This recipe shows how to emit SARIF from Vibgrate and feed it to a code scanning dashboard so drift findings appear alongside other security results. It is provider-agnostic and works anywhere that ingests SARIF.
Why SARIF
SARIF is the standard interchange format for static analysis findings. Uploading Vibgrate SARIF lets findings render inline on pull requests and aggregate in your security dashboard. See Output Formats for the full format list.
Producing the file
npx @vibgrate/cli scan --format sarif --out vibgrate.sarif
Post-install:
vg scan --format sarif --out vibgrate.sarif
This writes a SARIF document describing each finding with a rule id, severity, and location.
Uploading the file
Upload vibgrate.sarif using your platform's code scanning ingestion step or API. The exact upload action depends on the provider, but the input is always the SARIF file produced above.
Not failing the build on upload
SARIF upload is for visibility, so you usually want the scan to succeed even when findings exist. Avoid combining the SARIF step with --fail-on unless you also want the build to fail. To gate separately, run a second scan step with --fail-on error or --drift-budget.
Caching
The SARIF scan benefits from the same Vibgrate cache as any other scan. See Cache Vibgrate scans in CI.
Related
- Output Formats explains text, JSON, SARIF, and Markdown.
- Required status checks for drift gates to enforce results.