Upload Vibgrate SARIF to GitHub Code Scanning
Emit SARIF with vg scan --format sarif and upload it via the GitHub code scanning action. Drift findings then appear in the Security tab and as inline PR annotations.
GitHub code scanning ingests SARIF files and surfaces findings in the Security tab and inline on pull requests. Vibgrate emits SARIF directly, so you can route drift findings into the same place your team already reviews security alerts.
Prerequisites
- Vibgrate already running in GitHub Actions.
- Code scanning available on the repository.
- The workflow can request
security-events: writepermission.
Steps
1. Generate SARIF output
Use the --format sarif flag and write the result to a file with --out.
vg scan --format sarif --out vibgrate.sarif
2. Grant security-events permission
The upload step needs permission to write security events. Add it to the job.
jobs:
drift:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
3. Upload the SARIF file
Use GitHub's official upload action and point it at the file you produced.
- run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibgrate.sarif
4. View findings in Security tab
After the run completes, open the repository Security tab and select Code scanning. Vibgrate drift findings appear as alerts you can triage and dismiss.
5. See annotations on PRs
On a pull request, code scanning annotates the changed lines that introduced findings, giving reviewers context without leaving the diff.
Verification
Confirm the workflow run uploaded the SARIF (the upload step is green) and that alerts show up under Security > Code scanning. If the file is missing, check the --out path matches the sarif_file input.
vg scan --format sarif --out vibgrate.sarif
Next Steps
- Add a
--drift-budgetto also fail the build when drift is too high. - Push results to Vibgrate Cloud with
vg scan --pushfor cross-repo trends. - Restrict to changed files in PRs with
vg scan --changed-only.
Prerequisites
- Vibgrate running in GitHub Actions
- Code scanning enabled on the repo
- security events write permission
Steps
- 1Generate SARIF output
- 2Grant security-events permission
- 3Upload the SARIF file
- 4View findings in Security tab
- 5See annotations on PRs