
q-ai generates SARIF 2.1.0-compliant reports that integrate with GitHub Code Scanning, VS Code, and other SARIF-compatible security tools.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is the OASIS-standardized JSON format for static analysis results; GitHub Code Scanning accepts version 2.1.0. q-ai maps each finding to one SARIF result carrying rule metadata, a SARIF level, and a security-severity score, so findings flow into security dashboards and CI/CD pipelines without a custom converter.

Generating SARIF output

Use --format sarif on audit scan to generate a SARIF report directly:

qai audit scan \
  --transport stdio \
  --command "python my_server.py" \
  --format sarif \
  --output results/scan.sarif

Or convert saved JSON results to SARIF with audit report:

qai audit report \
  --input results/scan.json \
  --format sarif \
  --output results/scan.sarif

SARIF structure

Each finding maps to SARIF as follows:

  q-ai field    SARIF field                 Example
  rule_id       ruleId                      MCP05-001
  owasp_id      properties.tags[]           MCP05
  title         rule.shortDescription       Command injection detected
  description   result.message.text         Full finding description
  severity      level + security-severity   error / 9.0 for CRITICAL

Severity mapping:

  q-ai Severity   SARIF Level   Security-Severity Score
  CRITICAL        error         9.0
  HIGH            error         7.0
  MEDIUM          warning       4.0
  LOW             note          0.1
  INFO            note          0.0

The security-severity score is the property GitHub Code Scanning uses to band alerts: 9.0 and above is shown as Critical, 7.0 to 8.9 as High, 4.0 to 6.9 as Medium, and 0.1 to 3.9 as Low. The scores above therefore place each q-ai severity at the lower edge of the matching GitHub band; INFO findings score 0.0, below the Low band, and are distinguished only by their note level.

GitHub Code Scanning

Upload SARIF results to GitHub Code Scanning using the upload-sarif action. The job running it needs the security-events: write permission (plus contents: read to check out the repository); without it the upload is rejected:
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results/scan.sarif

CI/CD integration

Add MCP server scanning to a GitHub Actions workflow. The workflow below grants the permission the upload needs, and if: always() keeps the upload step running when the scan step exits non-zero, so findings still reach Code Scanning on a failing build (add an install step for qai before the scan, as appropriate for how you distribute it):
name: MCP server scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan MCP server
        run: |
          qai audit scan \
            --transport stdio \
            --command "python my_server.py" \
            --format sarif \
            --output results/scan.sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results/scan.sarif
Combine with --checks to run specific scanners in CI, keeping scan times predictable.
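Added example, not q-ai's own code: a small Python checker that reads a q-ai SARIF report, verifies that each result's level agrees with the security-severity its rule carries according to the mapping table above, and exits non-zero when anything HIGH or CRITICAL is present, which is the step a workflow would run between the scan and the upload to fail the build. It assumes security-severity is stored as a string in rule.properties, which is where GitHub Code Scanning reads it; the embedded sample report and the EXAMPLE-* rule ids are constructed for the demonstration, not qai output.

```python
# Added example, not q-ai code: checks a SARIF report against the page's severity
# table and turns it into a CI pass/fail. Assumes security-severity is stored as a
# string in rule.properties, which is where GitHub Code Scanning reads it.
import json
import sys
from typing import Optional

# From the severity table: q-ai severity -> (SARIF level, security-severity score).
SEVERITY_MAP = {
    "CRITICAL": ("error", 9.0), "HIGH": ("error", 7.0), "MEDIUM": ("warning", 4.0),
    "LOW": ("note", 0.1), "INFO": ("note", 0.0),
}
# Reverse lookup: the SARIF level a given score should be reported with.
LEVEL_FOR_SCORE = {score: level for level, score in SEVERITY_MAP.values()}
# GitHub Code Scanning bands for security-severity (lower bound, display name).
GITHUB_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]


def github_bucket(score: float) -> str:
    """Band a score the way GitHub displays it; 'none' below the Low band (e.g. INFO at 0.0)."""
    return next((name for floor, name in GITHUB_BANDS if score >= floor), "none")


# Constructed sample, not qai output. Ids other than MCP05-001 are hypothetical; the last
# two results are deliberately malformed so validate() has something to report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "q-ai", "rules": [
            {"id": "MCP05-001", "shortDescription": {"text": "Command injection detected"},
             "properties": {"tags": ["MCP05"], "security-severity": "9.0"}},
            {"id": "EXAMPLE-002", "shortDescription": {"text": "Hypothetical low rule"},
             "properties": {"tags": ["EXAMPLE"], "security-severity": "0.1"}},
        ]}},
        "results": [
            {"ruleId": "MCP05-001", "level": "error",
             "message": {"text": "Constructed critical finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "my_server.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-002", "level": "note", "message": {"text": "Constructed low finding"}},
            {"ruleId": "MCP05-001", "level": "warning",  # wrong level for a 9.0 rule
             "message": {"text": "Constructed inconsistent finding"}},
            {"ruleId": "EXAMPLE-999", "level": "error",  # no rule metadata for this id
             "message": {"text": "Constructed dangling finding"}},
        ],
    }],
})


def load_sarif(text: str) -> dict:
    return json.loads(text)


def rule_index(run: dict) -> dict:
    """ruleId -> rule object from tool.driver.rules."""
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def rule_score(rule: Optional[dict]) -> Optional[float]:
    """security-severity from rule.properties, or None if the rule or property is absent."""
    raw = (rule or {}).get("properties", {}).get("security-severity")
    return None if raw is None else float(raw)


def validate(doc: dict) -> list:
    """Problems that would make Code Scanning misrender the report; [] when consistent."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"SARIF version {doc.get('version')!r}; GitHub expects 2.1.0")
    for run_no, run in enumerate(doc.get("runs", [])):
        rules = rule_index(run)
        for i, res in enumerate(run.get("results", [])):
            rid, rule = res.get("ruleId"), rules.get(res.get("ruleId"))
            if rule is None:
                problems.append(f"run {run_no} result {i}: ruleId {rid!r} has no rule metadata")
                continue
            score = rule_score(rule)
            if score is None:
                problems.append(f"run {run_no} result {i}: rule {rid!r} lacks security-severity")
                continue
            level = res.get("level", "warning")  # SARIF default when level is omitted
            expected = LEVEL_FOR_SCORE.get(score)
            if expected is not None and level != expected:
                problems.append(f"run {run_no} result {i}: level {level!r} but score {score} "
                                f"maps to {expected!r} in the q-ai table")
    return problems


def findings_at_or_above(doc: dict, threshold: float) -> list:
    """(ruleId, score, GitHub band) for every result whose rule scores >= threshold."""
    hits = []
    for run in doc.get("runs", []):
        rules = rule_index(run)
        for res in run.get("results", []):
            score = rule_score(rules.get(res.get("ruleId")))
            if score is not None and score >= threshold:
                hits.append((res["ruleId"], score, github_bucket(score)))
    return hits


def gate(doc: dict, threshold: float = 7.0) -> int:
    """CI exit code: 1 if any HIGH or CRITICAL (>= 7.0 by default) finding exists, else 0."""
    return 1 if findings_at_or_above(doc, threshold) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py results/scan.sarif   (no argument: runs on the sample)
    doc = load_sarif(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF)
    for p in validate(doc):
        print("problem:", p)
    for rid, score, band in findings_at_or_above(doc, 7.0):
        print(f"blocking: {rid} security-severity={score} ({band})")
    sys.exit(gate(doc))
```

Run it against results/scan.sarif as a workflow step placed after the scan and before the upload; because the upload step uses if: always(), a non-zero exit from the gate fails the job while the report still reaches Code Scanning. The threshold is a parameter, so a team that only wants to block on CRITICAL passes 9.0, and the band names let the log match what the GitHub alert list will show.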