Skip to content
Latchkey

osv-scanner --format sarif for Code Scanning

osv-scanner --format sarif --output osv.sarif writes SARIF for GitHub code scanning, and an osv-scanner.toml file ignores advisories you have triaged.

OSV-Scanner can both fail the build and produce SARIF for the Security tab. The ignore config keeps known/accepted advisories from re-failing every run.

What it does

With --format sarif --output osv.sarif, osv-scanner writes SARIF 2.1.0. An osv-scanner.toml with [[IgnoredVulns]] entries (id plus optional ignoreUntil and reason) excludes specific advisories from failing the scan.

Common usage

osv-scanner.toml
# osv-scanner.toml
[[IgnoredVulns]]
id = "GHSA-xxxx-yyyy-zzzz"
ignoreUntil = "2026-09-01"
reason = "no fix yet; not in a reachable path"

Options

Flag / keyWhat it does
--format sarifEmit SARIF instead of the table
--output <file>Write SARIF to this path
--config osv-scanner.tomlUse the ignore config
[[IgnoredVulns]] idAdvisory id to suppress (GHSA/CVE/OSV id)
ignoreUntilDate after which the ignore expires and re-fails

In CI

osv-scanner exits 1 on findings, so wrap the scan with continue-on-error: true and the upload with if: always() to get SARIF into code scanning even on a failing build. The job needs security-events: write. Set ignoreUntil on every ignore so suppressions expire instead of hiding a CVE forever.

Common errors in CI

"Resource not accessible by integration" on upload is the missing security-events: write permission. "could not parse config" means a malformed osv-scanner.toml (wrong table name; it is [[IgnoredVulns]], capitalized). An advisory that keeps failing despite an ignore entry usually has a past ignoreUntil date.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →