q-ai generates SARIF 2.1.0-compliant reports that integrate with GitHub Code Scanning, VS Code, and other SARIF-compatible security tools.
What is SARIF?
SARIF (Static Analysis Results Interchange Format) is the OASIS-standardised JSON format for static analysis results. Each q-ai finding becomes a SARIF result carrying its rule metadata, a level (error, warning or note) and a security-severity score, the property GitHub Code Scanning uses to rank alerts, so a report can be fed directly into security dashboards and CI/CD pipelines.
Generating SARIF output
Use --format sarif on audit scan to generate a SARIF report directly:
qai audit scan \
--transport stdio \
--command "python my_server.py" \
--format sarif \
--output results/scan.sarif
Or convert saved JSON results to SARIF with audit report:
qai audit report \
--input results/scan.json \
--format sarif \
--output results/scan.sarif
SARIF structure
Each finding maps to SARIF as follows:
| q-ai field | SARIF field | Example |
|---|---|---|
| rule_id | ruleId | MCP05-001 |
| owasp_id | properties.tags[] | MCP05 |
| title | rule.shortDescription | Command injection detected |
| description | result.message.text | Full finding description |
| severity | level + security-severity | error / 9.0 for CRITICAL |
Severity mapping:
| q-ai Severity | SARIF Level | Security-Severity Score |
|---|---|---|
| CRITICAL | error | 9.0 |
| HIGH | error | 7.0 |
| MEDIUM | warning | 4.0 |
| LOW | note | 0.1 |
| INFO | note | 0.0 |
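The two tables above, carried out in code as an added example. This is not q-ai's own converter: the `rule_id`, `owasp_id`, `title`, `description` and `severity` field names come from the mapping table, while the surrounding JSON layout of a saved scan, the sample finding values (including the rule IDs other than MCP05-001) and the extra `security` tag are assumptions made for the example.

```python
import json

# Severity mapping from the page: q-ai severity -> (SARIF level, security-severity).
# GitHub Code Scanning reads security-severity from the rule's properties, so the
# score is attached to the rule object below and echoed on each result.
SEVERITY_MAP = {
    "CRITICAL": ("error", "9.0"),
    "HIGH": ("error", "7.0"),
    "MEDIUM": ("warning", "4.0"),
    "LOW": ("note", "0.1"),
    "INFO": ("note", "0.0"),
}

# Constructed sample findings. The field names are the q-ai fields from the mapping
# table; the list layout and the values (rule IDs other than MCP05-001 are made up)
# are assumptions, not something this page documents.
SAMPLE_FINDINGS = [
    {"rule_id": "MCP05-001", "owasp_id": "MCP05", "title": "Command injection detected",
     "description": "Tool 'run_shell' passes its argument to a shell unescaped.",
     "severity": "CRITICAL"},
    {"rule_id": "MCP05-001", "owasp_id": "MCP05", "title": "Command injection detected",
     "description": "Tool 'git_log' interpolates 'ref' into a subprocess string.",
     "severity": "critical"},  # case differences are normalised below
    {"rule_id": "MCP01-002", "owasp_id": "MCP01", "title": "Tool description missing",
     "description": "Tool 'ping' exposes no description for the client to show.",
     "severity": "LOW"},
]


def to_sarif(findings, tool_name="q-ai", tool_version="unknown"):
    """Build a SARIF 2.1.0 log: one run, one rule per rule_id, one result per finding."""
    rules = []        # rules[i] is the SARIF reportingDescriptor at ruleIndex i
    rule_index = {}   # rule_id -> position in `rules`
    results = []
    for f in findings:
        sev = str(f.get("severity", "")).upper()
        if sev not in SEVERITY_MAP:
            # Fail loudly rather than silently downgrading an unknown severity to INFO.
            raise ValueError(f"unknown severity {f.get('severity')!r} on rule {f.get('rule_id')!r}")
        level, score = SEVERITY_MAP[sev]
        rid = f["rule_id"]
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": f["title"]},
                # "security" is a GitHub tagging convention, an assumption beyond the table.
                "properties": {"security-severity": score, "tags": ["security", f["owasp_id"]]},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": level,
            "message": {"text": f["description"]},
            "properties": {"security-severity": score, "tags": [f["owasp_id"]]},
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def write_sarif(findings, path):
    """Serialise the log to disk as the single JSON document upload-sarif expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

Two findings for the same rule produce one rule entry and two results, which is what keeps the Code Scanning rule list stable while every instance still shows up as its own alert.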
GitHub Code Scanning
Upload SARIF results to GitHub Code Scanning using the upload-sarif action; the job needs the `security-events: write` permission for the upload to succeed:
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results/scan.sarif
CI/CD integration
Add MCP server scanning to a GitHub Actions workflow:
- name: Scan MCP server
  run: |
    qai audit scan \
      --transport stdio \
      --command "python my_server.py" \
      --format sarif \
      --output results/scan.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results/scan.sarif
Combine with --checks to run specific scanners in CI, keeping scan times predictable. Steps after a failed step are skipped by default, so if the scan step can fail the job, set `if: always()` on the upload step so the report still reaches Code Scanning.