report convert

Converts a scan findings file between supported output formats without re-running a scan. Useful for feeding existing CBOM output into different downstream tools (SIEM, GitHub Security, spreadsheets).

Usage

qtz-discovery-cli report convert <input-file> --to <format> [flags]

# Convert CBOM to SARIF for GitHub Security upload
qtz-discovery-cli report convert cbom.json --to sarif --output results.sarif

# Convert CBOM to Quantizant JSON
qtz-discovery-cli report convert cbom.json --to json --output findings.json

# Print SARIF converted to JSON to stdout
qtz-discovery-cli report convert results.sarif --to json

Flags

Flag       Required   Description
--to       Yes        Target format: json | sarif
--output   No         Write to file path (default: stdout)

SARIF Output Notes

When converting to SARIF, findings are mapped as follows:

  • critical severity → SARIF error
  • high severity → SARIF error
  • medium severity → SARIF warning
  • low severity → SARIF note
  • info severity → SARIF none

The SARIF output includes the tool driver metadata (qtz-discovery-cli version, rules), and each result includes locations, fingerprints (stable finding IDs), and properties with quantum risk metadata.
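The following is an added illustration of the mapping above, not code from qtz-discovery-cli: it turns a constructed findings document into a SARIF 2.1.0 log with the page's severity-to-level table, a tool driver carrying version and rules, and per-result locations, fingerprints and quantum-risk properties. The flat finding layout, the fingerprint key "qtzFindingId/v1" and the property name "quantumRisk" are assumptions, since the real CBOM schema is not shown on this page.

```python
import json

# Severity -> SARIF level, as listed on this page.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "none"}

# Constructed sample input; this flat finding layout is an assumption, not the real CBOM schema.
SAMPLE_FINDINGS = {
    "tool_version": "0.0.0-example",
    "findings": [
        {"id": "f-001", "rule": "rsa-2048-key", "severity": "high", "file": "src/crypto.py",
         "line": 42, "message": "RSA-2048 key is not quantum-safe",
         "quantum": {"algorithm": "RSA", "key_size": 2048}},
        {"id": "f-002", "rule": "sha1-digest", "severity": "low", "file": "src/hash.py",
         "line": 7, "message": "SHA-1 in use", "quantum": {"algorithm": "SHA-1"}},
    ],
}

def to_sarif_level(severity):
    # Fail loudly on an unmapped severity rather than emitting an invalid SARIF level.
    try:
        return SARIF_LEVEL[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}") from None

def to_sarif(report):
    results = []
    for f in report["findings"]:
        results.append({
            "ruleId": f["rule"],
            "level": to_sarif_level(f["severity"]),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
            # A stable finding ID lets the consumer match the same result across uploads.
            "fingerprints": {"qtzFindingId/v1": f["id"]},
            "properties": {"quantumRisk": f["quantum"]},
        })
    rules = [{"id": r} for r in sorted({f["rule"] for f in report["findings"]})]
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "qtz-discovery-cli",
                                          "version": report["tool_version"],
                                          "rules": rules}},
                      "results": results}]}

def convert(report_json):
    # Mirrors the CLI's "--to sarif" path: findings JSON text in, SARIF JSON text out.
    return json.dumps(to_sarif(json.loads(report_json)), indent=2)
```

Calling `convert(json.dumps(SAMPLE_FINDINGS))` yields a document that can be checked against the SARIF 2.1.0 schema before upload.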