
SARIF Output Reference

GitHub, VS Code, and every major SAST dashboard speak SARIF. Firmis outputs SARIF 2.1.0 natively — so your findings land directly in the GitHub Security tab, the VS Code Problems panel, and any CI security dashboard your team uses.

SARIF (Static Analysis Results Interchange Format) is an OASIS open standard (OASIS SARIF 2.1.0) for representing static analysis results as structured JSON. It defines a common schema so that any tool can produce results that any viewer can consume.

Key benefits of SARIF output:

| Benefit | Description |
|---|---|
| GitHub Security tab | Upload via `github/codeql-action/upload-sarif` — findings appear as code scanning alerts |
| PR annotations | GitHub annotates pull request diffs with finding locations and messages |
| VS Code viewer | The SARIF Viewer extension (Microsoft) renders findings in the Problems panel |
| CI dashboards | Tools like Semgrep App, SonarQube, and Snyk Code accept SARIF imports |
| Historical tracking | Compare SARIF files across runs to track remediation progress |

Terminal

```shell
# Print SARIF to stdout
npx firmis scan --sarif
# Save SARIF to a file
npx firmis scan --sarif --output results.sarif
# Scan only MCP servers, output SARIF
npx firmis scan --platform mcp --sarif --output mcp-results.sarif
# Full CI pipeline with SARIF output
npx firmis ci --fail-on high --format sarif --output results.sarif
```

How Firmis finding fields map to SARIF 2.1.0 fields:

| Firmis Field | SARIF Field | Notes |
|---|---|---|
| `threat.ruleId` | `result.ruleId` | e.g., `tp-001`, `sd-045` |
| `threat.message` | `result.message.text` | Human-readable finding description |
| `threat.severity` | `result.level` | See severity mapping table below |
| `threat.location.file` | `result.locations[].physicalLocation.artifactLocation.uri` | Relative path from scan root |
| `threat.location.line` | `result.locations[].physicalLocation.region.startLine` | 1-indexed line number |
| `threat.location.column` | `result.locations[].physicalLocation.region.startColumn` | 1-indexed column number |
| `threat.evidence[].snippet` | `result.locations[].physicalLocation.region.snippet.text` | Code snippet at finding location |
| `threat.remediation` | `result.fixes[]` or `result.message` | Remediation guidance when available |
| `rule.name` | `run.tool.driver.rules[].name` | Human-readable rule name |
| `rule.description` | `run.tool.driver.rules[].fullDescription.text` | Full rule description |
| `rule.severity` | `run.tool.driver.rules[].defaultConfiguration.level` | Rule's default severity level |

SARIF uses a different severity vocabulary than Firmis:

| Firmis Severity | SARIF Level |
|---|---|
| critical | error |
| high | error |
| medium | warning |
| low | note |
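The two tables above are enough to write a converter, which is the quickest way to see how the pieces fit. The script below is an added example, not Firmis's own code: it takes findings in an assumed shape modelled on the `threat.*` and `rule.*` fields of the mapping table (the two sample findings are constructed) and emits a SARIF 2.1.0 log with the rule metadata under `run.tool.driver.rules` and each finding under `results`. Optional fields (column, snippet) are omitted when absent rather than written as nulls, and an unknown severity raises instead of being silently downgraded.

```python
"""Build a SARIF 2.1.0 document from Firmis-style findings.

Added example, not Firmis's own code. The input shape (threat.* and rule.*
fields) is an assumption modelled on the field-mapping table; the two
sample findings below are constructed.
"""
import json

SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")

# Firmis severity -> SARIF result.level (the severity mapping table)
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}

# Constructed sample input, keyed by rule id (assumed shape)
SAMPLE_RULES = {
    "tp-001": {"name": "HiddenInstructionsInToolDescriptions",
               "description": "Detects invisible Unicode characters and HTML "
                              "comments used to hide malicious instructions.",
               "severity": "critical"},
    "sd-045": {"name": "OpenAIApiKeyDetected",
               "description": "A hardcoded OpenAI API key was found.",
               "severity": "high"},
}
SAMPLE_THREATS = [
    {"ruleId": "tp-001", "severity": "critical",
     "message": "Hidden instructions in tool description: zero-width space (U+200B) detected.",
     "location": {"file": "src/tools/search.ts", "line": 14, "column": 18},
     "evidence": [{"snippet": 'description: "Search the web\u200b and return results"'}]},
    {"ruleId": "sd-045", "severity": "high",
     "message": "Hardcoded OpenAI API key detected.",
     "location": {"file": "config/llm.ts", "line": 12},   # no column, no snippet
     "remediation": "Rotate this key and store it in an environment variable."},
]


def to_level(severity):
    """Map a Firmis severity to a SARIF level; fail loudly on unknown input
    rather than silently downgrading it."""
    try:
        return SEVERITY_TO_LEVEL[severity]
    except KeyError:
        raise ValueError(f"unknown Firmis severity: {severity!r}") from None


def rule_to_sarif(rule_id, rule):
    """rule.* -> run.tool.driver.rules[] entry."""
    return {
        "id": rule_id,
        "name": rule["name"],
        "shortDescription": {"text": rule["name"]},
        "fullDescription": {"text": rule["description"]},
        "defaultConfiguration": {"level": to_level(rule["severity"])},
    }


def threat_to_result(threat):
    """threat.* -> result object, omitting optional fields that are absent."""
    loc = threat["location"]
    region = {"startLine": loc["line"]}            # 1-indexed, as in Firmis
    if "column" in loc:
        region["startColumn"] = loc["column"]
    if threat.get("evidence"):
        region["snippet"] = {"text": threat["evidence"][0]["snippet"]}
    text = threat["message"]
    # A SARIF fix object needs concrete artifactChanges; free-text guidance
    # has none, so it is appended to message.text instead.
    if threat.get("remediation"):
        text = f"{text} {threat['remediation']}"
    return {
        "ruleId": threat["ruleId"],
        "level": to_level(threat["severity"]),
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": loc["file"], "uriBaseId": "%SRCROOT%"},
            "region": region}}],
    }


def build_sarif(rules, threats, tool_version="1.3.0"):
    """Assemble the single-run SARIF log."""
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "Firmis", "version": tool_version,
                "informationUri": "https://firmislabs.com",
                "rules": [rule_to_sarif(rid, r) for rid, r in rules.items()]}},
            "results": [threat_to_result(t) for t in threats],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_sarif(SAMPLE_RULES, SAMPLE_THREATS), indent=2))
```

Running the script prints a log with the same structure as the `results.sarif` sample below; the only design point worth noting is that remediation text lands in `message.text`, since a SARIF `fix` object is meant for concrete artifact changes rather than guidance.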

results.sarif

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Firmis",
          "version": "1.3.0",
          "informationUri": "https://firmislabs.com",
          "rules": [
            {
              "id": "tp-001",
              "name": "HiddenInstructionsInToolDescriptions",
              "shortDescription": {
                "text": "Hidden Instructions in Tool Descriptions"
              },
              "fullDescription": {
                "text": "Detects invisible Unicode characters and HTML comments used to hide malicious instructions inside tool or function descriptions."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://docs.firmislabs.com/reference/threat-categories#tool-poisoning"
            },
            {
              "id": "sd-045",
              "name": "OpenAIApiKeyDetected",
              "shortDescription": {
                "text": "OpenAI API Key Detected"
              },
              "fullDescription": {
                "text": "A hardcoded OpenAI API key was found in the source file."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://docs.firmislabs.com/reference/threat-categories#secret-detection"
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "tp-001",
          "level": "error",
          "message": {
            "text": "Hidden instructions in tool description: zero-width space (U+200B) detected."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/tools/search.ts",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 14,
                  "startColumn": 18,
                  "snippet": {
                    "text": "description: \"Search the web\u200B and return results\""
                  }
                }
              }
            }
          ]
        },
        {
          "ruleId": "sd-045",
          "level": "error",
          "message": {
            "text": "Hardcoded OpenAI API key detected. Rotate this key immediately and store it in an environment variable."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "config/llm.ts",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 12,
                  "startColumn": 15
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

GitHub’s code scanning feature accepts SARIF files uploaded via the upload-sarif action.

.github/workflows/firmis.yml

```yaml
name: Firmis Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload code scanning results
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Run Firmis scan
        run: npx firmis scan --sarif --output results.sarif
        # keep the job going on findings so the upload step still runs
        continue-on-error: true
      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

After uploading, findings appear at Security → Code scanning alerts in your GitHub repository. Pull request diffs are annotated with inline finding markers at the relevant line numbers.


Install the SARIF Viewer extension from Microsoft. Open any .sarif file in VS Code to browse findings in the Problems panel with source location highlighting.

Microsoft maintains a browser-based viewer at microsoft.github.io/sarif-web-component. Upload your .sarif file to inspect results without installing anything.


The firmis ci command generates SARIF as part of the full discover → BOM → scan → report pipeline:

Terminal

```shell
npx firmis ci --fail-on high --format sarif --output results.sarif
```

This produces results.sarif alongside agent-bom.json. Both can be archived as CI artifacts:

.github/workflows/firmis-ci.yml (excerpt)

```yaml
- name: Run Firmis CI pipeline
  run: npx firmis ci --fail-on high --format sarif --output results.sarif
  # --fail-on makes this step exit non-zero when findings reach the threshold;
  # the upload and archive steps below need continue-on-error: true or
  # if: always() to run in that case
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
- name: Archive Agent BOM
  uses: actions/upload-artifact@v4
  with:
    name: agent-bom
    path: agent-bom.json
```
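Archiving `results.sarif` from each run is what makes the "historical tracking" benefit listed at the top of this page possible, and the `--fail-on` threshold is a policy you may want to re-apply on an archived file outside the CI job. The script below is an added example, not Firmis's own code: it matches results between two SARIF logs by rule id, file and line, buckets them as fixed, new or persisting, and decides pass/fail from the worst SARIF level present. It assumes Firmis's output has the shape of the `results.sarif` sample above (one `physicalLocation` per result); both runs are constructed inline, and `example-000` is a placeholder rule id, not a Firmis rule.

```python
"""Compare Firmis SARIF output across two runs and gate on level.

Added example, not Firmis's own code. It assumes Firmis's SARIF looks like
the results.sarif sample on this page (ruleId, level, one physicalLocation
per result); the two runs below are constructed inline and "example-000"
is a placeholder rule id.
"""
import json
import sys

# SARIF levels in increasing order of seriousness ("none" never gates)
LEVEL_RANK = {"none": -1, "note": 0, "warning": 1, "error": 2}


def _result(rule_id, level, uri, line):
    """Minimal SARIF result in the shape Firmis emits (constructed)."""
    return {"ruleId": rule_id, "level": level, "message": {"text": rule_id},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line}}}]}


# Constructed runs: the key was removed from config/llm.ts, the hidden
# instruction is still there, and a new warning-level finding appeared.
PREVIOUS_RUN = {"version": "2.1.0", "runs": [{"results": [
    _result("tp-001", "error", "src/tools/search.ts", 14),
    _result("sd-045", "error", "config/llm.ts", 12)]}]}
CURRENT_RUN = {"version": "2.1.0", "runs": [{"results": [
    _result("tp-001", "error", "src/tools/search.ts", 14),
    _result("example-000", "warning", "src/agent.ts", 40)]}]}


def results_of(sarif):
    """Flatten results across all runs in a SARIF log."""
    return [r for run in sarif.get("runs", []) for r in run.get("results", [])]


def fingerprint(result):
    """Identity used to match a result between runs: rule + file + line.
    Line numbers shift when code moves, so this is an approximation; SARIF's
    partialFingerprints is the proper mechanism when a producer emits it."""
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"],
            loc["region"].get("startLine", 0))


def compare_runs(previous, current):
    """Classify every finding as fixed, new or persisting."""
    prev = {fingerprint(r) for r in results_of(previous)}
    curr = {fingerprint(r) for r in results_of(current)}
    return {"fixed": sorted(prev - curr), "new": sorted(curr - prev),
            "persisting": sorted(prev & curr)}


def worst_level(sarif):
    """Highest SARIF level present, or None when the run is clean.
    SARIF defaults a missing result.level to "warning"."""
    levels = [r.get("level", "warning") for r in results_of(sarif)]
    return max(levels, key=LEVEL_RANK.__getitem__) if levels else None


def should_fail(sarif, threshold="error"):
    """Gate like a CI policy: fail when any result reaches the threshold."""
    worst = worst_level(sarif)
    return worst is not None and LEVEL_RANK[worst] >= LEVEL_RANK[threshold]


def load_sarif(path):
    """Read a .sarif file from disk (for the CLI use below)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python compare.py previous.sarif current.sarif
        prev, curr = load_sarif(sys.argv[1]), load_sarif(sys.argv[2])
    else:                    # no arguments: use the constructed runs
        prev, curr = PREVIOUS_RUN, CURRENT_RUN
    for bucket, items in compare_runs(prev, curr).items():
        print(f"{bucket}: {len(items)}")
        for rule_id, uri, line in items:
            print(f"  {rule_id} {uri}:{line}")
    sys.exit(1 if should_fail(curr) else 0)
```

Pass two archived files as arguments to diff real runs; with no arguments it diffs the constructed runs and exits non-zero because the `tp-001` error persists. Matching on rule id, file and line is deliberately simple: a finding that moves a few lines will show up as one "fixed" and one "new" entry, which is the trade-off to keep in mind when reading the counts.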