Yes, the command line version will always be available; this is just an additional mode built on top of it. It in fact uses the same API interface as the CLI version to spawn scans, and parses the JSON output format into a persistent DB with some postprocessing to make it more suitable for a web app.
SARIF is implemented as a separate output format and is supported. The "json" one contains more information such as taint traces (even unconfirmed ones that haven't reached sinks), anomaly tags, static behaviour etc. The main json format is intended to capture as much data as possible so it can be analyzed later, as the original intention is to hunt for malware and anomalies and to do research in general on top of the whole PyPI repository. I found SARIF to be more "practical" or actionable in terms of what needs to be done to fix the source code or the vulnerabilities found, vs. research-oriented findings such as "this piece of code is doing network communication". Due to these differences it was added as a separate format, which is a subset of the "json" output format reformatted to the SARIF standard.
I second this question. While server versions are nice, I need command line, local-only versions to use for my code review as I can’t pass code and dependencies to third parties.