What is the primary purpose of SARIF in GitHub's security workflow?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is the primary purpose of SARIF in GitHub's security workflow?

Explanation:
SARIF, short for Static Analysis Results Interoperability Format, provides a single, well-defined schema that static analysis tools can emit to report their findings. In GitHub's security workflow, its main purpose is to standardize those results so that GitHub can ingest them from many different scanners and present them in one unified, actionable view. That consistency lets GitHub surface code scanning alerts, annotate pull requests, and correlate results across tools without custom-parsing each tool's output. It also preserves meaningful metadata such as the tool name, rule ID, message, severity, and exact code locations, so GitHub can understand and display each finding. SARIF is specifically about static analysis results; it is not a mechanism for storing code versions, controlling access to repositories, or formatting general logs for auditing.

