What is a SARIF file, and how is it used in GitHub's security workflow?

SARIF stands for Static Analysis Results Interoperability Format. It’s a standard, machine-readable way to represent the findings produced by static analysis tools, so different scanners can share results in a consistent structure. In GitHub’s security workflow, scanners and analysis tools can emit SARIF output, and GitHub ingests that file to render security alerts and pull request findings. This means you can run various analyzers across your codebase, produce SARIF reports, upload them in your workflow, and GitHub will display the issues in the Security tab and annotate PR changes with code-scanning findings. Because SARIF defines how locations, severities, rule IDs, and metadata are reported, GitHub can present a unified view of issues from multiple tools, making remediation more efficient. It’s not a secret store, a code linter, or a GitHub workflow syntax; it’s the standard format that enables seamless integration of static analysis results into GitHub’s security experience.