Skip to main content

SARIF Output Reference for the Vibgrate CLI

Learn how to emit SARIF from Vibgrate scans and feed it into code-scanning surfaces such as GitHub code scanning. Understand when SARIF is the right format and how to write it to a file.

Vibgrate Docs

Vibgrate Help

This reference explains how to produce SARIF output from the Vibgrate CLI and where it fits. It is for teams integrating Vibgrate with code-scanning surfaces that understand the SARIF standard. For all formats, see the Output Formats guide.

Why SARIF

SARIF is a standard interchange format for static-analysis results. Many platforms — most notably GitHub code scanning — ingest SARIF to display findings inline on pull requests and in a security tab. Emitting SARIF lets Vibgrate drift findings appear alongside other scanners in those surfaces.

Producing SARIF

Request SARIF from a scan:

vg scan --format sarif

Write it to a file so a later CI step can upload it:

vg scan --format sarif --out vibgrate.sarif

Using SARIF in CI

In a typical pipeline you produce the SARIF file in one step and hand it to the platform's upload action in the next. Combine this with a drift gate so the build can both report findings and fail when drift is too high:

vg scan --format sarif --out vibgrate.sarif --fail-on error

See the GitHub Actions and other CI integration guides for end-to-end examples.

SARIF vs. JSON

Reach for SARIF when the consumer is a code-scanning surface. Reach for JSON when you are writing your own tooling. The two are complementary: a pipeline can produce JSON for internal dashboards and SARIF for the security tab.

Tips

  • Always write SARIF to a file with --out; upload steps expect a path.
  • Keep the gate (--fail-on) separate in intent from the format — the format controls reporting, the gate controls the exit code.

Related

  • Output Formats guide
  • JSON output reference
  • CI integration guides and the vg scan command page

Related Commands