What file formats are produced by Code Scanning results, and how are they used within GitHub?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What file formats are produced by Code Scanning results, and how are they used within GitHub?

Explanation:
Code Scanning results are produced in the SARIF format, which stands for Static Analysis Results Interoperability Format. SARIF provides a standardized, machine-readable way to capture each finding: its location in the code, the rule that fired, the severity, and any helpful details or remediation guidance. GitHub is designed to ingest SARIF files so it can render these findings as security alerts that appear in the Security tab and on pull requests as code scanning results. This standardization lets different scanners integrate smoothly with GitHub and present results consistently, making triage, filtering, and remediation easier. The other options don't fit because Code Scanning doesn't stream results directly to a browser, and although SARIF is itself JSON-based, the format GitHub recognizes for integration is specifically SARIF, not generic XML or some other format.
