Skip to content
Latchkey

tflint --format sarif: TFLint Findings in Code Scanning

tflint --format=sarif writes findings as SARIF so they appear as code scanning alerts in the GitHub Security tab.

SARIF is the format GitHub code scanning ingests. Emitting TFLint results as SARIF turns lint findings into inline PR annotations and tracked security alerts.

What it does

tflint --format=sarif serializes every finding into a SARIF run with rule IDs and source locations. You redirect it to a file and hand that file to github/codeql-action/upload-sarif, which renders the results in the Security tab and as PR annotations.

Common usage

Terminal
tflint --init
tflint --recursive --format=sarif > tflint.sarif

Upload step

.github/workflows/lint.yml
- name: tflint
  run: tflint --recursive --format=sarif > tflint.sarif
  continue-on-error: true

- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: tflint.sarif

Options

ItemWhat it does
--format=sarifEmit findings in SARIF 2.1.0
> file.sarifRedirect SARIF to a file for upload
--recursiveInclude findings from all subdirectories
upload-sarif actionPublishes the file to GitHub code scanning

In CI

tflint exits 2 when it finds issues, which fails the step before the upload runs. Add continue-on-error: true (or split the run so the upload always executes) so the SARIF still reaches the Security tab even when there are findings. Uploading SARIF requires security-events: write permission in the workflow.

Common errors in CI

"Resource not accessible by integration" on upload means the workflow lacks security-events: write. An empty Security tab usually means the upload step was skipped because tflint exited non-zero; add continue-on-error. "is not valid SARIF" almost always means stderr text leaked into the file; redirect only stdout with >, not 2>&1.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →