SARIF Integration

The Odin Scan action uploads findings in SARIF (Static Analysis Results Interchange Format) to GitHub Code Scanning. This provides a native security experience within GitHub, including alerts in the Security tab, inline annotations on pull request diffs, and alert management workflows.

What Is SARIF

SARIF is an OASIS standard format for the output of static analysis tools. GitHub Code Scanning accepts SARIF uploads and uses them to display security alerts alongside your code. By uploading findings in SARIF format, Odin Scan integrates directly into GitHub’s built-in security infrastructure.

Enabling SARIF Upload

SARIF upload is enabled by default. To explicitly configure it:

- uses: odin-scan/odin-scan-action@v1
  with:
    api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
    upload-sarif: true

To disable it:

upload-sarif: false

Required Permissions

The workflow must have security-events: write permission to upload SARIF results:

permissions:
  contents: read
  security-events: write

Without this permission, the SARIF upload step will fail. The action will still complete, but findings will not appear in Code Scanning.

What You Get

Security Tab Alerts

Once SARIF results are uploaded, findings appear as alerts in your repository’s Security > Code Scanning tab. Each alert includes:

  • The vulnerability title and description.
  • The severity level.
  • The file and line where the issue was detected.
  • A link to the relevant code.

Inline Annotations on Pull Requests

Findings that affect files changed in a pull request appear as inline annotations directly on the diff view. Reviewers see warnings and errors next to the relevant lines without leaving the review interface.

When findings-visibility is set to counts or private, inline annotations are suppressed to prevent exposing vulnerability details on public repositories.

Alert Tracking and Dismissal

GitHub Code Scanning provides workflows for managing alerts over time:

  • Dismiss alerts as false positives, won’t fix, or used in tests.
  • Track resolution across branches and pull requests.
  • Re-open alerts if a fix is reverted.
  • Filter and search by severity, tool, or state.

This gives your team a persistent record of security findings beyond individual workflow runs.

Private Repository Requirements

On private repositories, GitHub Code Scanning requires GitHub Advanced Security to be enabled. This is a paid GitHub feature.

If GitHub Advanced Security is not enabled on your private repository, SARIF uploads will fail with an error. In this case, you can either:

  1. Enable GitHub Advanced Security for the repository.
  2. Disable SARIF upload (upload-sarif: false) and rely on PR comments and workflow artifacts for findings.

On public repositories, Code Scanning is available at no additional cost.

Accessing the SARIF File

The action exposes the local path to the generated SARIF file as the sarif-file output. You can use this in subsequent workflow steps for custom processing:

- name: Run Odin Scan
  id: scan
  uses: odin-scan/odin-scan-action@v1
  with:
    api-key: ${{ secrets.ODIN_SCAN_API_KEY }}

- name: Process SARIF
  if: always()
  run: |
    echo "SARIF file: ${{ steps.scan.outputs.sarif-file }}"
    jq '.runs[0].results | length' "${{ steps.scan.outputs.sarif-file }}"
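A follow-up step can do more than count results. The script below is an added example, not the action's own code: it reads the SARIF file whose path the `sarif-file` output provides (assumed here to be passed in as the SARIF_FILE environment variable), falls back to a constructed sample document when that variable is unset, assumes the SARIF 2.1.0 layout of runs[].results[], and exits non-zero when error-level findings are present.

```python
# Added example (not part of the Odin Scan action): summarise the SARIF file
# exposed as the `sarif-file` output, passed in here via SARIF_FILE. Assumes
# SARIF 2.1.0 with runs[].results[] carrying ruleId, level, message, locations.
import json
import os
import sys
from collections import Counter

# Constructed sample document, used when SARIF_FILE is not set.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "odin-scan"}}, "results": [
        {"ruleId": "ODIN-001", "level": "error",
         "message": {"text": "Hardcoded credential"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/config.py"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "ODIN-002", "level": "warning",
         "message": {"text": "Outdated dependency"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "requirements.txt"},
             "region": {"startLine": 3}}}]},
    ]}],
}

def summarize(sarif):
    """Return (Counter of findings per level, rows of (level, rule, uri, line, text))."""
    rows = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when absent
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            rows.append((level, res.get("ruleId", "?"), uri, line,
                         res.get("message", {}).get("text", "")))
    return Counter(r[0] for r in rows), rows

def should_fail(counts, fail_on=("error",)):
    """True when any finding sits at a level the team treats as blocking."""
    return any(counts.get(level, 0) > 0 for level in fail_on)

if __name__ == "__main__":
    path = os.environ.get("SARIF_FILE")
    data = json.load(open(path, encoding="utf-8")) if path else SAMPLE_SARIF
    counts, rows = summarize(data)
    for row in sorted(rows):
        print("%-7s %-8s %s:%d  %s" % row)
    print("totals:", dict(counts))
    sys.exit(1 if should_fail(counts) else 0)
```

In the workflow, hand the path to the script with `env: SARIF_FILE: ${{ steps.scan.outputs.sarif-file }}` on the step that runs it; the exit code then gates the job independently of whether Code Scanning accepted the upload.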

Relationship to Findings Visibility

The findings-visibility setting does not affect SARIF uploads. Regardless of whether visibility is set to full, counts, or private, the full details of every finding are included in the SARIF upload. SARIF results are protected by GitHub’s own permission model – only users with security permissions can view Code Scanning alerts.

See Findings Visibility for details on controlling PR comment and annotation behavior.