Skip to content
Latchkey

checkov -o sarif: Findings in GitHub Code Scanning

checkov -o sarif emits a SARIF report you upload to GitHub so findings show as code scanning alerts.

SARIF turns Checkov findings into inline PR annotations and tracked alerts in the Security tab, instead of buried log output that nobody reads.

What it does

checkov -o sarif serializes results into SARIF with each failed check as a result keyed by its CKV ID and file location. Written to a file, it feeds github/codeql-action/upload-sarif. You can pass -o more than once to also keep human-readable cli output in the same run.

Common usage

Terminal
# SARIF to a file
checkov -d . -o sarif --output-file-path .
# both cli output and a SARIF file
checkov -d . -o cli -o sarif --output-file-path console,results.sarif

Upload step

.github/workflows/scan.yml
- name: checkov
  run: checkov -d . -o sarif --output-file-path .
  continue-on-error: true

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Options

FlagWhat it does
-o sarifEmit SARIF (repeatable with other formats)
--output-file-path <path>Directory or comma list mapping outputs to files
continue-on-error: trueLet the upload run even when checks failed
security-events: writeWorkflow permission required to upload SARIF

In CI

checkov exits 1 on findings, which stops the step before upload, so add continue-on-error: true (or --soft-fail) and grant security-events: write. With --output-file-path . Checkov writes results.sarif into the working directory; point the upload at that exact filename.

Common errors in CI

"Resource not accessible by integration" on upload means the workflow lacks security-events: write. "Path does not exist" for the SARIF means the scan exited before writing it, usually because the step failed and was not marked continue-on-error. Mismatched --output-file-path and sarif_file values leave the upload pointing at a missing file.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →