# secreport — Internal Spec
> This file is gitignored. It exists for agents and internal development and is never committed to public repos.
## Identity
Output formatters for security findings — providing JSON, JSONL, SARIF, Markdown, and Text representations.
## Purpose
Standardizes and serializes security findings into multiple formats required by CI/CD tools, humans, and machines. Without it, every tool would need to write and maintain custom reporting logic and SARIF compliance.
## North Star
A blazingly fast, zero-allocation serialization pipeline that faithfully produces 100% compliant SARIF and clean Markdown, handling millions of findings effortlessly without bottlenecks.
## Role in Ecosystem
- **Depends on:** `secfinding`
- **Depended on by:** Core scanners (implicit via ecosystem use)
- **Relationship to warpscan:** Used to format and emit the final output of security scans to stdout or files.
- **Standalone value:** YES. Anyone working with the `secfinding` data structures or needing standard security report formats can use this independently.
## Invariants
- Formatted output MUST be strictly valid for the respective format (e.g., compliant SARIF, syntactically correct JSON).
- Serialization must never panic on malformed or exceptionally large finding data.
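
The two invariants above, as an added sketch that is not secreport's own code: a hypothetical `Finding` struct (the real `secfinding` types are not shown here) is serialized to a minimal SARIF 2.1.0 log, with hostile strings escaped and unrecognized severities mapped to a valid `level` instead of panicking. The severity names, function names and signatures are assumptions.

```rust
use std::fmt::Write;

/// Hypothetical stand-in for a finding; not the real `secfinding` type.
pub struct Finding { pub rule_id: String, pub severity: String, pub message: String }

/// Escape a string for use inside a JSON string literal (RFC 8259, section 7).
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            // Remaining control characters must be \u-escaped to stay valid JSON.
            c if (c as u32) < 0x20 => { let _ = write!(out, "\\u{:04x}", c as u32); }
            c => out.push(c),
        }
    }
    out
}

/// Map a free-form severity to one of SARIF's four `level` values; never panics.
pub fn sarif_level(severity: &str) -> &'static str {
    match severity.to_ascii_lowercase().as_str() {
        "critical" | "high" => "error",
        "medium" => "warning",
        "low" | "info" => "note",
        _ => "none", // unrecognized input degrades instead of failing
    }
}

/// Build a minimal SARIF 2.1.0 log as a String; the caller owns any file I/O.
pub fn to_sarif(tool: &str, findings: &[Finding]) -> String {
    let results: Vec<String> = findings.iter().map(|f| format!(
        r#"{{"ruleId":"{}","level":"{}","message":{{"text":"{}"}}}}"#,
        json_escape(&f.rule_id), sarif_level(&f.severity), json_escape(&f.message),
    )).collect();
    format!(
        r#"{{"version":"2.1.0","runs":[{{"tool":{{"driver":{{"name":"{}"}}}},"results":[{}]}}]}}"#,
        json_escape(tool), results.join(","),
    )
}

fn main() {
    // Constructed sample: bogus severity, embedded quote and NUL byte in the message.
    let f = Finding { rule_id: "R1".into(), severity: "bogus".into(), message: "a\"b\u{0}".into() };
    println!("{}", to_sarif("demo-scanner", &[f]));
}
```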
## Boundaries
- Does NOT analyze, deduplicate, or mutate findings.
- Does NOT handle file I/O operations directly (only generates the formatted data).
## Quality State
- Tests: High count across multiple format integrations and adversarial inputs.
- Lint preamble: Yes
- `#![forbid(unsafe_code)]`: Yes
- Doc coverage: ~95% (enforced by `#![warn(missing_docs)]`)
- Known issues: Type mismatches between `String` and `Arc<str>` in `src/models.rs` and `src/generated_tests.rs` currently breaking `cargo test`.