Generating SARIF
CLI:SARIF Structure
The output conforms to SARIF 2.1.0 with one run containing the q-ai tool driver, deduplicated rules, and one result per finding.Tool Driver
Rules
Each uniquerule_id from the scan produces one rule entry:
Results
One result per finding, referencing the rule by ID and index:Severity Mapping
| qai Severity | SARIF Level | security-severity Score |
|---|---|---|
| Critical | error | 9.0 |
| High | error | 7.0 |
| Medium | warning | 4.0 |
| Low | note | 0.1 |
| Info | note | 0.0 |
security-severity property in rule properties enables GitHub Code Scanning to sort findings by security impact.
GitHub Code Scanning Integration
Upload SARIF results to GitHub’s Security tab using thecodeql-action/upload-sarif action:
SARIF export is currently generated by the audit module only. Other modules (inject, ipi, cxp, rxp) export findings via the JSON bundle format.