Static Analysis SARIF Results for Code Agents

Status: public · Confidence: medium (0.865) · Basis: verified_sources

## TL;DR

SARIF files give code agents a structured way to consume static-analysis findings with rules, locations, severities, and fix context.

## Core Explanation

Static-analysis results are more useful when agents can parse them as data instead of scraping console text. SARIF records findings, rule metadata, source locations, fingerprints, proposed fixes, and tool and invocation metadata in a portable JSON format that is independent of the analyzer that produced it.

Agents should preserve what a result carries: its rule ID and the rule's description, the artifact URI and region, the level (`error`, `warning`, `note`, or `none`, falling back to the rule's default configuration when the result omits it), any tool-specific severity such as GitHub's `security-severity` rule property, the fingerprints used to match the same finding across runs, the baseline state (`new`, `unchanged`, `updated`, `absent`), and any suppressions with their status and justification. Dropping any of these loses information an agent needs to deduplicate, prioritize, or know that a finding has already been reviewed. A SARIF result is evidence that needs review, not proof that the code is vulnerable or that an attached fix is safe to apply.
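The following is an added example, not code from the page or from any of the cited projects: a small Python loader that flattens SARIF 2.1.0 results into records an agent can act on, keeping the fields listed above and resolving level the way the specification describes (result, then rule default, then `warning`). The embedded SARIF document, the tool name `ExampleAnalyzer`, and rules `EX001`/`EX002` are constructed for this example and do not correspond to a real analyzer.

```python
"""Flatten SARIF 2.1.0 results into agent-friendly records (added example)."""
import json

# Constructed sample: a new finding with a proposed fix, a suppressed finding,
# and a finding that is absent relative to the baseline run.
SARIF_SAMPLE = r'''{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "ExampleAnalyzer", "rules": [
      {"id": "EX001", "shortDescription": {"text": "Shell command built from untrusted input"},
       "defaultConfiguration": {"level": "error"}, "properties": {"security-severity": "8.8"}},
      {"id": "EX002", "shortDescription": {"text": "Unused import"},
       "defaultConfiguration": {"level": "note"}}]}},
    "results": [
      {"ruleId": "EX001", "ruleIndex": 0,
       "message": {"text": "subprocess call uses shell=True with a formatted string"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
         "region": {"startLine": 12, "startColumn": 5, "endLine": 12, "endColumn": 52}}}],
       "partialFingerprints": {"primaryLocationLineHash": "9f2c1b0e1a7d4c3b:1"},
       "baselineState": "new",
       "fixes": [{"description": {"text": "Pass an argument list and drop shell=True"},
         "artifactChanges": [{"artifactLocation": {"uri": "src/app.py"},
           "replacements": [{"deletedRegion": {"startLine": 12, "startColumn": 5, "endLine": 12, "endColumn": 52},
             "insertedContent": {"text": "subprocess.run([\"ls\", path], check=True)"}}]}]}]},
      {"ruleId": "EX002", "ruleIndex": 1, "level": "note",
       "message": {"text": "'os' imported but unused"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
         "region": {"startLine": 3}}}],
       "partialFingerprints": {"primaryLocationLineHash": "4a1e77c0d2b9f8e6:1"},
       "baselineState": "unchanged",
       "suppressions": [{"kind": "inSource", "justification": "os is used under TYPE_CHECKING"}]},
      {"ruleId": "EX001", "ruleIndex": 0,
       "message": {"text": "subprocess call uses shell=True"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/legacy.py"},
         "region": {"startLine": 40}}}],
       "partialFingerprints": {"primaryLocationLineHash": "c0ffee0123456789:1"},
       "baselineState": "absent"}]}]}'''


def _rule_for(run, result):
    """Resolve the rule object via ruleIndex, then by ruleId (driver rules only; extensions are not searched)."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def _level_for(result, rule):
    """Spec precedence: non-'fail' kinds have level 'none'; else result.level, rule default, then 'warning'."""
    if result.get("kind", "fail") != "fail":
        return "none"
    return result.get("level") or rule.get("defaultConfiguration", {}).get("level") or "warning"


def _is_suppressed(result):
    """A suppression is effective when its status is 'accepted'; a missing status means accepted."""
    return any(s.get("status", "accepted") == "accepted" for s in result.get("suppressions", []))


def _fixes_for(result):
    """Surface proposed replacements as data; the agent reviews them, it does not auto-apply them."""
    out = []
    for fix in result.get("fixes", []):
        for change in fix.get("artifactChanges", []):
            for rep in change.get("replacements", []):
                out.append({"uri": change.get("artifactLocation", {}).get("uri"),
                            "deleted": rep.get("deletedRegion", {}),
                            "inserted": rep.get("insertedContent", {}).get("text", "")})
    return out


def load_findings(sarif_text):
    """Flatten every result in every run, preserving rule, location, level, fingerprints, baseline and suppressions."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            rule = _rule_for(run, res)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule_id": res.get("ruleId") or rule.get("id"),
                "rule_summary": rule.get("shortDescription", {}).get("text", ""),
                "security_severity": rule.get("properties", {}).get("security-severity"),
                "level": _level_for(res, rule),
                "message": res.get("message", {}).get("text", ""),
                "uri": loc.get("artifactLocation", {}).get("uri"),
                "region": loc.get("region", {}),
                "fingerprints": res.get("partialFingerprints", res.get("fingerprints", {})),
                "baseline_state": res.get("baselineState"),
                "suppressed": _is_suppressed(res),
                "fixes": _fixes_for(res),
            })
    return findings


def actionable(findings):
    """Keep unsuppressed, live results; 'absent' means the finding no longer exists in this run."""
    return [f for f in findings if not f["suppressed"] and f["baseline_state"] != "absent"]


if __name__ == "__main__":
    for f in actionable(load_findings(SARIF_SAMPLE)):
        print(f"{f['level']:8} {f['rule_id']} {f['uri']}:{f['region'].get('startLine')} "
              f"sev={f['security_severity']} fixes={len(f['fixes'])} :: {f['message']}")
```

Run on the embedded sample, only the `EX001` finding in `src/app.py` survives `actionable`: the `EX002` result is filtered by its in-source suppression and the `src/legacy.py` result by its `absent` baseline state. The proposed replacement is carried along as data so the agent can show it to a reviewer rather than patch the file on the tool's word alone.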

## Source-Mapped Facts

- The SARIF 2.1.0 specification defines a format for the output of static analysis tools. ([source](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html))
- GitHub documentation describes uploading SARIF files to show code scanning alerts. ([source](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github))
- GitHub CodeQL documentation describes SARIF output produced by the CodeQL CLI. ([source](https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/sarif-output))

## Further Reading

- [SARIF 2.1.0 Specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)
- [GitHub Uploading SARIF Files](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)
- [CodeQL CLI SARIF Output](https://docs.github.com/en/code-security/reference/code-scanning/codeql/codeql-cli/sarif-output)