SARIF Output

CVE Lite CLI can write scan results as a SARIF 2.1.0 file — a standard format supported by GitHub Code Scanning, VS Code, Azure DevOps, and other security tooling.

Generating SARIF output

cve-lite . --sarif

This writes a timestamped file (cve-lite-scan-<timestamp>.sarif) to the current directory and prints its path. The normal terminal output is still printed alongside it.

Combining with --json

--sarif and --json can be used together. Both files are written in one scan:

cve-lite . --sarif --json

--sarif can also be combined with --report --no-open to write both a SARIF file and an HTML report in one scan. This is useful for CI pipelines that upload the SARIF file to GitHub Code Scanning and attach the HTML report as an artifact for human review.

GitHub Code Scanning integration

Upload the SARIF file to GitHub's Security tab using the official action:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required for upload-sarif
      contents: read           # actions/checkout needs this once a permissions block is declared
    steps:
      - uses: actions/checkout@v4

      - name: Scan dependencies
        run: cve-lite . --sarif

      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: ${{ github.workspace }}   # a directory: every .sarif file in it is uploaded

Findings appear in the Security → Code scanning tab and as PR annotations.

tip

security-events: write is a GitHub platform requirement for any workflow that uploads to Code Scanning. It must be declared in the job's (or workflow's) permissions block, not inside the action. Once a permissions block is declared, every scope not listed in it drops to none, so keep contents: read there as well or actions/checkout will fail on private repositories.

Use if: always() on the upload step so findings are uploaded even when --fail-on causes a non-zero exit.

What the SARIF file contains

Each CVE found produces one SARIF result. A package with multiple CVEs produces one result per CVE, allowing per-CVE review and dismissal in GitHub Code Scanning.

| SARIF field | Value |
|---|---|
| ruleId | CVE ID (e.g. CVE-2021-44228) |
| level | error (critical/high), warning (medium), note (low/unknown) |
| message | Package, version, severity, and recommended action |
| locations | Lockfile path relative to repo root |
| fixes | Exact install command when one is available |
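The following script is an added example and is not part of CVE Lite CLI. It reads a SARIF 2.1.0 file of the shape described in the table above, validates the version and result levels, and summarises findings per level and per lockfile, which is the check a reviewer wants before the file is uploaded to Code Scanning. The SARIF document it builds is constructed by hand to follow the documented field mapping: CVE-0000-0001 through CVE-0000-0003 are placeholder IDs rather than real CVEs, and the package names, versions, lockfile paths and fix commands are illustrative assumptions. The exceeds() gate is a post-processing check on the file and is independent of the CLI's own --fail-on flag.

```python
"""Added example, not code from CVE Lite CLI: parse and summarise a SARIF
2.1.0 file shaped like `cve-lite --sarif` output. The document returned by
constructed_sarif() is hand-built; CVE-0000-0001..0003 are placeholder IDs,
not real CVEs, and the packages, versions and fix commands are illustrative."""
import json
from collections import Counter

# SARIF 2.1.0 result levels, least to most serious.
LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

# The severity -> level mapping documented for cve-lite's SARIF output.
SEVERITY_TO_LEVEL = {
    "critical": "error", "high": "error",
    "medium": "warning",
    "low": "note", "unknown": "note",
}


def expected_level(severity: str) -> str:
    """Map a cve-lite severity string to the SARIF level the docs specify."""
    return SEVERITY_TO_LEVEL[severity.lower()]


def constructed_sarif() -> str:
    """Return a hand-built SARIF document in the documented shape (assumption)."""
    def result(cve, severity, text, lockfile, fix=None):
        r = {
            "ruleId": cve,                      # one result per CVE
            "level": expected_level(severity),
            "message": {"text": text},          # package, version, severity, action
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": lockfile}}}],  # repo-relative path
        }
        if fix:  # `fixes` only appears when an install command is available
            r["fixes"] = [{"description": {"text": fix}}]
        return r

    doc = {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "cve-lite"}},
            "results": [
                result("CVE-2021-44228", "critical",
                       "log4j-core 2.14.1 (critical): upgrade to a fixed release",
                       "pom.xml"),
                # Two placeholder CVEs on the same package -> two results.
                result("CVE-0000-0001", "high",
                       "example-lib 1.0.0 (high): upgrade", "package-lock.json",
                       "npm install example-lib@2.0.0"),
                result("CVE-0000-0002", "medium",
                       "example-lib 1.0.0 (medium): upgrade", "package-lock.json",
                       "npm install example-lib@2.0.0"),
                result("CVE-0000-0003", "low",
                       "other-lib 3.1.0 (low): no fix available yet",
                       "package-lock.json"),
            ],
        }],
    }
    return json.dumps(doc)


def load_results(sarif_text: str) -> list:
    """Parse a SARIF document, check its version and levels, and flatten runs."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"expected SARIF 2.1.0, got {doc.get('version')!r}")
    results = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            level = r.get("level", "warning")  # SARIF default when level is absent
            if level not in LEVEL_ORDER:
                raise ValueError(f"{r.get('ruleId')}: unknown level {level!r}")
            results.append(r)
    return results


def lockfile_of(r: dict) -> str:
    locs = r.get("locations") or []
    if not locs:
        return "<no location>"
    return locs[0]["physicalLocation"]["artifactLocation"]["uri"]


def summarize(results: list) -> dict:
    """Counts per level and per lockfile, plus the fix command per CVE."""
    return {
        "cves": sorted(r["ruleId"] for r in results),
        "by_level": Counter(r.get("level", "warning") for r in results),
        "by_lockfile": Counter(lockfile_of(r) for r in results),
        "fixes": {r["ruleId"]: r["fixes"][0]["description"]["text"]
                  for r in results if r.get("fixes")},
    }


def worst_level(results: list) -> str:
    if not results:
        return "none"
    return max((r.get("level", "warning") for r in results),
               key=LEVEL_ORDER.__getitem__)


def exceeds(results: list, threshold: str) -> bool:
    """True if any result is at or above `threshold` (a SARIF level)."""
    return LEVEL_ORDER[worst_level(results)] >= LEVEL_ORDER[threshold]


if __name__ == "__main__":
    found = load_results(constructed_sarif())
    print(json.dumps(summarize(found), indent=2))
    print("worst level:", worst_level(found))
```

To run it against a real scan, replace constructed_sarif() with the contents of the cve-lite-scan-<timestamp>.sarif file the CLI wrote; the loader rejects anything that is not SARIF 2.1.0 or that carries a level outside the SARIF vocabulary.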

--fail-on and exit codes

--sarif does not affect exit codes. The --fail-on flag alone controls when the process exits with code 1, whether or not a SARIF file is written.