Skip to main content

SARIF 2.1.0 output

SARIF (Static Analysis Results Interchange Format) is the industry-standard format for static analysis tools. Use --format sarif for native GitHub Code Scanning, Azure DevOps, and other security dashboard integrations.

Usage

shadowaudit --dir ./src --spec openapi.json --format sarif > shadowaudit.sarif

Rule mapping

shadowaudit maps findings to two SARIF rules:

Rule IDSeveritySARIF LevelDescription
SHADOW001CRITICALerrorUndocumented route with no authentication
SHADOW002HIGHwarningUndocumented route with authentication present
SHADOW002INFOnoteInformational finding

SARIF structure

{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "shadowaudit",
"version": "0.3.0",
"informationUri": "https://shadowaudit.github.io",
"rules": [
{
"id": "SHADOW001",
"name": "UndocumentedUnauthenticatedRoute",
"shortDescription": {
"text": "Undocumented route with no authentication"
},
"defaultConfiguration": { "level": "error" }
},
{
"id": "SHADOW002",
"name": "UndocumentedAuthenticatedRoute",
"shortDescription": {
"text": "Undocumented route with authentication present"
},
"defaultConfiguration": { "level": "warning" }
}
]
}
},
"results": [
{
"ruleId": "SHADOW001",
"level": "error",
"message": {
"text": "Undocumented route with no authentication middleware detected"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "routes.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 21
}
}
}
]
}
]
}
]
}

GitHub Code Scanning integration

Upload SARIF to GitHub's Security tab:

name: Security Scan
on: [pull_request]

jobs:
shadowaudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'

- name: Run shadowaudit
run: npx shadowaudit --dir ./src --spec ./openapi.json --format sarif > shadowaudit.sarif
continue-on-error: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: shadowaudit.sarif

Findings will appear in your repo's Security → Code scanning alerts tab with:

  • File location (clickable to the exact line)
  • Severity (error/warning)
  • Rule description
  • Remediation guidance