Use CompilerError formatting for zizmor security scanner output (#2667)

Author: Copilot

pkg/cli/zizmor.go

@@ -178,33 +178,61 @@ func parseAndDisplayZizmorOutput(stdout, stderr string, verbose bool) (int, erro
 			continue
 		}
 
-		// Format: 🌈 zizmor xx warnings in <filepath>
-		warningText := "warnings"
-		if count == 1 {
-			warningText = "warning"
+		// Read file content for context display
+		fileContent, err := os.ReadFile(filePath)
+		var fileLines []string
+		if err == nil {
+			fileLines = strings.Split(string(fileContent), "\n")
 		}
-		fmt.Fprintf(os.Stderr, "🌈 zizmor %d %s in %s\n", count, warningText, filePath)
 
-		// Display detailed findings
+		// Display detailed findings using CompilerError format
 		for _, finding := range findings {
 			severity := finding.Determinations.Severity
 			ident := finding.Ident
 			desc := finding.Desc
 
 			// Find the primary location (first location in the list)
-			var locationInfo string
 			if len(finding.Locations) > 0 {
 				loc := finding.Locations[0]
 				row := loc.Concrete.Location.StartPoint.Row
 				col := loc.Concrete.Location.StartPoint.Column
 				// Zizmor uses 0-based indexing, convert to 1-based for user display
-				if row > 0 || col > 0 {
-					locationInfo = fmt.Sprintf(" at line %d, column %d", row+1, col+1)
+				lineNum := row + 1
+				colNum := col + 1
+
+				// Create context lines around the error
+				var context []string
+				if len(fileLines) > 0 && lineNum > 0 && lineNum <= len(fileLines) {
+					startLine := max(1, lineNum-2)
+					endLine := min(len(fileLines), lineNum+2)
+
+					for i := startLine; i <= endLine; i++ {
+						if i-1 < len(fileLines) {
+							context = append(context, fileLines[i-1])
+						}
+					}
+				}
+
+				// Map severity to error type
+				errorType := "warning"
+				if severity == "High" || severity == "Critical" {
+					errorType = "error"
 				}
-			}
 
-			errorMsg := fmt.Sprintf("  - [%s] %s%s: %s", severity, ident, locationInfo, desc)
-			fmt.Fprintln(os.Stderr, console.FormatErrorMessage(errorMsg))
+				// Create and format CompilerError
+				compilerErr := console.CompilerError{
+					Position: console.ErrorPosition{
+						File:   filePath,
+						Line:   lineNum,
+						Column: colNum,
+					},
+					Type:    errorType,
+					Message: fmt.Sprintf("[%s] %s: %s", severity, ident, desc),
+					Context: context,
+				}
+
+				fmt.Fprint(os.Stderr, console.FormatError(compilerErr))
+			}
 		}
 	}
 

pkg/cli/zizmor_test.go

@@ -50,8 +50,7 @@ func TestParseAndDisplayZizmorOutput(t *testing.T) {
 ]`,
 			stderr: " INFO audit: zizmor: 🌈 completed ./.github/workflows/test.lock.yml\n",
 			expectedOutput: []string{
-				"🌈 zizmor 1 warning in ./.github/workflows/test.lock.yml",
-				"✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions",
+				"./.github/workflows/test.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions",
 			},
 			expectError: false,
 		},
@@ -117,9 +116,8 @@ func TestParseAndDisplayZizmorOutput(t *testing.T) {
 ]`,
 			stderr: " INFO audit: zizmor: 🌈 completed ./.github/workflows/test.lock.yml\n",
 			expectedOutput: []string{
-				"🌈 zizmor 2 warnings in ./.github/workflows/test.lock.yml",
-				"✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions",
-				"✗   - [High] template-injection at line 12, column 24: template injection with untrusted input",
+				"./.github/workflows/test.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions",
+				"./.github/workflows/test.lock.yml:12:24: error: [High] template-injection: template injection with untrusted input",
 			},
 			expectError: false,
 		},
@@ -194,10 +192,8 @@ func TestParseAndDisplayZizmorOutput(t *testing.T) {
 ]`,
 			stderr: " INFO audit: zizmor: 🌈 completed ./.github/workflows/test1.lock.yml\n INFO audit: zizmor: 🌈 completed ./.github/workflows/test2.lock.yml\n",
 			expectedOutput: []string{
-				"🌈 zizmor 1 warning in ./.github/workflows/test1.lock.yml",
-				"✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions",
-				"🌈 zizmor 1 warning in ./.github/workflows/test2.lock.yml",
-				"✗   - [High] template-injection at line 12, column 24: template injection with untrusted input",
+				"./.github/workflows/test1.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions",
+				"./.github/workflows/test2.lock.yml:12:24: error: [High] template-injection: template injection with untrusted input",
 			},
 			expectError: false,
 		},
@@ -253,8 +249,7 @@ func TestParseAndDisplayZizmorOutput(t *testing.T) {
 ]`,
 			stderr: " INFO audit: zizmor: 🌈 completed ./.github/workflows/test.lock.yml\n",
 			expectedOutput: []string{
-				"🌈 zizmor 1 warning in ./.github/workflows/test.lock.yml",
-				"✗   - [Medium] excessive-permissions at line 7, column 5: overly broad permissions",
+				"./.github/workflows/test.lock.yml:7:5: warning: [Medium] excessive-permissions: overly broad permissions",
 			},
 			expectError: false,
 		},