Migration assurance
Sample SARIF output: migration guide and scanner checklist
This page explains what replaces scanner evidence that lacks a portable security-review format, when the old evidence must be gone, which migration risks to validate, and how API Migration Guard detects the pattern.
- Target keyword: Sample SARIF output
- Removed: Scanner evidence without portable security-review format
- Replacement: Downloadable SARIF sample with rule IDs and redacted locations
- Removal date: Before audit or agency handoff
TL;DR
| Deprecated item | Removal date | Replacement | Migration risk | Scanner detection |
|---|---|---|---|---|
| Scanner evidence without portable security-review format | Before audit or agency handoff | Downloadable SARIF sample with rule IDs and redacted locations | Security and engineering reviewers may need machine-readable output, not only HTML. | SARIF 2.1.0 sample |
Official status
Amazon documentation lists scanner evidence without a portable security-review format as in scope for this migration. Check the official source before code freeze, because deadlines and replacement details can change.
How to use this asset in production
Downloadable assets are intentionally paired with landing pages. The landing page gives context, source links and checksum; the file gives a portable artifact for a pull request, audit ticket, agency handoff or cutover runbook.
| Use case | Production expectation |
|---|---|
| Pull request | Attach the asset and link the matching scan or validator result. |
| Audit ticket | Record the checksum and the source page so reviewers know which version was used. |
| Cutover runbook | Use the asset as input evidence, not as a replacement for production sample validation. |
Download asset and checksum
Download the file from this landing page and record the checksum in the ticket, pull request or audit note. The direct file is not listed in the sitemap; this page is the canonical indexable explanation.
| File | Format | SHA-256 | Validation use |
|---|---|---|---|
| sample-sarif-output.json | application/json | 9a095e71f4e14a1656afbc17b835c0dab5bfe48b7998acf05d993f3629c53893 | Attach to migration evidence and re-run the matching scanner or validator after code changes. |
Removed resource and replacement
| Old resource | Replacement | Deadline | Validation outcome |
|---|---|---|---|
| Scanner evidence without portable security-review format | Downloadable SARIF sample with rule IDs and redacted locations | Before audit or agency handoff | Security and engineering reviewers may need machine-readable output, not only HTML. |
What breaks
| Area | Breakage |
|---|---|
| Code pattern | Teams miss deprecated usage hidden in source, fixtures, generated clients or parser utilities. |
| Payload or schema | Output can appear healthy while API/report payload shape changed underneath. |
| Permission or data access | Access, role, retention or payment boundaries can block the commercial handoff. |
| Pagination, status or field mapping | Pagination, deadlines and sample-data reconciliation need module-specific validation. |
Before/after example
The example is intentionally small so the migration shape is visible in a code review.
Before:
paste screenshots of findings into a ticket
After:
attach sample SARIF and evidence ZIP to code-review or audit workflow
Scanner detection
| Rule ID | Severity | Evidence pattern | False positive condition | Validation step |
|---|---|---|---|---|
| SARIF 2.1.0 sample | Depends on module and evidence type | Scanner evidence without portable security-review format | Documentation, comments, generated clients or test fixtures can require manual review. | Run a free scan across Orders, Settlement and Finances source paths. |
Migration checklist
- Run a free scan across Orders, Settlement and Finances source paths.
- Open the sample report to confirm evidence shape and export expectations.
- Prioritize blocker findings by deadline and module ownership.
- Unlock the detailed report only after the free scan shows useful evidence.
Common mistakes
- Optimizing for broad migration wording before capturing exact operation/report queries.
- Treating static analysis as absolute proof instead of tested-scope evidence.
- Sending traffic to pricing without a sample report, methodology and free scan path.
Sample report preview
The public sample report shows the same evidence shape used by paid reports: rule ID, severity, file location, redacted evidence, migration mapping, validation step and quality gate.
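The evidence shape listed above (rule ID, severity, file location, redacted evidence, validation step) and the checksum recorded under "Download asset and checksum" can both be produced from the same small script. The following is an added example, not the scanner's own code and not the downloadable asset: it assembles a SARIF 2.1.0 log from constructed findings, redacts secret-shaped text from every snippet, rejects results whose rule ID is undeclared or whose snippet still carries a credential, and emits the SHA-256 a reviewer would pin in the audit note. Rule IDs such as MIG-ORDERS-001, the file paths, the token values and the tool name are hypothetical.

```python
"""Added example: build a SARIF 2.1.0 log with rule IDs and redacted
locations, check its shape, and record the SHA-256 for the audit note.
Rule IDs, paths and findings below are constructed, not scanner output."""
import hashlib
import json
import re

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Secret-shaped substrings that must never leave the scanner inside a snippet.
# Atza|/Atzr| are Login with Amazon access/refresh token prefixes; the last
# pattern catches key=value credentials and skips values already redacted.
SECRET_PATTERNS = [
    (re.compile(r"Atz[ar]\|[A-Za-z0-9_.\-]+"), "[REDACTED]"),
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED]"),
    (re.compile(r"(?i)\b(token|secret|password)(\s*[:=]\s*['\"]?)"
                r"(?!\[REDACTED\])[^'\"\s,)]+"), r"\1\2[REDACTED]"),
]

# Constructed findings (hypothetical rule IDs, paths and token value).
FINDINGS = [
    {"ruleId": "MIG-ORDERS-001", "ruleText": "Deprecated Orders call pattern",
     "level": "error", "file": "src/orders/client.py", "line": 42,
     "snippet": "headers={'x-amz-access-token': 'Atza|IwEBIExampleOnly'}",
     "message": "Migrate before the audit handoff.",
     "validation": "Re-run the scan on src/orders after the change."},
    {"ruleId": "MIG-FIN-002", "ruleText": "Finances field mapping changed",
     "level": "warning", "file": "src/finances/parser.py", "line": 7,
     "snippet": "amount = event['PostedAmount']",
     "message": "Validate the field mapping against sample data.",
     "validation": "Reconcile one settlement report end to end."},
]


def redact(text: str) -> str:
    """Replace every secret-shaped substring with a [REDACTED] marker."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def build_sarif(findings, tool_name="api-migration-scan", tool_version="0.1"):
    """Assemble one SARIF run: every result cites a declared rule, carries a
    redacted snippet at its physical location, and records its validation step."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["ruleId"], {"id": f["ruleId"],
                                       "shortDescription": {"text": f["ruleText"]}})
        results.append({
            "ruleId": f["ruleId"],
            "level": f["level"],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"],
                           "snippet": {"text": redact(f["snippet"])}}}}],
            "properties": {"validationStep": f["validation"]},
        })
    return {"$schema": SARIF_SCHEMA, "version": SARIF_VERSION,
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                          "rules": list(rules.values())}},
                      "results": results}]}


def validate_sarif(log) -> list:
    """Return the problems a reviewer would reject the artifact for: wrong
    version, results citing undeclared rules, or unredacted secrets."""
    problems = []
    if log.get("version") != SARIF_VERSION:
        problems.append(f"version is {log.get('version')!r}, expected {SARIF_VERSION}")
    for run in log.get("runs", []):
        declared = {r["id"] for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            if res.get("ruleId") not in declared:
                problems.append(f"result {i}: ruleId {res.get('ruleId')!r} not declared")
            for loc in res.get("locations", []):
                region = loc.get("physicalLocation", {}).get("region", {})
                snippet = region.get("snippet", {}).get("text", "")
                if any(p.search(snippet) for p, _ in SECRET_PATTERNS):
                    problems.append(f"result {i}: unredacted secret in snippet")
    return problems


def serialize(log) -> bytes:
    """Canonical bytes (sorted keys, fixed indent) so the recorded hash is stable."""
    return json.dumps(log, indent=2, sort_keys=True).encode() + b"\n"


def sha256_hex(data: bytes) -> str:
    """The value to record next to the file name in the ticket or PR."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    log = build_sarif(FINDINGS)
    data = serialize(log)
    with open("sample-sarif-output.json", "wb") as fh:
        fh.write(data)
    print("problems:", validate_sarif(log) or "none")
    print("sha256:", sha256_hex(data))
```

The validator is deliberately narrow: it checks the three things a reviewer cannot confirm from an HTML export (the SARIF version, that every result maps to a declared rule, and that no snippet still carries a credential); schema-level validation of the whole document is a separate step and is not replaced by this check.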
FAQ
Who is Sample SARIF output for?
Developers, agencies and SaaS teams preparing Amazon SP-API cutovers.
Does the tool execute code?
No. It uses static analysis and sample validators only.
What should I do after a free scan?
Review the evidence, inspect the sample report format and unlock the detailed report if the findings are actionable.
Official sources
Validate Sample SARIF output in your source
Run a static scan, review the sample report shape, then unlock the detailed migration report when the evidence is useful.