Static Analysis & Scanning

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is an open standard for representing static analysis output — enabling tools, CI systems, and dashboards to exchange findings in a common format.

By the Hyrax team · 4 min read · May 1, 2026

TL;DR
  1. Definition
  2. What a SARIF File Contains
  3. SARIF Adoption
  4. SARIF and Code Fix Suggestions
  5. SARIF and Autonomous Code Governance

Definition

SARIF (Static Analysis Results Interchange Format) is an open standard, defined by OASIS, for representing the output of static analysis tools in a machine-readable JSON format. SARIF provides a common schema for findings — code locations, severity levels, rule identifiers, fix suggestions — so that results from different analysis tools can be consumed by the same downstream systems.

Before SARIF, every static analysis tool had its own output format. Integrating multiple tools into a CI pipeline required custom parsers for each. SARIF standardizes the representation so that one SARIF-aware consumer (a CI system, a code review dashboard, an IDE) can display results from any SARIF-producing tool.

What a SARIF File Contains

A SARIF file is a JSON document with a defined schema:

  • Tool information — the name, version, and configuration of the analysis tool that produced the results
  • Rules — the set of rules the tool checked, with descriptions, help text, and severity defaults
  • Results — each finding, including: the rule that triggered it, the severity, the location in source code (file, line, column), a message explaining the issue, and optionally a suggested fix
  • Artifacts — references to the files that were analyzed
  • Taxonomies — mappings to external vulnerability taxonomies like CWE, OWASP, or CVE
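To make the five building blocks above concrete, here is an added example (not code from this page or from the Hyrax project) that assembles a minimal SARIF 2.1.0 document containing each of them and then walks it the way a consumer would. The tool name, rule id, file path and messages are constructed sample values; the property names follow the SARIF 2.1.0 schema. It goes slightly beyond the list by showing two details that trip up consumers: a result's severity is only meaningful when its `kind` is `fail`, and a missing `level` falls back to the rule's `defaultConfiguration` before defaulting to `warning`.

```python
"""Build a minimal SARIF 2.1.0 document and walk its findings.

Added example, not code from the original page or the Hyrax project. The tool
name, rule id, file path and messages are constructed sample values; property
names follow the SARIF 2.1.0 schema.
"""
import json

# Constructed sample: one run from a hypothetical scanner with one rule, one
# analysed artifact, a CWE taxonomy, and one result that omits "level".
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",            # constructed tool name
            "version": "0.1.0",
            "rules": [{
                "id": "EX001",                    # constructed rule id
                "shortDescription": {"text": "Untrusted input reaches HTML output"},
                "help": {"text": "Encode user-supplied values before rendering them."},
                "defaultConfiguration": {"level": "error"},
                # Link the rule to an entry in the CWE taxonomy declared below.
                "relationships": [{"target": {"id": "79", "toolComponent": {"name": "CWE"}},
                                   "kinds": ["superset"]}],
            }],
        }},
        "artifacts": [{"location": {"uri": "src/app/render.py"}}],
        "taxonomies": [{"name": "CWE", "version": "4.13",
                        "taxa": [{"id": "79", "name": "Improper Neutralization of Input "
                                                      "During Web Page Generation"}]}],
        "results": [{
            "ruleId": "EX001",
            "ruleIndex": 0,
            # "level" is deliberately absent: per spec it falls back to the rule's
            # defaultConfiguration.level, and only then to "warning".
            "message": {"text": "User-controlled value rendered without encoding."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app/render.py", "index": 0},
                "region": {"startLine": 42, "startColumn": 12},
            }}],
        }],
    }],
}


def load_sarif(text):
    """Parse JSON and reject anything that is not a SARIF 2.1.0 log."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document")
    return doc


def effective_level(result, rules_by_id):
    """Resolve severity as the spec does: result.level, else the rule's
    defaultConfiguration.level, else "warning"."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"))
    if rule:
        return rule.get("defaultConfiguration", {}).get("level", "warning")
    return "warning"


def findings(sarif):
    """Flatten every failing result of every run into a list of dicts."""
    out = []
    for run in sarif["runs"]:
        driver = run["tool"]["driver"]
        rules_by_id = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            # "pass", "notApplicable", "review", ... are not findings; only "fail" is.
            if res.get("kind", "fail") != "fail":
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            region = loc.get("region", {})
            rule = rules_by_id.get(res.get("ruleId"), {})
            cwes = [rel["target"]["id"] for rel in rule.get("relationships", [])
                    if rel.get("target", {}).get("toolComponent", {}).get("name") == "CWE"]
            out.append({
                "tool": driver["name"],
                "rule": res.get("ruleId"),
                "level": effective_level(res, rules_by_id),
                "uri": loc.get("artifactLocation", {}).get("uri"),
                "line": region.get("startLine"),
                "message": res["message"]["text"],
                "cwe": cwes,
            })
    return out


if __name__ == "__main__":
    for f in findings(load_sarif(json.dumps(SAMPLE_SARIF))):
        cwe = ",".join("CWE-" + c for c in f["cwe"]) or "-"
        print(f"{f['level']:8} {f['uri']}:{f['line']} [{f['rule']}] {f['message']} ({cwe})")
```

A consumer that reads `result.level` directly and treats every result as a finding will mis-rank this sample (no `level` present) and will count `pass`-kind results from tools that emit them; resolving through the rule and filtering on `kind` avoids both.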

SARIF Adoption

SARIF is supported by major platforms and tools:

  • GitHub Advanced Security — accepts SARIF uploads via the code-scanning API; findings appear in the Security tab and in PR annotations
  • Visual Studio Code — the SARIF Viewer extension displays SARIF results in the editor
  • Azure DevOps — SARIF upload to the pipeline displays findings in the build results
  • AWS CodeGuru — produces SARIF output
  • Major SAST tools — Semgrep, CodeQL, SonarQube, Checkmarx all produce SARIF

| Property | Before SARIF | With SARIF |
|---|---|---|
| Tool output format | Tool-specific (XML, JSON, text) | Standardized JSON schema |
| CI integration | Custom parser per tool | One SARIF-aware consumer |
| IDE display | Plugin per tool | SARIF viewer works for all tools |
| Cross-tool deduplication | Manual | Automated (same schema) |
| Suggested fixes | Non-standard or absent | Defined fix schema |

SARIF and Code Fix Suggestions

SARIF includes a defined schema for suggested fixes: a fix can specify a set of artifact changes — which files to modify, which text ranges to replace, and what to replace them with. This allows analysis tools to encode machine-applicable fixes alongside findings.

SARIF-encoded fixes are the data format that enables automated remediation workflows: a tool produces findings with embedded fixes, and a downstream system (CI pipeline, IDE extension, governance system) applies those fixes programmatically.
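The following added example (not code from this page or from the Hyrax project) shows what "applies those fixes programmatically" involves: it reads a SARIF `fix` object with its `artifactChanges` and `replacements`, converts each `deletedRegion` into a character span, and rewrites the file text. The source file and the fix are constructed sample data. Assumptions: regions give 1-based `startLine`/`startColumn`/`endLine`/`endColumn` with `endColumn` exclusive, as SARIF defines, and columns count Unicode characters (the SARIF default `columnKind`), which matches Python string indexing. The check a practitioner wants is included: when the region carries a `snippet`, the text on disk must still match it, otherwise the fix is stale and is refused rather than applied.

```python
"""Apply a SARIF 2.1.0 fix (fixes[].artifactChanges[].replacements[]) to file text.

Added example, not code from the page or from the Hyrax project. The file
content and the fix object are constructed sample data.
"""

# Constructed source tree: uri -> file text.
FILES = {
    "src/app/render.py": (
        "def page(name):\n"
        "    return '<h1>' + name + '</h1>'\n"
    ),
}

# Constructed SARIF fix: HTML-encode the value and add the import it needs.
SAMPLE_FIX = {
    "description": {"text": "HTML-encode the user-supplied value"},
    "artifactChanges": [{
        "artifactLocation": {"uri": "src/app/render.py"},
        "replacements": [
            {   # columns 21-24 on line 2 hold "name"; endColumn 25 is exclusive
                "deletedRegion": {"startLine": 2, "startColumn": 21,
                                  "endLine": 2, "endColumn": 25,
                                  "snippet": {"text": "name"}},
                "insertedContent": {"text": "html.escape(name)"},
            },
            {   # an empty region is a pure insertion: prepend the import
                "deletedRegion": {"startLine": 1, "startColumn": 1,
                                  "endLine": 1, "endColumn": 1},
                "insertedContent": {"text": "import html\n"},
            },
        ],
    }],
}


def _offset(lines, line, col):
    """Translate a 1-based (line, column) into a 0-based index into the text."""
    if line < 1 or line > len(lines):
        raise ValueError(f"line {line} out of range")
    return sum(len(l) for l in lines[:line - 1]) + (col - 1)


def _region_span(text, region):
    """Return the (start, end) character span a SARIF region denotes."""
    lines = text.splitlines(keepends=True)
    start_line = region["startLine"]
    end_line = region.get("endLine", start_line)
    start = _offset(lines, start_line, region.get("startColumn", 1))
    if "endColumn" in region:
        end = _offset(lines, end_line, region["endColumn"])
    else:
        # Assumption: no endColumn means "to the end of endLine", newline included.
        end = sum(len(l) for l in lines[:end_line])
    if start > end or end > len(text):
        raise ValueError(f"malformed region {region}")
    return start, end


def apply_fix(files, fix):
    """Return a new {uri: text} mapping with every artifactChange of `fix` applied.

    Refuses to touch a file when a deletedRegion.snippet no longer matches the
    text on disk (the fix was computed against an older revision) or when two
    replacements overlap, so a wrong edit is never written.
    """
    out = dict(files)
    for change in fix["artifactChanges"]:
        uri = change["artifactLocation"]["uri"]
        if uri not in out:
            raise KeyError(f"fix targets unknown artifact {uri}")
        text = out[uri]
        spans = []
        for rep in change["replacements"]:
            region = rep["deletedRegion"]
            start, end = _region_span(text, region)
            expected = region.get("snippet", {}).get("text")
            if expected is not None and text[start:end] != expected:
                raise ValueError(f"{uri}:{region['startLine']}: file has "
                                 f"{text[start:end]!r}, fix expected {expected!r}; stale fix")
            spans.append((start, end, rep.get("insertedContent", {}).get("text", "")))
        # Apply from the end of the file backwards so earlier offsets stay valid.
        ordered = sorted(spans, key=lambda s: s[0], reverse=True)
        for (s1, _, _), (_, e2, _) in zip(ordered, ordered[1:]):
            if e2 > s1:
                raise ValueError(f"overlapping replacements in {uri}")
        for start, end, new in ordered:
            text = text[:start] + new + text[end:]
        out[uri] = text
    return out


if __name__ == "__main__":
    print(apply_fix(FILES, SAMPLE_FIX)["src/app/render.py"])
```

Applying replacements in reverse offset order is what makes multiple edits to one file safe without recomputing positions; the snippet comparison is the cheap guard that keeps an automated pipeline from editing a line that moved between the scan and the fix.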

SARIF and Autonomous Code Governance

SARIF is the interoperability layer in autonomous code governance pipelines. Hydra ingests SARIF output from any compliant analysis tool — linters, SAST scanners, custom analyzers — as detection input. Because SARIF is standardized, new tools can be added to the detection layer without requiring custom integration work for each.

SARIF fix suggestions embedded in findings also feed directly into Hydra's fix generation pipeline, where they are used as starting points that are then verified, convention-matched, and enriched before delivery as pull requests.

Frequently Asked Questions

Who maintains the SARIF standard?

SARIF is an OASIS open standard (SARIF Version 2.1.0 is the current release). It was originally developed by Microsoft and contributed to OASIS for standardization. The specification is publicly available and freely implementable.

How do I upload SARIF results to GitHub?

GitHub's code scanning API accepts SARIF uploads via `gh` CLI or REST API. After running your analysis tool and producing a SARIF file, use `gh code-scanning upload-results --sarif <file>` or the REST endpoint `POST /repos/{owner}/{repo}/code-scanning/sarifs`. Results appear in the Security tab and as PR annotations.
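As an added example (not the page's or GitHub's own code), here is what a call to that REST endpoint needs to carry. The endpoint path, the requirement that the `sarif` field be the gzip-compressed file encoded as base64, and the `commit_sha`/`ref` fields come from GitHub's public REST documentation; the repository name, commit SHA and token are placeholders. Only `upload()` touches the network, and nothing in the file calls it automatically, so the payload can be built and round-trip checked offline.

```python
"""Prepare (and optionally send) a SARIF upload to GitHub's code scanning REST API.

Added example, not code from the page or from GitHub. Endpoint, field names and
the gzip+base64 encoding follow GitHub's public REST documentation; owner, repo,
commit SHA and token are placeholders you supply.
"""
import base64
import gzip
import json
import urllib.request

MAX_GZIP_BYTES = 10 * 1024 * 1024   # GitHub's documented limit on the compressed upload


def encode_sarif(sarif_doc):
    """gzip the SARIF JSON, then base64 it, as the `sarif` field requires."""
    raw = json.dumps(sarif_doc, separators=(",", ":")).encode("utf-8")
    compressed = gzip.compress(raw, mtime=0)   # mtime=0 keeps the output reproducible
    if len(compressed) > MAX_GZIP_BYTES:
        raise ValueError(f"compressed SARIF is {len(compressed)} bytes, above the upload limit")
    return base64.b64encode(compressed).decode("ascii")


def decode_sarif(field):
    """Inverse of encode_sarif; useful for checking a payload before sending it."""
    return json.loads(gzip.decompress(base64.b64decode(field)).decode("utf-8"))


def build_payload(sarif_doc, commit_sha, ref, checkout_uri=None):
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs."""
    if len(commit_sha) != 40 or any(c not in "0123456789abcdef" for c in commit_sha):
        raise ValueError("commit_sha must be the full 40-character hex SHA the scan ran on")
    if not ref.startswith("refs/"):
        raise ValueError("ref must be fully qualified, e.g. refs/heads/main or refs/pull/42/merge")
    payload = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif_doc)}
    if checkout_uri:
        # Lets GitHub map absolute paths in the SARIF back to the repository root.
        payload["checkout_uri"] = checkout_uri
    return payload


def upload(owner, repo, payload, token):
    """Send the payload; returns the JSON body (GitHub replies with an id and url)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed minimal SARIF log; in practice read the scanner's output file.
    sarif = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-scanner"}},
                                           "results": []}]}
    body = build_payload(sarif, "0" * 40, "refs/heads/main")   # placeholder SHA
    print(json.dumps({k: (v if k != "sarif" else v[:24] + "...") for k, v in body.items()}))
    # upload("OWNER", "REPO", body, "PLACEHOLDER_TOKEN")  # uncomment with real values
```

The two validation checks mirror the errors that usually come back from the API: a short or abbreviated SHA, or a bare branch name instead of `refs/heads/...`, is rejected, so catching them locally saves a round trip.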

Does every static analysis tool produce SARIF?

Not every tool, but adoption is growing rapidly. Most enterprise SAST tools and the major open-source scanners (Semgrep, CodeQL, Trivy) produce SARIF natively or with a plugin. Some tools require a conversion step. The SARIF multitool open-source project provides conversion utilities for common formats.
