375fc9c3d0
Builds on the SARIF 2.1.0 emitter (#626): give each SARIF rule one or more `stride:<leg>` tags (Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation of privilege) derived from the finding's CWE, so consumers — the GitHub code-scanning Security tab, ASPM dashboards, coverage reports — can group and filter findings by threat-model leg. SARIF results inherit their rule's tags via ruleId, so tagging the rule is sufficient. - _CWE_TO_STRIDE maps common CWEs to legs (dominant leg first where a CWE spans several); unmapped / no-CWE findings fall back to a default (tampering + information-disclosure) so every finding carries >=1 leg and downstream reports have no coverage gaps. - Includes mappings for CWEs surfaced by real scans: 798 (hardcoded creds), 862 (missing authz), 259 (hardcoded password), 1391 (weak credential). Tests: tests/report/test_sarif_stride.py (14 cases — mapping, normalization of CWE-306/306/"cwe: 306" forms, default fallback, rule-tag emission). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>