Code SARIF Baseline State and Result Fingerprints

Status: public · Confidence: medium (0.815) · Basis: verified_sources

## TL;DR

SARIF baseline state and result fingerprints let code agents distinguish new findings from unchanged static-analysis noise.

## Core Explanation

Static-analysis output is useful to agents only when findings can be matched across runs. SARIF provides result-level properties for recording result identity (partialFingerprints) and baseline state (baselineState), which lets tooling decide whether a warning is new, absent, unchanged, or updated relative to a previous run.

Agents should preserve SARIF fields that affect result identity, avoid rewriting paths without recording the mapping, and treat missing baseline metadata as a reason to avoid broad claims about new or fixed findings. This is especially important when generated files, vendored code, or path normalization change between CI environments.
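The matching logic described above, as an added example (not code from the page or from the SARIF project): two constructed sarifLog objects from the same repository scanned under different CI roots are compared, each current result gets a baselineState, and vanished baseline results are re-emitted as absent. The fingerprint name `exampleLineIndependentHash/v1`, the property-bag key `examplePathMapping`, the prefix list and the rule that a matched result whose line moved is `updated` are this script's own assumptions, not normative SARIF behaviour; if no baseline is supplied, nothing is labelled, since a missing baseline is not evidence that every finding is new.

```python
"""Annotate a SARIF 2.1.0 log with baselineState by matching results against a
previous run. Added example; fingerprint name, property-bag key and the
'updated' rule are assumptions, not part of the SARIF specification."""
import hashlib
import json
import posixpath
from copy import deepcopy

FINGERPRINT_NAME = "exampleLineIndependentHash/v1"  # assumed name, versioned suffix


def normalize_uri(uri, strip_prefixes=()):
    """Map a CI-specific absolute path to a repository-relative POSIX path."""
    uri = uri.replace("\\", "/")
    for prefix in strip_prefixes:
        if uri.startswith(prefix):
            uri = uri[len(prefix):]
            break
    return posixpath.normpath(uri).lstrip("/")


def primary_location(result):
    """(uri, startLine) of the result's first physical location, if any."""
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return (phys.get("artifactLocation", {}).get("uri", ""),
            phys.get("region", {}).get("startLine"))


def compute_fingerprint(result, strip_prefixes=()):
    """Identity that survives line shifts and CI path changes:
    sha256 over ruleId + normalized path + message text (no line number)."""
    uri, _ = primary_location(result)
    parts = [result.get("ruleId", ""), normalize_uri(uri, strip_prefixes),
             result.get("message", {}).get("text", "")]
    return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()


def match_key(result, strip_prefixes=()):
    """Reuse a fingerprint already stored under our name; else compute it."""
    fps = result.get("partialFingerprints") or {}
    return fps.get(FINGERPRINT_NAME) or compute_fingerprint(result, strip_prefixes)


def annotate_baseline_state(baseline_log, current_log, strip_prefixes=()):
    """Return (annotated copy of current_log, summary counts)."""
    current = deepcopy(current_log)
    summary = {"new": 0, "unchanged": 0, "updated": 0, "absent": 0, "unclassified": 0}
    runs = current.get("runs", [])
    if baseline_log is None:  # no baseline: refuse to classify rather than guess
        summary["unclassified"] = sum(len(r.get("results", [])) for r in runs)
        return current, summary

    baseline = {}
    for run in baseline_log.get("runs", []):
        for res in run.get("results", []):
            baseline[match_key(res, strip_prefixes)] = res

    seen = set()
    for run in runs:
        # Record the path rewrite applied so consumers can undo it (assumed key).
        run.setdefault("properties", {})["examplePathMapping"] = {
            "strippedPrefixes": list(strip_prefixes)}
        for res in run.get("results", []):
            key = match_key(res, strip_prefixes)
            res.setdefault("partialFingerprints", {})[FINGERPRINT_NAME] = key
            old = baseline.get(key)
            if old is None:
                state = "new"
            elif primary_location(old)[1] != primary_location(res)[1]:
                state = "updated"  # same finding, line moved (this script's rule)
            else:
                state = "unchanged"
            res["baselineState"] = state
            summary[state] += 1
            seen.add(key)

    for key, old in baseline.items():  # baseline findings that disappeared
        if key not in seen and runs:
            gone = deepcopy(old)
            gone["baselineState"] = "absent"
            runs[0].setdefault("results", []).append(gone)
            summary["absent"] += 1
    return current, summary


def _result(rule_id, uri, line, text):
    """Minimal SARIF result (constructed sample data)."""
    return {"ruleId": rule_id, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


def _log(results):
    """Minimal sarifLog around constructed results."""
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-analyzer"}}, "results": results}]}


# Constructed sample: same repo, two CI roots; one finding moved, one fixed, one new.
BASELINE = _log([
    _result("EX001", "/home/ci/work/src/auth.c", 40, "buffer length not checked"),
    _result("EX002", "/home/ci/work/src/util.c", 12, "unused variable"),
    _result("EX004", "/home/ci/work/src/io.c", 3, "return value ignored")])
CURRENT = _log([
    _result("EX001", "/builds/job7/src/auth.c", 45, "buffer length not checked"),
    _result("EX003", "/builds/job7/src/main.c", 7, "format string is not a literal"),
    _result("EX004", "/builds/job7/src/io.c", 3, "return value ignored")])
PREFIXES = ("/home/ci/work/", "/builds/job7/")


def demo():
    """Run the comparison on the constructed sample; returns (ruleId->state, summary)."""
    annotated, summary = annotate_baseline_state(BASELINE, CURRENT, PREFIXES)
    return {r["ruleId"]: r["baselineState"] for r in annotated["runs"][0]["results"]}, summary


if __name__ == "__main__":
    states, counts = demo()
    print(json.dumps({"states": states, "summary": counts}, indent=2))
```

Because the fingerprint excludes the line number and the CI prefix, EX001 is recognised as the same finding even though it moved from line 40 to 45 and the checkout root changed; a consumer that matched on raw URI and line would instead report one absent and one new result, which is exactly the kind of broad claim the text warns against.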

## Source-Mapped Facts

- The SARIF specification says SARIF defines an object model whose top level is the sarifLog object. ([source](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html))
- The SARIF specification says a result object may contain a partialFingerprints property. ([source](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html))
- The SARIF specification says a result object may contain a baselineState property that specifies the state of the result with respect to a previous run. ([source](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html))
- The OASIS SARIF standard page describes SARIF as a standard format for the output of static analysis tools. ([source](https://www.oasis-open.org/standard/sarif-v2-1-0/))

## Further Reading

- [SARIF Version 2.1.0 Specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)
- [SARIF Version 2.1.0 OASIS Standard Page](https://www.oasis-open.org/standard/sarif-v2-1-0/)