SARIF Format and GitHub Security Tab Integration Guide

SARIF (Static Analysis Results Interchange Format) is a standardized JSON format for reporting the results of static analysis tools. Before SARIF, every security tool produced output in its own proprietary format—XML, CSV, plain text—making it impossible to aggregate results across tools without custom parsers.

SARIF solves this integration problem by providing a common schema that any tool can use to report vulnerabilities, code quality issues, and security findings. A SARIF file describes what was found, where it was found, why it matters, and how to fix it—all in a machine-readable structure that other tools can consume without custom integration.

SARIF was developed by OASIS (Organization for the Advancement of Structured Information Standards) and became an official standard in 2020 (OASIS SARIF 2.1.0). GitHub, Microsoft, and major security vendors adopted SARIF as the universal format for security tool output, making it the industry standard for vulnerability reporting.

Before SARIF, security teams faced the "parser problem": every new tool required a custom integration to ingest its results. A typical enterprise uses 5-10 security tools (SAST, DAST, SCA, secrets detection, container scanning). Without standardization, connecting these tools to dashboards, ticketing systems, or CI/CD pipelines required custom code for each tool.

The Pre-SARIF Problem

Tool A outputs XML with custom tags. Tool B outputs JSON with proprietary field names. Tool C outputs CSV with inconsistent column ordering. To build a unified security dashboard, you write:

• XML parser for Tool A with XPath queries for findings
• JSON parser for Tool B with custom field mappings
• CSV parser for Tool C with column position assumptions
• Translation layer to normalize severity levels (Critical vs High vs Severe)
• Deduplication logic because each tool reports the same vulnerability differently

This integration tax costs 40-60 hours per tool. When Tool A updates its output format, the parser breaks.

The SARIF Solution

With SARIF, every tool outputs the same JSON schema. A single SARIF parser handles all tools. The schema includes:

• Standardized severity: error, warning, note, none
• Standardized locations: file path, line number, column, region
• Standardized classifications: CWE IDs, security categories
• Rich context: code snippets, fix suggestions, related locations
• Tool metadata: tool name, version, rules, taxonomies

GitHub, GitLab, Azure DevOps, and major CI/CD platforms natively consume SARIF. Upload a SARIF file, and the platform displays findings in its security dashboards without custom integration.

A SARIF file is a JSON document with three main sections: runs, results, and tool metadata. Each section has a specific purpose in describing analysis results.

Minimal SARIF Example

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [{
    "tool": {
      "driver": {
        "name": "CodeSlick",
        "version": "1.0.0",
        "informationUri": "https://codeslick.dev",
        "rules": [{
          "id": "js-sql-injection",
          "name": "SQLInjection",
          "shortDescription": {
            "text": "SQL Injection vulnerability detected"
          },
          "helpUri": "https://codeslick.dev/learn/sql-injection"
        }]
      }
    },
    "results": [{
      "ruleId": "js-sql-injection",
      "level": "error",
      "message": {
        "text": "SQL query constructed with string concatenation. Use parameterized queries."
      },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": {
            "uri": "src/api/users.js"
          },
          "region": {
            "startLine": 42,
            "startColumn": 15,
            "endLine": 42,
            "endColumn": 55
          }
        }
      }]
    }]
  }]
}

Key SARIF Fields

runs: Array of analysis runs. Each run represents one execution of a tool against a codebase. Multiple tools can append runs to the same SARIF file.

tool.driver: Metadata about the analysis tool (name, version, documentation URL). Rules array defines each vulnerability type the tool can detect.

results: Array of findings. Each result references a rule ID, specifies severity (error, warning, note), and includes locations with file path and line numbers.

locations: Where the vulnerability was found. Can include multiple locations for data flow analysis (source → sink). Each location specifies file, line, column, and code snippet.

Advanced Features

SARIF supports rich analysis features that simple text output cannot express:

• Code flows: Multi-step data flow paths showing how tainted input reaches a vulnerable sink
• Fixes: Suggested code changes with exact text replacements
• Suppression: Mark findings as false positives with justifications
• Taxonomies: Map findings to OWASP Top 10, CWE, NIST, or custom classifications
• Graphs: Visual representations of call graphs or dependency trees

GitHub's Security tab provides centralized vulnerability tracking for repositories. When you upload a SARIF file via GitHub Actions, findings appear in the Security tab with inline annotations on pull requests, tracking across branches, and historical trend analysis.

