Audit findings export in SARIF (Static Analysis Results Interchange Format) 2.1.0 for native integration with GitHub Code Scanning, IDE security views, and CI/CD pipelines.

Generating SARIF

CLI:

qai audit scan --transport stdio --command "npx @modelcontextprotocol/server-memory" \
  --format sarif --output findings.sarif

Or convert an existing scan:

qai audit report --input results/scan.json --format sarif --output findings.sarif

Web UI: Click Download SARIF on a completed run’s overview header (only available when the audit module ran).

SARIF Structure

The output conforms to SARIF 2.1.0 with one run containing the q-ai tool driver, deduplicated rules, and one result per finding.

Tool Driver

{
  "name": "q-ai",
  "version": "0.5.1",
  "informationUri": "https://github.com/q-uestionable-AI/qai",
  "rules": [ ... ]
}

Rules

Each unique rule_id from the scan produces one rule entry:

{
  "id": "QAI-INJ-CWE-078-shell_injection",
  "name": "Command injection in 'execute' parameter 'cmd'",
  "shortDescription": { "text": "Command injection in 'execute' parameter 'cmd'" },
  "fullDescription": { "text": "Detailed description..." },
  "defaultConfiguration": { "level": "error" },
  "helpUri": "https://github.com/q-uestionable-AI/qai/blob/main/documentation/audit/framework-coverage.mdx#MCP05",
  "properties": {
    "security-severity": "7.0",
    "tags": ["security", "command_injection"]
  }
}

Results

One result per finding, referencing the rule by ID and index:

{
  "ruleId": "QAI-INJ-CWE-078-shell_injection",
  "ruleIndex": 0,
  "level": "error",
  "message": { "text": "Detailed description..." },
  "properties": {
    "category": "command_injection",
    "tool_name": "memory_store",
    "evidence": "...",
    "remediation": "Validate and sanitize tool parameters...",
    "metadata": { ... }
  }
}

Severity Mapping

qai Severity   SARIF Level   security-severity Score
Critical       error         9.0
High           error         7.0
Medium         warning       4.0
Low            note          0.1
Info           note          0.0

The security-severity property in rule properties enables GitHub Code Scanning to sort findings by security impact.
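The following is an added example, not q-ai's own exporter, that puts the structure described above (one run, one tool driver, deduplicated rules, one result per finding) and the severity table into working code. The findings are constructed sample records; their field names (rule_id, title, severity, category, tool_name, ...) are an assumption about the scan JSON, QAI-EXAMPLE-0001 is a placeholder rule id, and the schema URL is the one commonly used for SARIF 2.1.0 rather than something taken from q-ai. It also includes the two checks worth running before uploading any SARIF file: every result's ruleIndex must point at the rule whose id it names, and every rule carries security-severity so GitHub can rank it.

```python
import json

# Severity mapping from the table above: qai severity -> (SARIF level, security-severity)
SEVERITY_MAP = {
    "Critical": ("error", "9.0"),
    "High": ("error", "7.0"),
    "Medium": ("warning", "4.0"),
    "Low": ("note", "0.1"),
    "Info": ("note", "0.0"),
}

TOOL_NAME = "q-ai"
TOOL_VERSION = "0.5.1"  # version string from the page; a real exporter reads it from the package
TOOL_URI = "https://github.com/q-uestionable-AI/qai"


def finding(rule_id, title, severity, category, tool_name):
    """Constructed finding record; the field names are an assumption about the scan JSON."""
    return {"rule_id": rule_id, "title": title, "description": "Detailed description...",
            "severity": severity, "category": category, "tool_name": tool_name,
            "evidence": "...", "remediation": "Validate and sanitize tool parameters..."}


# Constructed sample findings: two share a rule_id, so they must collapse into one rule entry.
SAMPLE_FINDINGS = [
    finding("QAI-INJ-CWE-078-shell_injection", "Command injection in 'execute' parameter 'cmd'",
            "High", "command_injection", "memory_store"),
    finding("QAI-INJ-CWE-078-shell_injection", "Command injection in 'execute' parameter 'cmd'",
            "High", "command_injection", "example_tool_2"),  # same rule, different tool
    finding("QAI-EXAMPLE-0001", "Placeholder medium-severity finding",  # placeholder rule id
            "Medium", "example_category", "example_tool"),
]


def severity_to_sarif(severity):
    """Map a qai severity to (level, security-severity); unknown values degrade to note/0.0."""
    return SEVERITY_MAP.get(severity, ("note", "0.0"))


def build_sarif(findings):
    """Return a SARIF 2.1.0 dict with one run, deduplicated rules and one result per finding."""
    rules, results = [], []
    rule_index = {}  # rule_id -> position in rules[], used for each result's ruleIndex
    for f in findings:
        rid = f["rule_id"]
        level, score = severity_to_sarif(f["severity"])
        if rid not in rule_index:  # first sighting of this rule_id creates the rule entry
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "name": f["title"],
                "shortDescription": {"text": f["title"]},
                "fullDescription": {"text": f["description"]},
                "defaultConfiguration": {"level": level},
                "properties": {"security-severity": score, "tags": ["security", f["category"]]},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": level,
            "message": {"text": f["description"]},
            "properties": {"category": f["category"], "tool_name": f["tool_name"],
                           "evidence": f["evidence"], "remediation": f["remediation"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",  # assumed schema URL
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": TOOL_NAME, "version": TOOL_VERSION,
                                "informationUri": TOOL_URI, "rules": rules}},
            "results": results,
        }],
    }


def check_sarif(doc):
    """Pre-upload sanity checks; returns a list of problem strings (empty when clean)."""
    problems = []
    for run in doc["runs"]:
        rules = run["tool"]["driver"]["rules"]
        for rule in rules:
            if "security-severity" not in rule.get("properties", {}):
                problems.append(f"rule {rule['id']} lacks security-severity")
        for i, res in enumerate(run["results"]):
            idx = res["ruleIndex"]
            if idx >= len(rules) or rules[idx]["id"] != res["ruleId"]:
                problems.append(f"result {i}: ruleIndex {idx} does not match ruleId {res['ruleId']}")
    return problems


if __name__ == "__main__":
    sarif = build_sarif(SAMPLE_FINDINGS)
    print(json.dumps(sarif, indent=2))
    print("problems:", check_sarif(sarif))
```

The dedup key is the rule id alone, so the rule's name and defaultConfiguration come from the first finding that introduced it; this matches the "one rule per unique rule_id" behaviour described above, and is why the level is repeated on each result rather than relied upon from the rule.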

GitHub Code Scanning Integration

Upload SARIF results to GitHub’s Security tab using the codeql-action/upload-sarif action:

name: MCP Security Audit

on: [push]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install qai
        run: pip install q-uestionable-ai

      - name: Run audit
        run: |
          qai audit scan \
            --transport stdio \
            --command "npx @modelcontextprotocol/server-memory" \
            --format sarif \
            --output results.sarif

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: qai-mcp-audit

Findings appear in the repository’s Security tab under Code Scanning alerts.

SARIF export is currently generated by the audit module only. Other modules (inject, ipi, cxp, rxp) export findings via the JSON bundle format.