DocsSARIF
Reference

SARIF Reference

Nixer emits SARIF 2.1.0 — the standard used by GitHub Code Scanning, VS Code, and third-party security tools. Here's what the output looks like and how to consume it.

SARIF schema overview

A Nixer SARIF file contains one run object per scan. Each finding maps to a SARIF result with:

Example SARIF output

nixer-results.sarif
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Nixer",
          "version": "1.1.0",
          "informationUri": "https://nixer.polsia.app",
          "rules": [
            {
              "id": "nixer/cicd/unpinned-action",
              "name": "UnpinnedThirdPartyGitHubAction",
              "shortDescription": { "text": "Unpinned Third-Party GitHub Action" },
              "helpUri": "https://nixer.polsia.app/findings/unpinned-github-action",
              "defaultConfiguration": { "level": "warning" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "nixer/cicd/unpinned-action",
          "level": "warning",
          "message": {
            "text": "Unpinned action tj-actions/changed-files@v35. Pin to a commit SHA to prevent silent code execution on tag update."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": ".github/workflows/ci.yml" },
                "region": { "startLine": 18, "startColumn": 1 }
              }
            }
          ],
          "properties": {
            "severity": "high",
            "module": "cicd-pipeline-scan",
            "remediation": "Pin to a full 40-char commit SHA: tj-actions/changed-files@abc123..."
          }
        }
      ]
    }
  ]
}

Severity mapping

Nixer severitySARIF levelGitHub Code Scanning label
criticalerrorError
higherrorError
mediumwarningWarning
lownote"Note

Upload to GitHub Code Scanning

The Nixer GitHub Action handles SARIF upload automatically. For manual upload or CI systems other than GitHub Actions:

Via GitHub Actions step

.github/workflows/upload-sarif.yml
- name: Download Nixer SARIF
  run: |
    curl -s "https://nixer.polsia.app/api/scanner/scan/$SCAN_ID/sarif" \
      -H "Authorization: Bearer $NIXER_API_KEY" > nixer.sarif

- name: Upload SARIF to Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: nixer.sarif
    category: nixer-ai-security

Via GitHub REST API (curl)

shell
# Encode SARIF as base64
SARIF_B64=$(base64 -w0 nixer.sarif)

# Upload via GitHub API
curl -X POST \
  "https://api.github.com/repos/YOUR_ORG/YOUR_REPO/code-scanning/sarifs" \
  -H "Authorization: token $GITHUB_TOKEN" \
  -H "Accept: application/vnd.github.v3+json" \
  -d "{
    \"commit_sha\": \"$GITHUB_SHA\",
    \"ref\": \"$GITHUB_REF\",
    \"sarif\": \"$SARIF_B64\",
    \"tool_name\": \"Nixer\"
  }"

Consuming SARIF in other tools

SARIF 2.1.0 is supported by:

Edit this page on GitHub