How GitHub Processes SARIF

GitHub parses the SARIF file and extracts:

• Vulnerability alerts: Listed in the Security tab under "Code scanning alerts"
• Pull request annotations: Inline comments on changed lines that introduce vulnerabilities
• Status checks: Pass/fail checks on PRs based on severity thresholds
• Historical tracking: Same vulnerability detected across multiple commits is tracked as one issue
• Trend analysis: Security posture over time (vulnerabilities introduced vs fixed)

GitHub Actions SARIF Upload

name: CodeSlick Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Install CodeSlick CLI
        run: npm install -g codeslick-cli

      - name: Run security scan
        run: codeslick analyze --format sarif --output results.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
          category: codeslick-sast

SARIF in Pull Request Reviews

When a pull request introduces a new vulnerability, GitHub displays it as an inline annotation:

src/api/users.js:42
CodeSlick / SQL Injection (High)
  SQL query constructed with string concatenation.
  Use parameterized queries to prevent injection.

  Vulnerable code:
  const query = "SELECT * FROM users WHERE id = " + userId;

  Learn more: https://codeslick.dev/learn/sql-injection

Reviewers see security issues alongside code review comments, eliminating context switching between tools.

Security Tab Features

The GitHub Security tab aggregates SARIF results with:

• Filtering: By severity, rule, branch, or tool
• Deduplication: Same vulnerability in multiple branches tracked as one alert
• Dismissal: Mark false positives with justifications
• Remediation tracking: See when a vulnerability was introduced and when it was fixed
• Compliance exports: Download reports for SOC 2, ISO 27001, or FedRAMP audits

SARIF vs Plain Text

Plain text output (grep, lint) is human-readable but not machine-parseable. Extracting file paths and line numbers requires regex parsing, which breaks when format changes. SARIF provides structured data that tools can consume reliably.

SARIF vs CSV

CSV lacks hierarchy. A vulnerability with multiple locations requires either duplicate rows (one per location) or JSON strings embedded in CSV cells. SARIF natively supports nested structures (results → locations → regions).

SARIF vs XML

Some tools output custom XML schemas. While XML is structured, each tool defines its own tags. SARIF is a standardized schema that all tools follow. A single SARIF parser handles any SARIF-compliant tool.

SARIF vs Tool-Specific JSON

Tools like ESLint output JSON, but with custom field names (filePath vs uri, line vs startLine). SARIF standardizes field names across all tools. ESLint results can be converted to SARIF, making them compatible with GitHub Security and other SARIF consumers.

Feature	Plain Text	CSV	Custom JSON	SARIF
Machine-readable	No (regex parsing)	Yes	Yes	Yes
Standardized schema	No	No	No	Yes
Hierarchical data	No	Limited	Yes	Yes
Multi-tool aggregation	No	No	Custom parsers	Native
GitHub Security support	No	No	No	Yes
Code flow representation	No	No	Tool-specific	Standardized

1. Multi-Tool Security Dashboard

Organizations running multiple security tools (SAST, SCA, secrets detection) aggregate results in a single dashboard:

# Run multiple tools in parallel, all outputting SARIF
codeslick analyze --format sarif --output codeslick.sarif
semgrep scan --sarif --output semgrep.sarif
trivy fs . --format sarif --output trivy.sarif

# Merge SARIF files
sarif-multitool merge codeslick.sarif semgrep.sarif trivy.sarif \
  --output merged.sarif

# Upload to GitHub Security
gh api repos/owner/repo/code-scanning/sarifs \
  --input merged.sarif

The merged SARIF file contains results from all tools, deduplicated and categorized by tool name.

2. Continuous Security Monitoring

SARIF enables trend tracking across releases. Compare SARIF files from consecutive builds to identify security regressions:

# Generate SARIF for current commit
codeslick analyze --format sarif --output current.sarif

# Compare to baseline (main branch)
sarif-multitool diff baseline.sarif current.sarif \
  --output diff.sarif

# New vulnerabilities introduced in this PR:
{
  "newResults": [{
    "ruleId": "js-xss",
    "message": "XSS vulnerability in user input handler",
    "locations": [{"uri": "src/handlers/input.js", "line": 89}]
  }],
  "fixedResults": [{
    "ruleId": "js-sql-injection",
    "message": "SQL injection in login endpoint (FIXED)"
  }]
}

CI/CD pipelines fail builds when new high-severity vulnerabilities are introduced, preventing security regressions.

3. Compliance Audit Trail

Auditors require evidence that security testing occurs on every release. SARIF files serve as timestamped, immutable records:

# Store SARIF files as build artifacts
artifacts/
  v1.2.0-sarif.json  (345 findings, 12 high-severity)
  v1.2.1-sarif.json  (340 findings, 9 high-severity)
  v1.3.0-sarif.json  (315 findings, 5 high-severity)

# Generate compliance report
sarif-multitool report artifacts/*.sarif --format pdf \
  --output compliance-report-q4-2025.pdf

The report shows vulnerability trends, remediation velocity, and coverage across OWASP Top 10 categories—evidence for SOC 2, ISO 27001, and FedRAMP audits.

4. Vulnerability Management Integration

Enterprise vulnerability management platforms (Jira, ServiceNow, DefectDojo) consume SARIF to create tickets automatically:

# Upload SARIF to DefectDojo
curl -X POST https://defectdojo.example.com/api/v2/import-scan/ \
  -H "Authorization: Token YOUR_TOKEN" \
  -F "scan_type=SARIF" \
  -F "file=@codeslick.sarif" \
  -F "engagement=123"

# Results:
- 12 Critical findings → P0 Jira tickets (auto-assigned to security team)
- 23 High findings → P1 tickets (assigned to owning team)
- 45 Medium/Low findings → Backlog

SARIF provides the structured data needed for automated ticket creation, assignment, and SLA tracking.

CodeSlick generates SARIF 2.1.0-compliant output for every analysis, compatible with GitHub Security, GitLab, Azure DevOps, and other SARIF-consuming platforms.

What CodeSlick SARIF Includes

• 294 security checks: All findings mapped to SARIF results with standardized severity levels
• CWE classification: Every result includes CWE ID in the taxonomies section for compliance mapping
• OWASP Top 10 mapping: Results tagged with OWASP 2025 categories
• Precise locations: File path, line number, column, and code snippet for each finding
• Fix suggestions: AI-powered remediation advice in SARIF fixes section
• Rule documentation: Each rule links to CodeSlick learning pages (e.g., codeslick.dev/learn/sql-injection)

SARIF Generation Methods

Web Tool: After analysis, navigate to Export tab and download SARIF file. Upload manually to GitHub via Settings → Code security and analysis → Code scanning → Upload SARIF.

CLI: Run codeslick analyze --format sarif --output results.sarif. The CLI outputs SARIF 2.1.0 to the specified file. Integrate into CI/CD pipelines with automatic upload to GitHub Security.

GitHub App: SARIF is generated and uploaded automatically on every pull request. Findings appear as PR comments and in the Security tab without manual steps. The GitHub App uses the upload-sarif action with proper permissions.

GitHub Actions Integration

name: Security Scan with SARIF Upload

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  codeslick-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # Required for SARIF upload
      pull-requests: write    # Optional: for PR comments
    steps:
      - uses: actions/checkout@v3

      - name: Install CodeSlick CLI
        run: npm install -g codeslick-cli

      - name: Run CodeSlick analysis
        run: |
          codeslick analyze \
            --format sarif \
            --output codeslick.sarif \
            --fail-on critical,high

      - name: Upload SARIF to GitHub Security
        if: always()  # Upload even if scan fails
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: codeslick.sarif
          category: codeslick

      - name: Upload SARIF artifact (for audits)
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: sarif-results
          path: codeslick.sarif
          retention-days: 90

SARIF Output Example

A typical CodeSlick SARIF result for SQL injection:

{
  "ruleId": "js-sql-injection",
  "level": "error",
  "message": {
    "text": "SQL query constructed with string concatenation. Use parameterized queries to prevent SQL injection attacks."
  },
  "locations": [{
    "physicalLocation": {
      "artifactLocation": {"uri": "src/api/users.js"},
      "region": {
        "startLine": 42,
        "startColumn": 15,
        "snippet": {"text": "const query = \"SELECT * FROM users WHERE id = \" + userId;"}
      }
    }
  }],
  "partialFingerprints": {
    "primaryLocationLineHash": "a3f8b9c2d5e1f4"
  },
  "properties": {
    "cwe": "CWE-89",
    "owasp": "A03:2021 - Injection",
    "cvss": 9.8,
    "severity": "CRITICAL"
  },
  "fixes": [{
    "description": {"text": "Use parameterized query with placeholders"},
    "artifactChanges": [{
      "artifactLocation": {"uri": "src/api/users.js"},
      "replacements": [{
        "deletedRegion": {"startLine": 42, "endLine": 42},
        "insertedContent": {"text": "const query = \"SELECT * FROM users WHERE id = ?\";\ndb.query(query, [userId]);"}
      }]
    }]
  }]
}

The SARIF output includes everything needed for automated remediation: precise location, severity classification, compliance mapping (CWE, OWASP), and AI-generated fix suggestions.