gitleaks SARIF Output for GitHub Code Scanning
gitleaks --report-format sarif emits a SARIF report that GitHub code scanning ingests via the upload-sarif action.
SARIF turns gitleaks findings into annotations in the GitHub Security tab and inline on the PR. The CLI writes it; a workflow step uploads it.
What it does
With --report-format sarif --report-path gitleaks.sarif, gitleaks writes findings in SARIF 2.1.0. github/codeql-action/upload-sarif@v3 then publishes them to code scanning, where each leak shows as a security alert.
Common usage
- name: gitleaks
run: gitleaks detect --source . --no-banner \
--report-format sarif --report-path gitleaks.sarif
continue-on-error: true
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: gitleaks.sarifOptions
| Flag / step | What it does |
|---|---|
| --report-format sarif | Emit SARIF 2.1.0 instead of JSON |
| --report-path <file> | Where to write the .sarif file |
| --no-banner | Suppress the ASCII banner in logs |
| upload-sarif sarif_file | Path the codeql-action uploads |
| if: always() | Upload even when the scan step exited non-zero |
In CI
gitleaks exits 1 on a finding, which would skip the upload step, so use continue-on-error: true on the scan and if: always() on the upload so the SARIF reaches GitHub even when the build is meant to fail. Uploading requires security-events: write permission and (on private repos) GitHub Advanced Security.
Common errors in CI
"Resource not accessible by integration" on upload-sarif means the job lacks permissions: security-events: write. "Path does not exist: gitleaks.sarif" means the scan step exited before writing the report; ensure --report-path is set and the scan ran. On a public-vs-private repo without Advanced Security, code scanning upload is rejected.