This reference explains how to produce SARIF output from the Vibgrate CLI and where it fits. It is for teams integrating Vibgrate with code-scanning surfaces that understand the SARIF standard. For all formats, see the Output Formats guide.
Why SARIF
SARIF is a standard interchange format for static-analysis results. Many platforms — most notably GitHub code scanning — ingest SARIF to display findings inline on pull requests and in a security tab. Emitting SARIF lets Vibgrate drift findings appear alongside other scanners in those surfaces.
Producing SARIF
Request SARIF from a scan:
vg scan --format sarif
Write it to a file so a later CI step can upload it:
vg scan --format sarif --out vibgrate.sarif
Using SARIF in CI
In a typical pipeline you produce the SARIF file in one step and hand it to the platform's upload action in the next. Combine this with a drift gate so the build can both report findings and fail when drift is too high:
vg scan --format sarif --out vibgrate.sarif --fail-on error
See the GitHub Actions and other CI integration guides for end-to-end examples.
SARIF vs. JSON
Reach for SARIF when the consumer is a code-scanning surface. Reach for JSON when you are writing your own tooling. The two are complementary: a pipeline can produce JSON for internal dashboards and SARIF for the security tab.
Tips
- Always write SARIF to a file with
--out; upload steps expect a path. - Keep the gate (
--fail-on) separate in intent from the format — the format controls reporting, the gate controls the exit code.
Related
- Output Formats guide
- JSON output reference
- CI integration guides and the
vg scancommand page