Produce a SARIF Report for Security Tooling
Emit drift findings as SARIF with vg scan --format sarif, write them to a file, and upload to GitHub code scanning or any SARIF-aware security tool.
Security platforms speak SARIF — the standard interchange format for static analysis results. Vibgrate can emit drift findings as SARIF so they appear alongside your other security results in GitHub code scanning or any SARIF-aware tool. This tutorial produces and uploads a SARIF report.
Prerequisites
- The Vibgrate CLI installed (
npm i -g @vibgrate/cli) - A SARIF-aware tool such as GitHub code scanning
Steps
1. Install the CLI
npm i -g @vibgrate/cli
No install? Use npx @vibgrate/cli scan for a one-off.
2. Scan with SARIF output
vg scan --format sarif
This runs the scan and emits results in SARIF instead of the default text output.
3. Write SARIF to a file
Most tools ingest a file, so write the SARIF out.
vg scan --format sarif --out vibgrate.sarif
4. Upload SARIF to your tool
In GitHub Actions, upload vibgrate.sarif with the standard code-scanning upload action; other platforms accept SARIF imports the same way. Drift findings then show up in the security UI.
5. Verify findings appear
Open your security tool's findings view and confirm the Vibgrate results are listed with their locations.
Verification
The SARIF file is valid JSON and your tool ingests it without schema errors. In GitHub, the findings appear under code scanning alerts. Combine with --fail-on error if you want the scan step itself to gate on severity.
Next Steps
- Export raw JSON for custom dashboards: "Export JSON for Custom Dashboards".
- Gate merges on drift in CI using
--fail-onand--drift-budget.