diff --git a/nodejs/package.json b/nodejs/package.json
index b1ad22f..625191a 100644
--- a/nodejs/package.json
+++ b/nodejs/package.json
@@ -6,7 +6,8 @@
 },
 "devDependencies": {
 "@davidkhala/logger": "latest",
- "mocha": "latest"
+ "mocha": "latest",
+ "@davidkhala/light": "latest"
 },
 "scripts": {
 "test": "mocha test"
diff --git a/nodejs/security.js b/nodejs/security.js
index ea12eac..5e80f33 100644
--- a/nodejs/security.js
+++ b/nodejs/security.js
@@ -1,4 +1,5 @@
 import API from "./rest.js";
+import {html} from "mocha/lib/reporters/index.js";
 export class CodeScan extends API {
 async listForOrg(org) {
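Review bot: The added `import {html} from "mocha/lib/reporters/index.js";` in nodejs/security.js pulls a test reporter from a devDependency into a library module, and `html` is not referenced in any visible hunk, so a consumer that installs the package without devDependencies fails at module load. It reads like a stray editor auto-import (the only `html` in the new code is the `html_url` property), so the fix is to drop the line. If an HTML reporter is really wanted for scan output, that belongs in the test or script layer rather than the API wrapper. The `CodeScan` class body continues outside this hunk.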
@@ -8,11 +9,50 @@ export class CodeScan extends API {
 return data
 }
- async listForRepo(org, repo) {
+ static prettyRule({rule}) {
+ delete rule.id // mostly equivalent to .name
+ delete rule.description // just a short form of full_description
+ }
+
+ static as_report({
+ number, html_url,
+ created_at, updated_at,
+ state,
+ fixed_at, dismissed_by, dismissed_at,
+ rule, most_recent_instance
+ }) {
+ const {security_severity_level, tags, full_description, name} = rule // the dimensional table
+ const cweTag = tags.find(tag => tag.startsWith('external/cwe/cwe-'))
+ const cwe = cweTag ? cweTag.substring(17) : undefined
+
+ const {ref, location, commit_sha} = most_recent_instance
+
+ return {
+ severity_level: security_severity_level, cwe,
+ name, number, url: html_url, description: full_description,
+ created_at, updated_at, fixed_at,
+ dismissed_by, dismissed_at,
+ state, ref, commit: commit_sha, location: JSON.stringify(location)
+ }
+ }
+
+
+ static pretty(item) {
+ delete item.url // For internal usage only
+ delete item.instances_url // For internal usage only
+ CodeScan.prettyRule(item)
+ delete item.tool // assuming { name: 'CodeQL', guid: null, version: '2.20.0' }
+ return item
+ }
+
+ async listForRepo(org, repo, pretty) {
 const {data} = await this.client.codeScanning.listAlertsForRepo({
 repo,
- owner: org
+ owner: org,
 })
+ if (pretty) {
+ return data.map(CodeScan.pretty)
+ }
 return data
 }
 }
diff --git a/nodejs/test/artifacts/.gitignore b/nodejs/test/artifacts/.gitignore
new file mode 100644
index 0000000..94a2dd1
--- /dev/null
+++ b/nodejs/test/artifacts/.gitignore
@@ -0,0 +1 @@
+*.json
\ No newline at end of file
diff --git a/nodejs/test/security.js b/nodejs/test/security.js
index c3260a8..43c65e3 100644
--- a/nodejs/test/security.js
+++ b/nodejs/test/security.js
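Review bot: `as_report` dereferences `rule.tags` and `most_recent_instance` unconditionally, so an alert whose rule carries no tags, or which has no `most_recent_instance`, makes `tags.find` or the destructuring throw a TypeError, and the bare `17` in `cweTag.substring(17)` is the length of the `'external/cwe/cwe-'` prefix with nothing tying the two together. I would write `const CWE_PREFIX = 'external/cwe/cwe-'`, `const cweTag = (tags ?? []).find(tag => tag.startsWith(CWE_PREFIX))` and `const cwe = cweTag?.slice(CWE_PREFIX.length)`, and default `most_recent_instance` with `?? {}` the same way. `prettyRule` has the same shape of problem, since `delete rule.id` throws when `item.rule` is undefined, and because `pretty` mutates the alert objects in place, `data.map(CodeScan.pretty)` in `listForRepo` hands back the very objects the API client returned, which deserves a comment if it is deliberate. `as_report` is not called anywhere in this hunk and its snake_case breaks the camelCase of `prettyRule`/`listForRepo`; `asReport` would match.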
@@ -1,5 +1,7 @@
 import {CodeScan, Dependabot, SecretScan} from "../security.js";
 import assert from "assert";
+import {JSONReadable} from '@davidkhala/light/format.js'
+import fs from "fs";
 const pat = process.env.GITHUB_TOKEN
 describe('codeScan', function () {
 this.timeout(0)
@@ -8,8 +10,8 @@ describe('codeScan', function () {
 const org = 'davidkhala'
 const repo = 'ci-cd-utils'
- const data = await api.listForRepo(org, repo)
- console.debug(data)
+ const data = await api.listForRepo(org, repo, true)
+ fs.writeFileSync('test/artifacts/codeScan.json', JSONReadable(data))
 await assert.rejects(async()=>{
 await api.listForRepo(undefined, `${org}/${repo}`)
 }, 'HttpError: Not Found - https://docs.github.com/rest')