Skip to content
Latchkey

gitleaks SARIF Output for GitHub Code Scanning

gitleaks --report-format sarif emits a SARIF report that GitHub code scanning ingests via the upload-sarif action.

SARIF turns gitleaks findings into annotations in the GitHub Security tab and inline on the PR. The CLI writes it; a workflow step uploads it.

What it does

With --report-format sarif --report-path gitleaks.sarif, gitleaks writes findings in SARIF 2.1.0. github/codeql-action/upload-sarif@v3 then publishes them to code scanning, where each leak shows as a security alert.

Common usage

.github/workflows/security.yml
- name: gitleaks
  run: gitleaks detect --source . --no-banner \
    --report-format sarif --report-path gitleaks.sarif
  continue-on-error: true
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: gitleaks.sarif

Options

Flag / stepWhat it does
--report-format sarifEmit SARIF 2.1.0 instead of JSON
--report-path <file>Where to write the .sarif file
--no-bannerSuppress the ASCII banner in logs
upload-sarif sarif_filePath the codeql-action uploads
if: always()Upload even when the scan step exited non-zero

In CI

gitleaks exits 1 on a finding, which would skip the upload step, so use continue-on-error: true on the scan and if: always() on the upload so the SARIF reaches GitHub even when the build is meant to fail. Uploading requires security-events: write permission and (on private repos) GitHub Advanced Security.

Common errors in CI

"Resource not accessible by integration" on upload-sarif means the job lacks permissions: security-events: write. "Path does not exist: gitleaks.sarif" means the scan step exited before writing the report; ensure --report-path is set and the scan ran. On a public-vs-private repo without Advanced Security, code scanning upload is rejected.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →