What is SARIF?
SARIF (Static Analysis Results Interchange Format) is a standardized JSON format for security analysis results. Each finding is mapped to a SARIF result with rule metadata, severity level, and security-severity score for integration into security dashboards and CI/CD pipelines.Generating SARIF output
Use--format sarif on audit scan to generate a SARIF report directly:
audit report:
SARIF structure
Each finding maps to SARIF as follows:| q-ai field | SARIF field | Example |
|---|---|---|
rule_id | ruleId | MCP05-001 |
owasp_id | properties.tags[] | MCP05 |
title | rule.shortDescription | Command injection detected |
description | result.message.text | Full finding description |
severity | level + security-severity | error / 9.0 for CRITICAL |
| q-ai Severity | SARIF Level | Security-Severity Score |
|---|---|---|
| CRITICAL | error | 9.0 |
| HIGH | error | 7.0 |
| MEDIUM | warning | 4.0 |
| LOW | note | 0.1 |
| INFO | note | 0.0 |
GitHub Code Scanning
Upload SARIF results to GitHub Code Scanning using theupload-sarif action: