SARIF 2.1.0 output
SARIF (Static Analysis Results Interchange Format) is the industry-standard format for static analysis tools. Use --format sarif for native GitHub Code Scanning, Azure DevOps, and other security dashboard integrations.
Usage
shadowaudit --dir ./src --spec openapi.json --format sarif > shadowaudit.sarif
Rule mapping
shadowaudit maps findings to two SARIF rules:
| Rule ID | Severity | SARIF Level | Description |
|---|---|---|---|
SHADOW001 | CRITICAL | error | Undocumented route with no authentication |
SHADOW002 | HIGH | warning | Undocumented route with authentication present |
SHADOW002 | INFO | note | Informational finding |
SARIF structure
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "shadowaudit",
"version": "0.3.0",
"informationUri": "https://shadowaudit.github.io",
"rules": [
{
"id": "SHADOW001",
"name": "UndocumentedUnauthenticatedRoute",
"shortDescription": {
"text": "Undocumented route with no authentication"
},
"defaultConfiguration": { "level": "error" }
},
{
"id": "SHADOW002",
"name": "UndocumentedAuthenticatedRoute",
"shortDescription": {
"text": "Undocumented route with authentication present"
},
"defaultConfiguration": { "level": "warning" }
}
]
}
},
"results": [
{
"ruleId": "SHADOW001",
"level": "error",
"message": {
"text": "Undocumented route with no authentication middleware detected"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "routes.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 21
}
}
}
]
}
]
}
]
}
GitHub Code Scanning integration
Upload SARIF to GitHub's Security tab:
name: Security Scan
on: [pull_request]
jobs:
shadowaudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Run shadowaudit
run: npx shadowaudit --dir ./src --spec ./openapi.json --format sarif > shadowaudit.sarif
continue-on-error: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: shadowaudit.sarif
Findings will appear in your repo's Security → Code scanning alerts tab with:
- File location (clickable to the exact line)
- Severity (error/warning)
- Rule description
- Remediation guidance