Skip to main content

Upload Vibgrate SARIF to GitHub Code Scanning

Emit SARIF with vg scan --format sarif and upload it via the GitHub code scanning action. Drift findings then appear in the Security tab and as inline PR annotations.

Difficulty
Intermediate
Duration
20 minutes
Steps
5

GitHub code scanning ingests SARIF files and surfaces findings in the Security tab and inline on pull requests. Vibgrate emits SARIF directly, so you can route drift findings into the same place your team already reviews security alerts.

Prerequisites

  • Vibgrate already running in GitHub Actions.
  • Code scanning available on the repository.
  • The workflow can request security-events: write permission.

Steps

1. Generate SARIF output

Use the --format sarif flag and write the result to a file with --out.

vg scan --format sarif --out vibgrate.sarif

2. Grant security-events permission

The upload step needs permission to write security events. Add it to the job.

jobs:
  drift:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read

3. Upload the SARIF file

Use GitHub's official upload action and point it at the file you produced.

      - run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vibgrate.sarif

4. View findings in Security tab

After the run completes, open the repository Security tab and select Code scanning. Vibgrate drift findings appear as alerts you can triage and dismiss.

5. See annotations on PRs

On a pull request, code scanning annotates the changed lines that introduced findings, giving reviewers context without leaving the diff.

Verification

Confirm the workflow run uploaded the SARIF (the upload step is green) and that alerts show up under Security > Code scanning. If the file is missing, check the --out path matches the sarif_file input.

vg scan --format sarif --out vibgrate.sarif

Next Steps

  • Add a --drift-budget to also fail the build when drift is too high.
  • Push results to Vibgrate Cloud with vg scan --push for cross-repo trends.
  • Restrict to changed files in PRs with vg scan --changed-only.

Prerequisites

  • Vibgrate running in GitHub Actions
  • Code scanning enabled on the repo
  • security events write permission

Steps

  • 1
    Generate SARIF output
  • 2
    Grant security-events permission
  • 3
    Upload the SARIF file
  • 4
    View findings in Security tab
  • 5
    See annotations on PRs

Category

Vibgrate