tflint --format sarif: TFLint Findings in Code Scanning
tflint --format=sarif writes findings as SARIF so they appear as code scanning alerts in the GitHub Security tab.
SARIF is the format GitHub code scanning ingests. Emitting TFLint results as SARIF turns lint findings into inline PR annotations and tracked security alerts.
What it does
tflint --format=sarif serializes every finding into a SARIF run with rule IDs and source locations. You redirect it to a file and hand that file to github/codeql-action/upload-sarif, which renders the results in the Security tab and as PR annotations.
Common usage
tflint --init
tflint --recursive --format=sarif > tflint.sarifUpload step
- name: tflint
run: tflint --recursive --format=sarif > tflint.sarif
continue-on-error: true
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: tflint.sarifOptions
| Item | What it does |
|---|---|
| --format=sarif | Emit findings in SARIF 2.1.0 |
| > file.sarif | Redirect SARIF to a file for upload |
| --recursive | Include findings from all subdirectories |
| upload-sarif action | Publishes the file to GitHub code scanning |
In CI
tflint exits 2 when it finds issues, which fails the step before the upload runs. Add continue-on-error: true (or split the run so the upload always executes) so the SARIF still reaches the Security tab even when there are findings. Uploading SARIF requires security-events: write permission in the workflow.
Common errors in CI
"Resource not accessible by integration" on upload means the workflow lacks security-events: write. An empty Security tab usually means the upload step was skipped because tflint exited non-zero; add continue-on-error. "is not valid SARIF" almost always means stderr text leaked into the file; redirect only stdout with >, not 2>&1.