional: maximum number of security findings (default: unlimited)
+```
+
+The agentic part of your workflow should describe the security findings it wants reported with specific file paths, line numbers, severity levels, and descriptions.
+
+**Example natural language to generate the output:**
+
+```markdown
+# Security Analysis Agent
+
+Analyze the codebase for security vulnerabilities and create security reports.
+Create security reports with your analysis findings. For each security finding, specify:
+- The file path relative to the repository root
+- The line number where the issue occurs
+- The severity level (error, warning, info, or note)
+- A detailed description of the security issue
+
+Security findings will be formatted as SARIF and uploaded to GitHub Code Scanning.
+```
+
+The compiled workflow will have additional prompting describing that, to create security reports, it should write the security findings to a special file with the following structure:
+- `file`: The file path relative to the repository root
+- `line`: The line number where the security issue occurs
+- `column`: Optional column number where the security issue occurs (defaults to 1)
+- `severity`: The severity level ("error", "warning", "info", or "note")
+- `message`: The detailed description of the security issue
+- `ruleIdSuffix`: Optional custom suffix for the SARIF rule ID (must contain only alphanumeric characters, hyphens, and underscores)
+
+**Key Features:**
+- Generates SARIF (Static Analysis Results Interchange Format) reports
+- Automatically uploads reports as GitHub Actions artifacts
+- Integrates with GitHub Code Scanning for security dashboard visibility
+- Supports standard severity levels (error, warning, info, note)
+- Works in any workflow context (not limited to pull requests)
+- Maximum findings limit prevents overwhelming reports
+- Validates all required fields before generating SARIF
+- Supports optional column specification for precise location
+- Customizable rule IDs via optional ruleIdSuffix field
+- Rule IDs default to `{workflow-filename}-security-finding-{index}` format when no custom suffix is provided
+
 ### Label Addition (`add-issue-label:`)
 
 Adding `add-issue-label:` to the `safe-outputs:` section of your workflow declares that the workflow should conclude with adding labels to the current issue or pull request based on the coding agent's analysis.

pkg/parser/schemas/main_workflow_schema.json

@@ -1286,6 +1286,30 @@
             }
           ]
         },
+        "create-security-report": {
+          "oneOf": [
+            {
+              "type": "object",
+              "description": "Configuration for creating security reports (SARIF format) from agentic workflow output",
+              "properties": {
+                "max": {
+                  "type": "integer",
+                  "description": "Maximum number of security findings to include (default: unlimited)",
+                  "minimum": 1
+                },
+                "driver": {
+                  "type": "string",
+                  "description": "Driver name for SARIF tool.driver.name field (default: 'GitHub Agentic Workflows Security Scanner')"
+                }
+              },
+              "additionalProperties": false
+            },
+            {
+              "type": "null",
+              "description": "Enable security report creation with default configuration (unlimited findings)"
+            }
+          ]
+        },
         "add-issue-label": {
           "oneOf": [
             {