feat: enable json and sarif output formats for secrets [PS-588]

[alexandru-manea-snyk]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages are release-note ready, emphasizing what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

Bumps cli-extension-secrets to a version that ships JSON and SARIF output for snyk secrets test, and turns on the acceptance tests that were previously skipped while those outputs were in progress.

• Test activation: Un-skips and runs --sarif, --sarif-file-output, and --json format tests.
• Bug fix: Fixed a false-positive in the cross-CWD identity test (corrected a broken property lookup from fingerprint to identity).
• Test refactor: Replaced the complex "SARIF with ignores" test with a focused payload validation test (should generate a well-formed SARIF payload).
• Scope cleanup: Removed the setupIsolatedIgnoreEnv helper and its assertions; testing ignore behavior is intentionally excluded from the acceptance suite.

Where should the reviewer start?

• [feat: enable json output PS-343 #78](feat: enable json output [PS-343] cli-extension-secrets#78)
• [feat: enable sarif output PS-343 #77](feat: enable sarif output [PS-343] cli-extension-secrets#77)
• test/jest/acceptance/snyk-secrets/snyk-secrets-test-user-journey.spec.ts — un-skipped tests + assertion fixes.

How should this be manually tested?

1. Build the CLI from this branch.
2. Clone https://github.com/leaktk/fake-leaks at 366ae0080cc67973619584080fc85734ba2658b2.
3. Run ./snyk secrets test <repo> --sarif and confirm a valid SARIF payload (results have fingerprints.identity, multi-location grouping is present).
4. Same with --json and --sarif-file-output=out.json.
5. Run the acceptance suite:

   TEST_SNYK_COMMAND=<path to built binary> \
     npx jest --maxWorkers=1 \
     --testPathPattern snyk-secrets-test-user-journey
   

   Expected: 23 passed, 0 skipped (should enrich SARIF with suppressions when ignores exist).

What's the product update that needs to be communicated to CLI users?

N/A

Risk assessment (Low | Medium | High)?

Low — this PR only enables acceptance coverage for already-shipping behavior.

Any background context you want to provide?

What are the relevant tickets?

• PS-588
• PS-343

Screenshots (if appropriate)

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[CatalinSnyk]

suggestion: I think for this ones we can just follow what we did for code: we import the project into the testing org and have 2-3 ignored issues that we expect for our tests. We can tackle this as a follow up

[alexandru-manea-snyk]

Okay, I will log a follow-up ticket for this, thank you.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ No major issues detected

📚 Repository Context Analyzed This review considered 6 relevant code sections from 4 files (average relevance: 1.00) CONTRIBUTING.md (lines 1-218) package.json (lines 1-224) dangerfile.js (lines 1-111) package-lock.json (3 segments, lines 20534-20831)