SARIF Import and Export
CodeStax supports the Static Analysis Results Interchange Format (SARIF) version 2.1.0 for exchanging vulnerability data with other security tools and platforms.
What is SARIF
SARIF is an OASIS standard JSON format for the output of static analysis tools, including software composition analysis (SCA) scanners. It defines a common schema (tools, rules, results, and locations) so that results from different tools can be viewed, compared, and aggregated in one place.
Exporting Findings as SARIF
Export any SCA scan result in SARIF format for use with GitHub Security, Azure DevOps, or other SARIF-compatible platforms.
- Open a completed scan from SCA > Scans.
- Click Export and select SARIF (.sarif.json).
- The downloaded file contains all findings with severity, location, and remediation metadata.
Alternatively, use the API:
```text
GET /api/sca/scans/{scan_id}/sarif
```
The exported file is compatible with the GitHub Security tab. Upload it through the GitHub Code Scanning API to surface CodeStax findings alongside other GitHub code scanning alerts. Note that the Code Scanning API expects the SARIF document gzip-compressed and then base64-encoded in the request body; raw JSON is not accepted.
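The export-and-upload path, as an added example that is not part of the CodeStax documentation or its code. Only the `GET /api/sca/scans/{scan_id}/sarif` path comes from the page; the CodeStax host (`CODESTAX_BASE`), its bearer-token authentication, and the constructed `SAMPLE_SARIF` document are assumptions. The GitHub side (`POST /repos/{owner}/{repo}/code-scanning/sarifs`, the `commit_sha`/`ref`/`sarif` body fields, and the gzip-then-base64 encoding) follows the public GitHub Code Scanning API.

```python
"""Fetch a CodeStax SARIF export and push it to GitHub code scanning.

Added example, not CodeStax code. The CodeStax host and bearer-token auth are
assumptions; the GitHub endpoint and encoding follow the public Code Scanning API.
"""
import base64
import gzip
import json
import os
import sys
import urllib.request

CODESTAX_BASE = os.environ.get("CODESTAX_BASE", "https://codestax.example")  # assumed host

# Constructed minimal SARIF document used for the offline round-trip check.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "CodeStax"}}, "results": []}],
}).encode("utf-8")


def fetch_sarif(scan_id: str, token: str) -> bytes:
    """Download the SARIF export for one scan (network call, not exercised offline)."""
    req = urllib.request.Request(
        f"{CODESTAX_BASE}/api/sca/scans/{scan_id}/sarif",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def encode_for_github(doc: bytes) -> str:
    """GitHub does not take raw JSON here: gzip-compress, then base64-encode."""
    return base64.b64encode(gzip.compress(doc)).decode("ascii")


def decode_from_github(blob: str) -> bytes:
    """Inverse of encode_for_github, so the encoding can be verified before uploading."""
    return gzip.decompress(base64.b64decode(blob))


def build_upload_body(doc: bytes, commit_sha: str, ref: str) -> dict:
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs.

    Two common upload failures are caught up front: the ref must be fully
    qualified (refs/heads/..., refs/tags/..., refs/pull/N/merge) and the commit
    SHA must be the full 40-hex form.
    """
    if not ref.startswith("refs/"):
        raise ValueError("ref must be fully qualified, e.g. refs/heads/main")
    if len(commit_sha) != 40 or any(c not in "0123456789abcdef" for c in commit_sha.lower()):
        raise ValueError("commit_sha must be the full 40-character hex SHA")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": encode_for_github(doc)}


def upload_to_github(owner: str, repo: str, body: dict, gh_token: str) -> dict:
    """POST the body; the response carries an id and a URL to poll for processing status."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {gh_token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python export_to_github.py <scan_id> <owner> <repo> <commit_sha> <ref>
    scan_id, owner, repo, sha, ref = sys.argv[1:6]
    sarif_doc = fetch_sarif(scan_id, os.environ["CODESTAX_TOKEN"])
    print(upload_to_github(owner, repo, build_upload_body(sarif_doc, sha, ref),
                           os.environ["GITHUB_TOKEN"]))
```

The token used for GitHub needs the `security_events` write scope on the target repository; keep it and the CodeStax token in environment variables or a secrets store rather than on the command line.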
Importing SARIF Files
Bring results from external tools into CodeStax to get a unified view of your dependency vulnerabilities.
Supported Sources
| Tool | Notes |
|---|---|
| Snyk | Export with `snyk test --sarif` |
| Dependabot | Download from the GitHub Security tab |
| Checkmarx | Export from Checkmarx SCA results |
| OWASP Dependency-Check | Run with `--format SARIF` |
| Other | Any valid SARIF 2.1.0 file |
Import Methods
Dashboard upload:
- Navigate to SCA > SARIF for the target repository.
- Drag and drop a `.sarif` or `.sarif.json` file onto the upload area, or click to browse.
- CodeStax validates the file structure and maps each result to the internal finding model.
- Imported findings appear as a synthetic scan with the source tool name as the scanner label.
API upload:
```text
POST /api/sca/sarif/import
Content-Type: multipart/form-data

repo_id: {repo_id}
file: @results.sarif.json
```
How Imported Findings Appear
Imported findings are stored as a synthetic scan linked to the repository. They are treated like any other scan result:
- Findings appear in the vulnerability list with the original tool name shown as the source.
- Severity levels from the SARIF file are mapped to the CodeStax scale (critical, high, medium, low, info). SARIF's native `level` property has only four values (error, warning, note, none), so how finely a source tool's severities survive the import depends on whether it also emits a finer-grained severity property; spot-check a few imported findings against the source tool's own report after the first import.
- Policy rules, ignore rules, and triage workflows all apply to imported findings.
- Trend charts include imported scan data so you can track progress across tools.
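What the validate-and-map step of an import looks like end to end, as an added example that is not CodeStax code and does not reproduce its internal finding model. The `Finding` fields, the `LEVEL_TO_SEVERITY` table, and the thresholds on the `security-severity` score are illustrative assumptions; the 2.1.0 version requirement and the 50 MB limit are the ones this page states, and the constructed `SAMPLE_SARIF` document is sample input, not a real export.

```python
"""Pre-import check for a SARIF 2.1.0 file: validate the structure and map each
result to a finding. Added example, not CodeStax code; the Finding fields and
the severity mapping are assumptions, not the product's own table."""
import json
from dataclasses import dataclass
from typing import List, Optional

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # documented upload limit

# SARIF's native level has four values; this is one reasonable mapping onto the
# five-step CodeStax scale (an assumption).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass
class Finding:
    source_tool: str
    rule_id: str
    severity: str
    message: str
    uri: Optional[str]
    start_line: Optional[int]


def load_sarif(doc: bytes) -> dict:
    """Reject oversize files, wrong schema versions and documents without runs."""
    if len(doc) > MAX_UPLOAD_BYTES:
        raise ValueError("file exceeds the 50 MB upload limit")
    sarif = json.loads(doc)
    if sarif.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {sarif.get('version')!r}; 2.1.0 is required")
    if not isinstance(sarif.get("runs"), list):
        raise ValueError("SARIF document has no 'runs' array")
    return sarif


def severity_from(result: dict, rule: dict) -> str:
    """Prefer the 0-10 security-severity score (emitted by GitHub-aware tools) over the
    coarse level; fall back to the rule's default level, then to SARIF's default 'warning'."""
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        score = float(score)
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low" if score > 0 else "info"
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level") or "warning"
    return LEVEL_TO_SEVERITY.get(level, "medium")


def map_findings(sarif: dict) -> List[Finding]:
    """Flatten every run's results into findings labelled with the source tool's name."""
    findings: List[Finding] = []
    for run in sarif["runs"]:
        driver = run.get("tool", {}).get("driver", {})
        tool_name = driver.get("name", "unknown")
        rules = driver.get("rules", [])
        rules_by_id = {r.get("id"): r for r in rules}
        for res in run.get("results", []):
            if res.get("kind", "fail") in ("pass", "notApplicable"):
                continue  # checks that did not fail are not findings
            rule = {}
            idx = res.get("ruleIndex")
            if isinstance(idx, int) and 0 <= idx < len(rules):
                rule = rules[idx]
            elif res.get("ruleId") in rules_by_id:
                rule = rules_by_id[res["ruleId"]]
            uri = start_line = None
            for loc in res.get("locations", [])[:1]:  # first location only
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                start_line = phys.get("region", {}).get("startLine")
            findings.append(Finding(tool_name, res.get("ruleId") or rule.get("id", "unknown"),
                                    severity_from(res, rule),
                                    res.get("message", {}).get("text", ""), uri, start_line))
    return findings


# Constructed sample: a scored rule, a rule relying on its default level, and a
# 'pass' result that the import should drop.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSCA", "rules": [
            {"id": "EX-0001", "properties": {"security-severity": "9.8"}},
            {"id": "EX-0002", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "EX-0001", "ruleIndex": 0, "level": "error",
             "message": {"text": "vulnerable dependency"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "package-lock.json"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX-0002", "message": {"text": "outdated dependency"}},
            {"ruleId": "EX-0003", "kind": "pass", "message": {"text": "clean"}},
        ],
    }],
}).encode("utf-8")

if __name__ == "__main__":
    for finding in map_findings(load_sarif(SAMPLE_SARIF)):
        print(finding)
```

Running a check like this before uploading shows which findings would arrive without a location or with a severity inferred from the rule's default rather than from the result itself, which is where imported and native scans most often disagree.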
Limitations
- SARIF files must conform to version 2.1.0 of the schema.
- Maximum upload size is 50 MB.
- Binary attachments embedded in SARIF are ignored during import.