> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# SARIF Export

> SARIF 2.1.0 output for GitHub Code Scanning and CI/CD integration

Audit findings export in SARIF (Static Analysis Results Interchange Format) 2.1.0 for native integration with GitHub Code Scanning, IDE security views, and CI/CD pipelines.

## Generating SARIF

**CLI:**

```bash theme={null}
qai audit scan --transport stdio --command "npx @modelcontextprotocol/server-memory" \
  --format sarif --output findings.sarif
```

Or convert an existing scan:

```bash theme={null}
qai audit report --input results/scan.json --format sarif --output findings.sarif
```

**Web UI:** Click **Download SARIF** on a completed run's overview header (only available when the audit module ran).

## SARIF Structure

The output conforms to SARIF 2.1.0 with one run containing the q-ai tool driver, deduplicated rules, and one result per finding.

### Tool Driver

```json theme={null}
{
  "name": "q-ai",
  "version": "0.5.1",
  "informationUri": "https://github.com/q-uestionable-AI/CTPF",
  "rules": [ ... ]
}
```

### Rules

Each unique `rule_id` from the scan produces one rule entry:

```json theme={null}
{
  "id": "QAI-INJ-CWE-078-shell_injection",
  "name": "Command injection in 'execute' parameter 'cmd'",
  "shortDescription": { "text": "Command injection in 'execute' parameter 'cmd'" },
  "fullDescription": { "text": "Detailed description..." },
  "defaultConfiguration": { "level": "error" },
  "helpUri": "https://github.com/q-uestionable-AI/CTPF/blob/main/documentation/audit/framework-coverage.mdx#MCP05",
  "properties": {
    "security-severity": "7.0",
    "tags": ["security", "command_injection"]
  }
}
```

### Results

One result per finding, referencing the rule by ID and index:

```json theme={null}
{
  "ruleId": "QAI-INJ-CWE-078-shell_injection",
  "ruleIndex": 0,
  "level": "error",
  "message": { "text": "Detailed description..." },
  "properties": {
    "category": "command_injection",
    "tool_name": "memory_store",
    "evidence": "...",
    "remediation": "Validate and sanitize tool parameters...",
    "metadata": { ... }
  }
}
```

## Severity Mapping

| qai Severity | SARIF Level | security-severity Score |
| ------------ | ----------- | :---------------------: |
| Critical     | error       |           9.0           |
| High         | error       |           7.0           |
| Medium       | warning     |           4.0           |
| Low          | note        |           0.1           |
| Info         | note        |           0.0           |

The `security-severity` property in rule properties enables GitHub Code Scanning to sort findings by security impact.

## GitHub Code Scanning Integration

Upload SARIF results to GitHub's Security tab using the `codeql-action/upload-sarif` action:

```yaml theme={null}
name: MCP Security Audit

on: [push]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install CTPF
        run: pip install ctpf

      - name: Run audit
        run: |
          qai audit scan \
            --transport stdio \
            --command "npx @modelcontextprotocol/server-memory" \
            --format sarif \
            --output results.sarif

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: qai-mcp-audit
```

Findings appear in the repository's Security tab under Code Scanning alerts.

<Note>
  SARIF export is currently generated by the audit module only. Other modules (inject, ipi, cxp, rxp) export findings via the JSON bundle format.
</Note>
