SARIF Export

Caspian-Explorer edited this page Feb 7, 2026 · 1 revision

Caspian Security exports scan results in SARIF v2.1.0 (Static Analysis Results Interchange Format) -- the OASIS standard used by GitHub Code Scanning, Azure DevOps, and other security platforms.


What is SARIF?

SARIF is a JSON-based format for static analysis tool output. It standardizes how tools report findings so platforms can consume results from multiple tools in a unified dashboard.

  • Specification: OASIS SARIF v2.1.0
  • Primary use case: Uploading to GitHub Security Alerts (Code scanning)

How to Export

From the Results Panel

  1. Run a scan (file or workspace)
  2. Open the Results Panel
  3. Click Export SARIF in the panel header
  4. Choose a save location
  5. The .sarif file is saved

From the Command Palette

  1. Ctrl+Shift+P
  2. Run "Caspian Security: Export Results to SARIF"
  3. Choose a save location

SARIF Structure

The exported file follows this structure:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Caspian Security",
          "version": "7.0.0",
          "informationUri": "https://marketplace.visualstudio.com/items?itemName=CaspianTools.caspian-security",
          "rules": [
            {
              "id": "XSS001",
              "shortDescription": { "text": "Use of innerHTML can lead to XSS" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "XSS001",
          "ruleIndex": 0,
          "level": "error",
          "message": { "text": "Use of innerHTML can lead to XSS" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "src/app.ts" },
                "region": {
                  "startLine": 42,
                  "startColumn": 5
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Severity Mapping

Caspian Severity    SARIF Level
Error               error
Warning             warning
Info                note
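The following script is an added example, not code from the Caspian Security extension. It builds a SARIF v2.1.0 log in the structure shown above from a few constructed findings (the pre-export finding shape, the EVAL001 rule and the file names other than src/app.ts are assumptions), applies the severity mapping from the table, and then runs the checks a practitioner wants before uploading: every result's ruleId exists in the driver's rules list and its ruleIndex points at that rule, levels are valid SARIF levels, artifact URIs are relative, and line numbers are 1-based.

```python
"""Build, validate and summarize a SARIF v2.1.0 log using the Caspian
severity mapping. Added example; not the extension's own exporter.
FINDINGS below is constructed test data, not real scan output."""
import json

# Caspian severity -> SARIF level, as given in the wiki's mapping table
SEVERITY_TO_LEVEL = {"Error": "error", "Warning": "warning", "Info": "note"}

SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/"
          "sarif-2.1/schema/sarif-schema-2.1.0.json")

# Constructed findings in a hypothetical pre-export shape (an assumption).
FINDINGS = [
    {"ruleId": "XSS001", "severity": "Error",
     "message": "Use of innerHTML can lead to XSS",
     "file": "src/app.ts", "line": 42, "column": 5},
    {"ruleId": "XSS001", "severity": "Error",
     "message": "Use of innerHTML can lead to XSS",
     "file": "src/view.ts", "line": 7, "column": 9},
    {"ruleId": "EVAL001", "severity": "Warning",
     "message": "eval() with non-literal argument",
     "file": "src/util.ts", "line": 120, "column": 3},
]


def build_sarif(findings, tool_version="7.0.0"):
    """Return a SARIF log with one run, de-duplicated rules and ruleIndex set."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        rid = f["ruleId"]
        if rid not in rule_index:  # first sighting of a rule defines it
            rule_index[rid] = len(rules)
            rules.append({"id": rid,
                          "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"], "startColumn": f["column"]},
            }}],
        })
    return {
        "$schema": SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Caspian Security",
                                "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def validate_sarif(doc):
    """Return a list of problems that would make an upload useless or rejected."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        ids = [r["id"] for r in run["tool"]["driver"].get("rules", [])]
        for n, res in enumerate(run.get("results", [])):
            if res.get("level") not in ("error", "warning", "note"):
                problems.append(f"result {n}: bad level {res.get('level')!r}")
            rid, idx = res.get("ruleId"), res.get("ruleIndex")
            if rid not in ids:
                problems.append(f"result {n}: unknown ruleId {rid!r}")
            elif idx is not None and (idx >= len(ids) or ids[idx] != rid):
                problems.append(f"result {n}: ruleIndex {idx} does not point at {rid!r}")
            for loc in res.get("locations", []):
                phys = loc["physicalLocation"]
                uri = phys["artifactLocation"]["uri"]
                if "://" in uri or uri.startswith("/"):
                    problems.append(f"result {n}: uri {uri!r} is not relative")
                if phys.get("region", {}).get("startLine", 1) < 1:
                    problems.append(f"result {n}: startLine must be 1-based")
    return problems


def summarize(doc):
    """Count results per SARIF level across all runs."""
    counts = {"error": 0, "warning": 0, "note": 0}
    for run in doc["runs"]:
        for res in run["results"]:
            counts[res["level"]] = counts.get(res["level"], 0) + 1
    return counts


if __name__ == "__main__":
    log = build_sarif(FINDINGS)
    print(json.dumps(log, indent=2))
    print("problems:", validate_sarif(log) or "none")
    print("summary:", summarize(log))
```

Running the script prints the generated log, "problems: none" and a count of two errors and one warning. Pointing validate_sarif at an exported .sarif file (json.load it first) is a cheap pre-upload gate in CI: an absolute path in a URI or a stale ruleIndex is the kind of defect that makes GitHub show alerts without a file location or attach them to the wrong rule.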

What's Included

  • Tool metadata -- name, version, Marketplace URL
  • Rule definitions -- unique rules with IDs and descriptions
  • Results -- each issue with rule ID, severity, message, and physical source location
  • Source locations -- file path (relative URI), 1-based line number, column

Uploading to GitHub Security Alerts

Via GitHub UI

  1. Go to your repository on GitHub
  2. Navigate to Security > Code scanning
  3. Click Upload SARIF file
  4. Select the exported .sarif file
  5. Results appear in the Code scanning alerts dashboard

Via GitHub CLI

# The upload endpoint also needs the commit SHA the results refer to, and the
# sarif field must be the gzip-compressed, base64-encoded file contents
gh api repos/{owner}/{repo}/code-scanning/sarifs \
  -X POST \
  -F commit_sha="$(git rev-parse HEAD)" \
  -F ref=refs/heads/main \
  -F sarif="$(gzip -c results.sarif | base64 | tr -d '\n')"

Via GitHub Actions

# The job running this step needs "permissions: security-events: write"
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

All Export Formats

Format         Command                    Use Case
JSON           Export Results to JSON     Custom integrations, dashboards, CI/CD
CSV            Export Results to CSV      Spreadsheets, tabular analysis, reporting
SARIF v2.1.0   Export Results to SARIF    GitHub Security Alerts, standard SAST tooling

Next Steps
