SARIF Reference
Nixer emits SARIF 2.1.0 — the standard used by GitHub Code Scanning, VS Code, and third-party security tools. Here's what the output looks like and how to consume it.
SARIF schema overview
A Nixer SARIF file contains one run object per scan. Each finding maps to a SARIF result with:
ruleId— Nixer rule identifier (e.g.,nixer/cicd/unpinned-action)level— SARIF severity:"error"(critical/high),"warning"(medium),"note"(low)locations[].physicalLocation— file path and line numbermessage.text— finding title and one-line descriptionproperties— Nixer-specific extensions:severity,remediation,module
Example SARIF output
nixer-results.sarif
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Nixer",
"version": "1.1.0",
"informationUri": "https://nixer.polsia.app",
"rules": [
{
"id": "nixer/cicd/unpinned-action",
"name": "UnpinnedThirdPartyGitHubAction",
"shortDescription": { "text": "Unpinned Third-Party GitHub Action" },
"helpUri": "https://nixer.polsia.app/findings/unpinned-github-action",
"defaultConfiguration": { "level": "warning" }
}
]
}
},
"results": [
{
"ruleId": "nixer/cicd/unpinned-action",
"level": "warning",
"message": {
"text": "Unpinned action tj-actions/changed-files@v35. Pin to a commit SHA to prevent silent code execution on tag update."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": { "uri": ".github/workflows/ci.yml" },
"region": { "startLine": 18, "startColumn": 1 }
}
}
],
"properties": {
"severity": "high",
"module": "cicd-pipeline-scan",
"remediation": "Pin to a full 40-char commit SHA: tj-actions/changed-files@abc123..."
}
}
]
}
]
}Severity mapping
| Nixer severity | SARIF level | GitHub Code Scanning label |
|---|---|---|
| critical | error | Error |
| high | error | Error |
| medium | warning | Warning |
| low | note" | Note |
Upload to GitHub Code Scanning
The Nixer GitHub Action handles SARIF upload automatically. For manual upload or CI systems other than GitHub Actions:
Via GitHub Actions step
.github/workflows/upload-sarif.yml
- name: Download Nixer SARIF run: | curl -s "https://nixer.polsia.app/api/scanner/scan/$SCAN_ID/sarif" \ -H "Authorization: Bearer $NIXER_API_KEY" > nixer.sarif - name: Upload SARIF to Code Scanning uses: github/codeql-action/upload-sarif@v3 with: sarif_file: nixer.sarif category: nixer-ai-security
Via GitHub REST API (curl)
shell
# Encode SARIF as base64 SARIF_B64=$(base64 -w0 nixer.sarif) # Upload via GitHub API curl -X POST \ "https://api.github.com/repos/YOUR_ORG/YOUR_REPO/code-scanning/sarifs" \ -H "Authorization: token $GITHUB_TOKEN" \ -H "Accept: application/vnd.github.v3+json" \ -d "{ \"commit_sha\": \"$GITHUB_SHA\", \"ref\": \"$GITHUB_REF\", \"sarif\": \"$SARIF_B64\", \"tool_name\": \"Nixer\" }"
Consuming SARIF in other tools
SARIF 2.1.0 is supported by:
- VS Code — SARIF Viewer extension
- Semgrep — accepts SARIF as baseline results
- SonarQube — import via generic issue format (convert with
sarif2sonar) - Defect Dojo — SARIF importer built in
- Azure DevOps — upload via PublishTestResults task