Glossary

Static Analysis Results Interchange Format (SARIF)

SARIF is an OASIS-standard JSON format for static-analysis results (the current version is 2.1.0). It lets any scanner report findings, each with a rule id, a message, a file and line, and a level (error, warning, or note), in a structure that IDEs, CI systems, and GitHub code scanning all understand.

Before SARIF, every analyzer emitted its own report shape, so wiring a new tool into GitHub, an IDE, or a dashboard meant writing a custom parser. SARIF standardised that: one JSON schema that describes the tool that ran, the rules it applied, each result, where in the code the result was found, and how serious it is.

The practical payoff is GitHub code scanning. Upload a SARIF file from any scanner and GitHub renders each finding inline on the pull request diff, tracks it across commits, and de-duplicates it, turning a wall of CLI output into reviewable, dismissible annotations that live next to the code. Tracking works by fingerprint rather than by line number, so a finding that shifts a few lines after an unrelated edit is recognised as the same alert instead of being re-opened as a new one, and the critical/high/medium/low rating shown in the alert list comes from the rule's security-severity property, not from the SARIF level alone.

Because the format is tool-agnostic, SARIF is also how you avoid lock-in: results from different scanners land in the same structure, so you can swap or combine tools without rebuilding your reporting layer.

How GateTest handles it

GateTest emits SARIF as one of its five reporter formats, so findings drop straight into GitHub code scanning and show up as inline pull-request annotations. The same run also produces Console, JSON, HTML, and JUnit output for other CI systems.

Frequently asked questions

What is SARIF used for?

SARIF is a standard JSON format for static-analysis findings. Its most common use is uploading scanner results to GitHub code scanning, which renders each finding as an inline annotation on the pull-request diff and tracks it across commits.

Can GitHub display GateTest results?

Yes. GateTest produces SARIF output, which GitHub code scanning ingests directly, so findings appear inline on the diff with their file, line, rule id, and severity.

See SARIF on your own repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.

Related terms