
chore: update GAF to deduplicate SARIF rules#6722

Open
danskmt wants to merge 1 commit into main from chore/CLI-1344-update-gaf-deduplicate-sarif-rules

Conversation

@danskmt
Contributor

@danskmt danskmt commented Apr 10, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Updates go-application-framework to include the fix for duplicate SARIF rules in UFM output. When multiple findings share the same problem ID (e.g., two generic-api-key secrets in different files), the SARIF output previously emitted one rule per finding, producing duplicate rule IDs in the rules array.

Depends on: snyk/go-application-framework#583

Once the GAF PR is merged, this PR will be updated to point to the merged commit on main.

Where should the reviewer start?

This is a dependency-only update — cliv2/go.mod and cliv2/go.sum. The actual code changes are in the GAF PR.

How should this be manually tested?

Run snyk test --sarif against a repo with secrets findings that share the same rule ID and verify the rules array contains no duplicates.

What's the product update that needs to be communicated to CLI users?

None. This is a bug fix for SARIF output correctness.

Risk assessment (Low | Medium | High)?

Low — only updates a dependency version, no CLI code changes.

Any background context you want to provide?

The SARIF spec requires unique rule IDs in the rules array. The fix deduplicates rules by problem ID while keeping all findings in the results array.

What are the relevant tickets?

CLI-1344

@danskmt danskmt requested review from a team as code owners April 10, 2026 13:08
@snyk-io

snyk-io bot commented Apr 10, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


@danskmt danskmt force-pushed the chore/CLI-1344-update-gaf-deduplicate-sarif-rules branch from f330778 to 715ce43 Compare April 10, 2026 13:30
@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Potential Data Loss 🟠 [major]

The update to github.com/snyk/go-application-framework aims to deduplicate SARIF rules. However, without visibility into the specific implementation of this deduplication in the upstream go-application-framework PR, there is a risk that the logic could be overly aggressive. This might lead to legitimate, unique SARIF rules being incorrectly identified as duplicates and subsequently omitted from the output, potentially causing information loss regarding detected issues. The manual testing instructions focus on verifying the absence of duplicates but do not explicitly ensure that all intended unique rules are still present.

github.com/snyk/go-application-framework v0.0.0-20260410132623-e28c5234b46e
📚 Repository Context Analyzed

This review considered 4 relevant code sections from 4 files (average relevance: 0.86)
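The PR description explains the fix as "deduplicate rules by problem ID while keeping all findings in the results array", and the reviewer guide above asks for a check that deduplication did not also drop legitimately distinct rules. The following is an added Go example, not code from the PR or from go-application-framework: it shows the pre-fix per-finding rule emission beside the deduplicated form, and a check that asserts rule IDs are unique, every finding still has a result, and every distinct problem ID still has a rule. The `Finding`, `Rule` and `Result` types and the flat JSON field names are simplified stand-ins assumed for illustration (real SARIF nests rules under `tool.driver.rules` and locations under `locations[]`); the sample findings are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a constructed stand-in for one UFM finding; it is not the
// go-application-framework type, only the fields this example needs.
type Finding struct {
	ProblemID string // the rule/problem ID, e.g. "generic-api-key"
	Title     string
	Message   string
	File      string
	Line      int
}

// Minimal SARIF subset (simplified, assumed field names): a run carries a
// rules array and a results array; each result points at a rule by ruleId.
type Rule struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

type Result struct {
	RuleID  string `json:"ruleId"`
	Message string `json:"message"`
	File    string `json:"file"`
	Line    int    `json:"line"`
}

// BuildRulesPerFinding reproduces the pre-fix behaviour the PR describes:
// one rule entry per finding, so two findings sharing a problem ID yield a
// duplicated rule ID in the rules array.
func BuildRulesPerFinding(findings []Finding) ([]Rule, []Result) {
	var rules []Rule
	var results []Result
	for _, f := range findings {
		rules = append(rules, Rule{ID: f.ProblemID, Name: f.Title})
		results = append(results, toResult(f))
	}
	return rules, results
}

// BuildRulesDeduplicated keeps one rule per problem ID (first occurrence
// wins, insertion order preserved) while still emitting one result per
// finding, so no detected issue is lost.
func BuildRulesDeduplicated(findings []Finding) ([]Rule, []Result) {
	seen := map[string]bool{}
	var rules []Rule
	var results []Result
	for _, f := range findings {
		if !seen[f.ProblemID] {
			seen[f.ProblemID] = true
			rules = append(rules, Rule{ID: f.ProblemID, Name: f.Title})
		}
		results = append(results, toResult(f))
	}
	return rules, results
}

func toResult(f Finding) Result {
	return Result{RuleID: f.ProblemID, Message: f.Message, File: f.File, Line: f.Line}
}

// CheckSarif is the verification the reviewer guide asks for beyond "no
// duplicates": rule IDs unique, one result per input finding, every result
// resolving to a rule, and every distinct problem ID surviving as a rule.
func CheckSarif(findings []Finding, rules []Rule, results []Result) error {
	ids := map[string]bool{}
	for _, r := range rules {
		if ids[r.ID] {
			return fmt.Errorf("duplicate rule id %q in rules array", r.ID)
		}
		ids[r.ID] = true
	}
	if len(results) != len(findings) {
		return fmt.Errorf("expected %d results, got %d", len(findings), len(results))
	}
	for _, res := range results {
		if !ids[res.RuleID] {
			return fmt.Errorf("result references unknown rule id %q", res.RuleID)
		}
	}
	for _, f := range findings {
		if !ids[f.ProblemID] {
			return fmt.Errorf("rule %q was dropped during deduplication", f.ProblemID)
		}
	}
	return nil
}

// SampleFindings is constructed input: two generic-api-key secrets in
// different files plus one finding with a different problem ID.
func SampleFindings() []Finding {
	return []Finding{
		{ProblemID: "generic-api-key", Title: "Generic API key", Message: "hardcoded key", File: "cmd/a.go", Line: 12},
		{ProblemID: "generic-api-key", Title: "Generic API key", Message: "hardcoded key", File: "pkg/b.go", Line: 40},
		{ProblemID: "aws-access-key", Title: "AWS access key", Message: "hardcoded AWS key", File: "pkg/c.go", Line: 7},
	}
}

func main() {
	findings := SampleFindings()
	rules, results := BuildRulesDeduplicated(findings)
	out, _ := json.MarshalIndent(map[string]any{"rules": rules, "results": results}, "", "  ")
	fmt.Println(string(out))
	fmt.Println("check:", CheckSarif(findings, rules, results))
}
```

Running `CheckSarif` against the per-finding output fails on the duplicated `generic-api-key` rule, while the deduplicated output passes with two rules and three results; the same check, run over a real `snyk test --sarif` document, is the assertion the manual test instructions currently leave out.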

Comment thread cliv2/go.sum
github.com/snyk/error-catalog-golang-public v0.0.0-20260316131845-f02d7f42046b/go.mod h1:Ytttq7Pw4vOCu9NtRQaOeDU2dhBYUyNBe6kX4+nIIQ4=
github.com/snyk/go-application-framework v0.0.0-20260409121620-3a9c4e9c4dcd h1:6dhKp2MiV5Xf+7vehQYIWV3z63AurlKT1X1NfPq46Es=
github.com/snyk/go-application-framework v0.0.0-20260409121620-3a9c4e9c4dcd/go.mod h1:7IOOtKxiQhtTbkrX7rax20QNJ/rwGill6n2Rejtld2I=
github.com/snyk/go-application-framework v0.0.0-20260410114400-8326f1630cf8 h1:Mtu/ki5pMU/dm4oqci0I/O/T8kn8dJQFMVbdGVABon4=
Contributor


issue: run go mod tidy
