What are SARIF files used for in this context?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What are SARIF files used for in this context?

Explanation:
SARIF stands for Static Analysis Results Interchange Format, an OASIS standard JSON format for representing the output of static analysis tools. In this context, SARIF files carry code scanning alerts produced by third‑party tools in a single, portable format that GitHub can ingest: GitHub accepts SARIF 2.1.0 logs uploaded either with the upload-sarif GitHub Action or through the code scanning REST API. By exporting SARIF from scanners such as Semgrep, ESLint, or Bandit and uploading it to the repository, GitHub parses the results and surfaces them as alerts in the Code Scanning results and the Security tab, with the rule ID, message, severity, and the exact file and line location of each finding. Because one SARIF log can hold several runs, one per tool, findings from multiple scanners can be brought together and triaged in one place instead of gluing together each tool's native output format. The other answer choices do not capture this interchangeable, tool‑agnostic purpose of SARIF.
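The following is an added example, not part of the original quiz page or of any scanner's own code. It builds a SARIF 2.1.0 log from constructed findings (the rule IDs, messages, file paths and tool versions are made up for illustration), merges runs from two tools into one log, checks the properties GitHub's ingestion needs to place an alert (version, driver name, message text, a file location), flattens the alerts the way the Security tab shows them, and gzip/base64-encodes the log the way the REST upload endpoint expects. The GitHub-specific `security-severity` rule property, `%SRCROOT%` base id, and the `POST /repos/{owner}/{repo}/code-scanning/sarifs` endpoint are documented GitHub conventions; everything else is this example's own design.

```python
"""Build, merge, check and package SARIF 2.1.0 logs for GitHub code scanning."""
import base64
import gzip
import json

SARIF_VERSION = "2.1.0"  # the only version GitHub code scanning accepts
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings, NOT real scanner output.
# (rule_id, level, message, file, line, security-severity as a CVSS-like string)
SEMGREP_FINDINGS = [
    ("example.python.eval-detected", "error",
     "Use of eval() on untrusted input", "app/handlers.py", 42, "8.8"),
    ("example.python.debug-enabled", "warning",
     "Flask app started with debug=True", "app/__init__.py", 18, "5.3"),
]
BANDIT_FINDINGS = [
    ("example.B303", "warning",
     "Use of insecure MD5 hash function", "app/auth.py", 77, "5.9"),
]


def build_sarif(tool_name, tool_version, findings):
    """Return a SARIF log with a single run for `tool_name`.

    Rules are declared once under tool.driver.rules and referenced by ruleId
    from each result. `security-severity` is the GitHub rule property used to
    bucket alerts into critical/high/medium/low in the Security tab.
    """
    rules, results = {}, []
    for rule_id, level, message, uri, line, sec_sev in findings:
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": message},
            "defaultConfiguration": {"level": level},
            "properties": {"security-severity": sec_sev},
        })
        results.append({
            "ruleId": rule_id,
            "level": level,                      # error | warning | note
            "message": {"text": message},
            "locations": [{"physicalLocation": {
                # uri is relative to the repo root so GitHub can map the alert to a file
                "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line},
            }}],
        })
    return {"$schema": SARIF_SCHEMA, "version": SARIF_VERSION, "runs": [{
        "tool": {"driver": {"name": tool_name, "version": tool_version,
                            "rules": list(rules.values())}},
        "results": results,
    }]}


def merge_sarif(*logs):
    """One log may carry many runs (one per tool), so several scanners' findings
    can travel as a single upload instead of one file per tool."""
    return {"$schema": SARIF_SCHEMA, "version": SARIF_VERSION,
            "runs": [run for log in logs for run in log["runs"]]}


def check_sarif(log):
    """Return problems that would make GitHub reject the log or be unable to
    place an alert: wrong version, nameless driver, empty message, no file URI."""
    problems = []
    if log.get("version") != SARIF_VERSION:
        problems.append(f"version must be {SARIF_VERSION}")
    for i, run in enumerate(log.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"run {i}: tool.driver.name missing")
        for j, res in enumerate(run.get("results", [])):
            if not res.get("message", {}).get("text"):
                problems.append(f"run {i} result {j}: message.text missing")
            if not any(loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                       for loc in res.get("locations") or []):
                problems.append(f"run {i} result {j}: no physicalLocation.artifactLocation.uri")
    return problems


def alerts(log):
    """Flatten a log into the per-alert fields shown in the Security tab."""
    out = []
    for run in log["runs"]:
        driver = run["tool"]["driver"]
        sev = {r["id"]: r.get("properties", {}).get("security-severity")
               for r in driver.get("rules", [])}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            out.append({"tool": driver["name"], "rule": res.get("ruleId"),
                        "level": res.get("level"),
                        "security_severity": sev.get(res.get("ruleId")),
                        "message": res["message"]["text"],
                        "file": loc["artifactLocation"]["uri"],
                        "line": loc.get("region", {}).get("startLine")})
    return out


def encode_for_rest_upload(log):
    """POST /repos/{owner}/{repo}/code-scanning/sarifs takes the log
    gzip-compressed and base64-encoded in its `sarif` field."""
    return base64.b64encode(gzip.compress(json.dumps(log).encode())).decode()


def decode_rest_upload(payload):
    """Inverse of encode_for_rest_upload, useful for checking a payload before sending."""
    return json.loads(gzip.decompress(base64.b64decode(payload)))


if __name__ == "__main__":
    combined = merge_sarif(build_sarif("semgrep", "1.0.0", SEMGREP_FINDINGS),
                           build_sarif("bandit", "1.7.0", BANDIT_FINDINGS))
    assert check_sarif(combined) == []
    for a in alerts(combined):
        print(f"{a['tool']:8} {a['level']:8} {a['rule']:32} {a['file']}:{a['line']}")
    print(json.dumps(combined, indent=2))  # redirect to combined.sarif for upload-sarif
```

In a workflow the printed log would be written to a file and passed to the `upload-sarif` action through its `sarif_file` input; with the REST API the string from `encode_for_rest_upload` goes in the `sarif` field along with `commit_sha` and `ref`.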

