Which format enables code scanning alerts from third-party tools in the repository?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

Which format enables code scanning alerts from third-party tools in the repository?

Explanation:
Interoperability of static analysis results hinges on a common, standardized format. SARIF, the Static Analysis Results Interoperability Format, is built exactly for this purpose. It records findings from diverse analyzers in a consistent structure, including where in the code the issue is, the severity, a rule identifier, and a message. When a third-party tool outputs a SARIF file, GitHub can ingest it to surface those alerts in the repository’s code scanning view, aligning them with the right files and lines so teams can triage and fix them alongside native results. This capability to share results across tools is what makes SARIF the right choice for enabling code scanning alerts from external scanners. By comparison, a CodeQL Database is designed for CodeQL queries, not for importing external alerts in a standardized way; Autobuild logs are just build outputs without a security alert format, and Public Repositories Index isn’t a format used to report or import code scanning findings.
