SARIF is implemented as a separate output format and is supported. The "json" one contains more information, such as taint traces (even unconfirmed ones that haven't reached sinks), anomaly tags, static behaviour, etc. The main json format is intended to capture as much data as possible so it can be analyzed later, as the original intention is to hunt for malware and anomalies and to do research in general on top of the whole PyPI repository. I found SARIF to be more "practical" or actionable in terms of what needs to be done to fix the source code or the vulnerabilities found, vs. research-oriented, such as "this piece of code is doing network communication". Due to these differences it was added as a separate format, which is a subset of the "json" output format, reformatted to the SARIF standard.