SARIF

How OLYDI emits SARIF and mirrors it into the GitHub Security tab.

SARIF

OLYDI emits findings in SARIF 2.1.0 so they interoperate with the GitHub Security tab and any other SARIF-aware tooling.

Ingest

The CLI writes olydi.sarif by default. The Action uploads the same document to the repository via the code-scanning API.

npx @olydi/cli scan --sarif olydi.sarif

Security-tab mirror

When run through the Action (with security-events: write), findings appear under the repository Security → Code scanning tab. Each finding carries:

  • a stable ruleId for the detector,
  • the file and region the finding applies to,
  • a severity level mapped to the SARIF level and a security-severity score.

Dedup and fingerprints

OLYDI sets partialFingerprints so the Security tab can track a finding across commits and avoid re-alerting on an unchanged issue. The fingerprint is derived from the rule and a normalised location, not from line numbers alone, so unrelated edits do not reopen a cleared finding.