osv-scanner --format sarif for Code Scanning
osv-scanner --format sarif --output osv.sarif writes SARIF for GitHub code scanning, and an osv-scanner.toml file ignores advisories you have triaged.
OSV-Scanner can both fail the build and produce SARIF for the Security tab. The ignore config keeps known/accepted advisories from re-failing every run.
What it does
With --format sarif --output osv.sarif, osv-scanner writes SARIF 2.1.0. An osv-scanner.toml with [[IgnoredVulns]] entries (id plus optional ignoreUntil and reason) excludes specific advisories from failing the scan.
Common usage
# osv-scanner.toml
[[IgnoredVulns]]
id = "GHSA-xxxx-yyyy-zzzz"
ignoreUntil = "2026-09-01"
reason = "no fix yet; not in a reachable path"Options
| Flag / key | What it does |
|---|---|
| --format sarif | Emit SARIF instead of the table |
| --output <file> | Write SARIF to this path |
| --config osv-scanner.toml | Use the ignore config |
| [[IgnoredVulns]] id | Advisory id to suppress (GHSA/CVE/OSV id) |
| ignoreUntil | Date after which the ignore expires and re-fails |
In CI
osv-scanner exits 1 on findings, so wrap the scan with continue-on-error: true and the upload with if: always() to get SARIF into code scanning even on a failing build. The job needs security-events: write. Set ignoreUntil on every ignore so suppressions expire instead of hiding a CVE forever.
Common errors in CI
"Resource not accessible by integration" on upload is the missing security-events: write permission. "could not parse config" means a malformed osv-scanner.toml (wrong table name; it is [[IgnoredVulns]], capitalized). An advisory that keeps failing despite an ignore entry usually has a past ignoreUntil date.