Skip to main content

Upload Vibgrate SARIF to Code Scanning

Produce a SARIF file with --format sarif and upload it to your platform's code scanning dashboard. Learn the scan command and how findings appear inline.

Vibgrate Docs

Vibgrate Help

This recipe shows how to emit SARIF from Vibgrate and feed it to a code scanning dashboard so drift findings appear alongside other security results. It is provider-agnostic and works anywhere that ingests SARIF.

Why SARIF

SARIF is the standard interchange format for static analysis findings. Uploading Vibgrate SARIF lets findings render inline on pull requests and aggregate in your security dashboard. See Output Formats for the full format list.

Producing the file

npx @vibgrate/cli scan --format sarif --out vibgrate.sarif

Post-install:

vg scan --format sarif --out vibgrate.sarif

This writes a SARIF document describing each finding with a rule id, severity, and location.

Uploading the file

Upload vibgrate.sarif using your platform's code scanning ingestion step or API. The exact upload action depends on the provider, but the input is always the SARIF file produced above.

Not failing the build on upload

SARIF upload is for visibility, so you usually want the scan to succeed even when findings exist. Avoid combining the SARIF step with --fail-on unless you also want the build to fail. To gate separately, run a second scan step with --fail-on error or --drift-budget.

Caching

The SARIF scan benefits from the same Vibgrate cache as any other scan. See Cache Vibgrate scans in CI.

Related

  • Output Formats explains text, JSON, SARIF, and Markdown.
  • Required status checks for drift gates to enforce results.

Related Commands