checkov -o sarif: Findings in GitHub Code Scanning
checkov -o sarif emits a SARIF report you upload to GitHub so findings show as code scanning alerts.
SARIF turns Checkov findings into inline PR annotations and tracked alerts in the Security tab, instead of buried log output that nobody reads.
What it does
checkov -o sarif serializes results into SARIF with each failed check as a result keyed by its CKV ID and file location. Written to a file, it feeds github/codeql-action/upload-sarif. You can pass -o more than once to also keep human-readable cli output in the same run.
Common usage
# SARIF to a file
checkov -d . -o sarif --output-file-path .
# both cli output and a SARIF file
checkov -d . -o cli -o sarif --output-file-path console,results.sarifUpload step
- name: checkov
run: checkov -d . -o sarif --output-file-path .
continue-on-error: true
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifOptions
| Flag | What it does |
|---|---|
| -o sarif | Emit SARIF (repeatable with other formats) |
| --output-file-path <path> | Directory or comma list mapping outputs to files |
| continue-on-error: true | Let the upload run even when checks failed |
| security-events: write | Workflow permission required to upload SARIF |
In CI
checkov exits 1 on findings, which stops the step before upload, so add continue-on-error: true (or --soft-fail) and grant security-events: write. With --output-file-path . Checkov writes results.sarif into the working directory; point the upload at that exact filename.
Common errors in CI
"Resource not accessible by integration" on upload means the workflow lacks security-events: write. "Path does not exist" for the SARIF means the scan exited before writing it, usually because the step failed and was not marked continue-on-error. Mismatched --output-file-path and sarif_file values leave the upload pointing at a missing file.