🐛 fix(ci): relativise ZAP SARIF URIs with originalUriBaseIds for code scanning

[s-b-e-n-s-o-n]

Summary

After PR #402 (auth-readiness gate) and PR #403 (correct credentials), DAST now scans successfully — but Upload ZAP SARIF still fails:

Code Scanning could not process the submitted SARIF file: SARIF URI scheme "http" did not match the checkout URI scheme "file"

Per SARIF spec §3.14.14, DAST results must store origins in `originalUriBaseIds` and use relative URIs with `uriBaseId` references. The current converter emits raw `http://localhost:3333/...\` URIs in `artifactLocation.uri`, which Code Scanning rejects.

Changes

`scripts/zap-json-to-sarif.mjs`:

• New `resolveArtifactLocation()` helper detects http(s) URIs, strips the origin, returns `{ uri: relativePath, uriBaseId: 'TARGET' }`. Non-http fallback values (`nodeName`, site `@name`, `'zap-target'`) pass through unchanged with no `uriBaseId`.
• `convertZapJsonToSarif()` collects distinct origins into `originalUriBaseIds` at the run level.

`scripts/zap-json-to-sarif.test.mjs` updated assertions for the new shape.

Verification

• `node --test scripts/zap-json-to-sarif.test.mjs` → 10/10 pass
• Pre-push gates all green (coverage, build, biome, qlty)
• Post-merge CI Verify run 26613337624 confirms this is the last blocker: every DAST step passed except `Upload ZAP SARIF`

Test plan

• CI Verify on this PR passes lint/coverage/scripts-test
• Post-merge CI Verify on main: DAST → Upload ZAP SARIF succeeds (the canonical proof)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
drydock-demo	Ready	Preview, Comment	May 29, 2026 2:34am
drydock-website	Ready	Preview, Comment	May 29, 2026 2:34am

[biggest-littlest]

LGTM — proper SARIF originalUriBaseIds shape. Last DAST blocker after #402/#403.

[ALARGECOMPANY]

Approved.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!