SARIF Export
Caspian-Explorer edited this page Feb 7, 2026 · 1 revision
Caspian Security exports scan results in SARIF v2.1.0 (Static Analysis Results Interchange Format) -- the OASIS standard used by GitHub Code Scanning, Azure DevOps, and other security platforms.
SARIF is a JSON-based format for static analysis tool output. It standardizes how tools report findings so platforms can consume results from multiple tools in a unified dashboard.
- Specification: OASIS SARIF v2.1.0
- Primary use case: Uploading to GitHub Security Alerts (Code scanning)
From the Results Panel:

- Run a scan (file or workspace)
- Open the Results Panel
- Click Export SARIF in the panel header
- Choose a save location
- The `.sarif` file is saved

From the Command Palette:

- Press Ctrl+Shift+P
- Run "Caspian Security: Export Results to SARIF"
- Choose a save location
The exported file follows this structure:

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Caspian Security",
          "version": "7.0.0",
          "informationUri": "https://marketplace.visualstudio.com/items?itemName=CaspianTools.caspian-security",
          "rules": [
            {
              "id": "XSS001",
              "shortDescription": { "text": "Use of innerHTML can lead to XSS" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "XSS001",
          "ruleIndex": 0,
          "level": "error",
          "message": { "text": "Use of innerHTML can lead to XSS" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "src/app.ts" },
                "region": {
                  "startLine": 42,
                  "startColumn": 5
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

Caspian severities map to the SARIF `level` field as follows:

| Caspian Severity | SARIF Level |
|---|---|
| Error | error |
| Warning | warning |
| Info | note |
Each export contains:

- Tool metadata -- name, version, Marketplace URL
- Rule definitions -- unique rules with IDs and descriptions; each result's `ruleIndex` points into this array
- Results -- each issue with rule ID, severity, message, and physical source location
- Source locations -- file path (relative URI), 1-based line number, column
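A pre-upload sanity check, as an added example that is not part of the Caspian Security extension: it reads an exported file, verifies the fields GitHub Code Scanning relies on (version, driver name, rule references, `level` values, repo-relative URIs, 1-based lines) and counts findings per rule so a CI job can fail on error-level results. `SAMPLE_SARIF` is constructed to mirror the structure shown above (its second result, in `src/widget.ts`, is invented for the summary); the function names and the exit-code convention are this script's own.

```python
"""Pre-upload lint for a Caspian Security SARIF export.

Added example, not part of the Caspian Security extension. SAMPLE_SARIF is
constructed to mirror the structure on this page; it is not real scan output.
"""
import json
import sys
from collections import Counter

SARIF_LEVELS = {"error", "warning", "note", "none"}
CASPIAN_TO_SARIF = {"Error": "error", "Warning": "warning", "Info": "note"}  # mapping from this page

SAMPLE_SARIF = {
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Caspian Security", "version": "7.0.0",
            "rules": [{"id": "XSS001",
                       "shortDescription": {"text": "Use of innerHTML can lead to XSS"}}]}},
        "results": [
            {"ruleId": "XSS001", "ruleIndex": 0, "level": "error",
             "message": {"text": "Use of innerHTML can lead to XSS"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.ts"},
                 "region": {"startLine": 42, "startColumn": 5}}}]},
            # constructed second hit for the same rule, reported at warning level
            {"ruleId": "XSS001", "ruleIndex": 0, "level": "warning",
             "message": {"text": "Use of innerHTML can lead to XSS"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/widget.ts"},
                 "region": {"startLine": 9, "startColumn": 3}}}]}]}]}


def lint_sarif(doc: dict) -> list:
    """Return human-readable problems; an empty list means the export looks uploadable."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"version is {doc.get('version')!r}, expected '2.1.0'")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("no runs[] in document")
    for ri, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"run {ri}: tool.driver.name is required")
        rules = driver.get("rules", [])
        declared = {r.get("id") for r in rules}
        for i, res in enumerate(run.get("results", [])):
            where = f"run {ri} result {i}"
            rid = res.get("ruleId")
            if rid not in declared:
                problems.append(f"{where}: ruleId {rid!r} is not declared in driver.rules")
            idx = res.get("ruleIndex")
            if idx is not None and not (0 <= idx < len(rules) and rules[idx].get("id") == rid):
                problems.append(f"{where}: ruleIndex {idx} does not point at rule {rid!r}")
            level = res.get("level", "warning")  # SARIF's default when level is omitted
            if level not in SARIF_LEVELS:
                problems.append(f"{where}: level {level!r} is not a SARIF level")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}: message.text is required")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if not uri:
                    problems.append(f"{where}: artifactLocation.uri is missing")
                elif uri.startswith("/") or "://" in uri or "\\" in uri:
                    # absolute or file:// paths will not match files in the repository
                    problems.append(f"{where}: uri {uri!r} should be repo-relative with forward slashes")
                start = phys.get("region", {}).get("startLine", 1)
                if not isinstance(start, int) or start < 1:
                    problems.append(f"{where}: region.startLine {start!r} must be a 1-based integer")
    return problems


def summarize(doc: dict) -> Counter:
    """Count results per (ruleId, level)."""
    counts = Counter()
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            counts[(res.get("ruleId"), res.get("level", "warning"))] += 1
    return counts


def blocking_count(doc: dict) -> int:
    """Number of error-level results, the figure a CI gate would fail on."""
    return sum(n for (_, level), n in summarize(doc).items() if level == "error")


if __name__ == "__main__":
    # usage: python sarif_lint.py results.sarif   (no argument: lint the built-in sample)
    doc = SAMPLE_SARIF
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    for problem in lint_sarif(doc):
        print("PROBLEM:", problem)
    for (rule, level), n in sorted(summarize(doc).items()):
        print(f"{str(rule):<10} {level:<8} {n}")
    sys.exit(1 if lint_sarif(doc) or blocking_count(doc) else 0)
```

The URI check matters more than it looks: Code Scanning matches alerts to files by the repo-relative path, so an export taken from a workspace that uses absolute paths produces alerts that never attach to a file view.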
Upload via the GitHub web UI:

- Go to your repository on GitHub
- Navigate to Security > Code scanning
- Click Upload SARIF file
- Select the exported `.sarif` file
- Results appear in the Code scanning alerts dashboard
Upload via the REST API with the `gh` CLI. The code-scanning SARIF endpoint requires the file gzip-compressed and base64-encoded in the `sarif` field, together with the commit the results were produced from:

```sh
gh api repos/{owner}/{repo}/code-scanning/sarifs \
  -X POST \
  -f commit_sha="$(git rev-parse HEAD)" \
  -f ref=refs/heads/main \
  -f sarif="$(gzip -c results.sarif | base64 -w0)"
```

`gh api` fills in `{owner}` and `{repo}` from the current repository. The token needs write access to the repository's code scanning alerts (the `security_events` scope on a classic token). On macOS, `base64` does not take `-w0`; drop the flag.

Upload from GitHub Actions:

```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

The job needs `permissions: security-events: write` (and `contents: read` if it checks out the repository); the action compresses the file and fills in the commit and ref itself.

Other export formats:

| Format | Command | Use Case |
|---|---|---|
| JSON | Export Results to JSON | Custom integrations, dashboards, CI/CD |
| CSV | Export Results to CSV | Spreadsheets, tabular analysis, reporting |
| SARIF v2.1.0 | Export Results to SARIF | GitHub Security Alerts, standard SAST tooling |
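The REST upload above depends on the body being encoded exactly as the endpoint expects. The script below, an added example that is not part of the Caspian Security extension or of GitHub's tooling, builds that request body from an exported file and checks that it round-trips; `body.json`, the argument order and the function names are this script's own conventions, the sample SARIF bytes are constructed, and the size ceiling is the gzip-compressed upload limit GitHub documents (check the current docs before relying on it).

```python
"""Build the body for POST /repos/{owner}/{repo}/code-scanning/sarifs.

Added example, not part of the Caspian Security extension. The endpoint takes
the SARIF document gzip-compressed then base64-encoded in "sarif", plus the
commit SHA and fully-qualified ref the results describe. Send the output with:
    gh api repos/{owner}/{repo}/code-scanning/sarifs --input body.json
"""
import base64
import gzip
import json
import re
import sys

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAX_GZIP_BYTES = 10 * 1024 * 1024  # documented limit on the compressed upload; verify against current docs

# Constructed minimal document used by the self-test; not real scan output.
SAMPLE_SARIF = b'{"version": "2.1.0", "runs": []}'


def encode_sarif(sarif_bytes: bytes) -> str:
    """gzip then base64, as the API requires; refuse payloads over the size limit."""
    packed = gzip.compress(sarif_bytes)
    if len(packed) > MAX_GZIP_BYTES:
        raise ValueError(f"compressed SARIF is {len(packed)} bytes, over the {MAX_GZIP_BYTES} limit")
    return base64.b64encode(packed).decode("ascii")


def decode_sarif(field: str) -> bytes:
    """Inverse of encode_sarif; lets you inspect a body before sending it."""
    return gzip.decompress(base64.b64decode(field))


def build_upload_body(sarif_bytes: bytes, commit_sha: str, ref: str) -> dict:
    """Validate the inputs the API rejects most often, then assemble the JSON body."""
    if not SHA_RE.match(commit_sha):
        raise ValueError(f"commit_sha must be the full 40-hex SHA, got {commit_sha!r}")
    if not ref.startswith("refs/"):
        raise ValueError(f"ref must be fully qualified, e.g. refs/heads/main, got {ref!r}")
    doc = json.loads(sarif_bytes)  # fail early on a file that is not JSON at all
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got version {doc.get('version')!r}")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif_bytes)}


if __name__ == "__main__":
    # usage: python build_body.py results.sarif "$(git rev-parse HEAD)" refs/heads/main > body.json
    path, sha, ref = sys.argv[1:4]
    with open(path, "rb") as fh:
        body = build_upload_body(fh.read(), sha, ref)
    json.dump(body, sys.stdout)
```

Using `--input body.json` instead of `-f sarif="$(...)"` keeps a multi-megabyte base64 string out of the shell's argument list, which has a platform-dependent length limit.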
- Getting Started -- run your first scan to generate results
- Rule Reference -- understand which rules appear in SARIF output