# SARIF Output

SquireX emits SARIF v2.1.0, the industry-standard format for security analysis results. The output is compatible with GitHub Advanced Security, GitLab, the VS Code SARIF Viewer, and any other SARIF-aware tool.
## Generate SARIF

```bash
# Write to file
squirex scan -d ./force-app --sarif results.sarif

# PR-scoped SARIF
squirex scan-pr -d ./force-app --base main --sarif results.sarif
```
## Output Schema

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "SquireX",
        "version": "2.0.0",
        "informationUri": "https://squirex.dev",
        "rules": [...]
      }
    },
    "results": [{
      "ruleId": "AGENTFORCE-1.1",
      "level": "error",
      "message": {
        "text": "GenAiFunction 'Submit_Case' invokes Apex target without requiresConfirmation: true"
      },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "Submit_Case.genAiFunction-meta.xml" },
          "region": { "startLine": 12 }
        }
      }]
    }]
  }]
}
```
## Vulnerability Chains
When the chaining engine composes multiple findings into a reachable, trust-boundary-crossing attack path, every constituent finding is kept as its own result and an extra synthesized chain result is emitted:
```json
{
  "level": "error",
  "message": { "text": "Vulnerability chain: 3 findings on a reachable path that crosses a trust boundary into an external-callout sink compose to critical severity." },
  "relatedLocations": [
    { "physicalLocation": { "artifactLocation": { "uri": "FindingA.cls" } } },
    { "physicalLocation": { "artifactLocation": { "uri": "FindingB.cls" } } }
  ],
  "properties": {
    "chain": ["AgentEntry", "ChokeNode", "Sink"],
    "chokePoint": "ChokeNode",
    "constituentRuleIds": ["AGENTFORCE-1.1", "AGENTFORCE-7.2", "AGENTFORCE-12.3"]
  }
}
```
`relatedLocations` makes the full path navigable in GitHub Advanced Security and the VS Code viewer. `properties.chokePoint` is the single node to remediate first; the CI-Native Agent targets it for the highest-leverage fix.
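To show how a CI step might consume this output, here is an added Python example (it is not part of SquireX or of this page) that parses a constructed SquireX-style SARIF log, counts results by SARIF level, pulls out the synthesized chain results together with their `chokePoint`, and checks that every entry in `constituentRuleIds` corresponds to a plain result present in the same run. The sample document, the treatment of a missing `level` as `warning` (the SARIF default), and the merge-gate policy in `should_block_merge` are assumptions of the example.

```python
import json
from collections import Counter

# Constructed sample SquireX-style SARIF log (shape follows the documented
# schema; file names, line numbers and message texts are made up for this example).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SquireX", "version": "2.0.0", "rules": []}},
        "results": [
            {
                "ruleId": "AGENTFORCE-1.1",
                "level": "error",
                "message": {"text": "GenAiFunction 'Submit_Case' invokes Apex target "
                                    "without requiresConfirmation: true"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "Submit_Case.genAiFunction-meta.xml"},
                    "region": {"startLine": 12}}}],
            },
            {
                "ruleId": "AGENTFORCE-7.2",
                "level": "warning",
                "message": {"text": "constructed medium-severity finding"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "FindingB.cls"},
                    "region": {"startLine": 40}}}],
            },
            {   # synthesized chain result: no ruleId, the path lives in the properties bag
                "level": "error",
                "message": {"text": "Vulnerability chain: 2 findings on a reachable path "
                                    "that crosses a trust boundary compose to critical severity."},
                "relatedLocations": [
                    {"physicalLocation": {"artifactLocation": {"uri": "Submit_Case.genAiFunction-meta.xml"}}},
                    {"physicalLocation": {"artifactLocation": {"uri": "FindingB.cls"}}},
                ],
                "properties": {
                    "chain": ["AgentEntry", "ChokeNode", "Sink"],
                    "chokePoint": "ChokeNode",
                    "constituentRuleIds": ["AGENTFORCE-1.1", "AGENTFORCE-7.2"],
                },
            },
        ],
    }],
})


def is_chain(result):
    """A chain result is recognised by the 'chain' key in its properties bag."""
    return "chain" in result.get("properties", {})


def triage(sarif_text):
    """Parse a SARIF 2.1.0 log and summarise it for a CI gate.

    Returns per-level counts plus one entry per vulnerability chain with the
    choke point to fix first and any constituent rule ids that have no plain
    result in the same run (a consistency check this example adds; SquireX
    keeps every constituent finding as its own result).
    """
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")

    counts = Counter()
    chains = []
    for run in doc.get("runs", []):
        results = run.get("results", [])
        plain_rule_ids = {r.get("ruleId") for r in results if not is_chain(r)}
        for r in results:
            # SARIF defines "warning" as the default when level is absent.
            counts[r.get("level", "warning")] += 1
            if not is_chain(r):
                continue
            props = r["properties"]
            chains.append({
                "choke_point": props.get("chokePoint"),
                "path": list(props["chain"]),
                "files": [loc["physicalLocation"]["artifactLocation"]["uri"]
                          for loc in r.get("relatedLocations", [])],
                "missing_constituents": [rid for rid in props.get("constituentRuleIds", [])
                                         if rid not in plain_rule_ids],
            })
    return {"counts": dict(counts), "chains": chains}


def should_block_merge(summary, fail_level="error"):
    """Example gate policy (an assumption): block when any result is at or above fail_level."""
    order = {"note": 0, "warning": 1, "error": 2}
    threshold = order[fail_level]
    return any(order.get(level, 1) >= threshold and n > 0
               for level, n in summary["counts"].items())


if __name__ == "__main__":
    summary = triage(SAMPLE_SARIF)
    print(json.dumps(summary, indent=2))
    for chain in summary["chains"]:
        print("fix first:", chain["choke_point"], "on path", " -> ".join(chain["path"]))
    raise SystemExit(1 if should_block_merge(summary) else 0)
```

Run it against a real `results.sarif` by replacing `SAMPLE_SARIF` with the file's contents; the non-zero exit status from `should_block_merge` is what a pipeline step would key on, and `missing_constituents` staying empty is a cheap sanity check that the chain result and its constituent findings were emitted together.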
## Severity Mapping
| SquireX Severity | SARIF level |
|---|---|
| Critical | error |
| High | error |
| Medium | warning |
| Low | note |
## GitHub Advanced Security Upload

```yaml
- name: Upload SARIF to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
    category: agentforce-capability
```
Tip: SARIF uploads require a `permissions:` block that grants `security-events: write` in your workflow, and GitHub Advanced Security must be enabled on the repository.
## VS Code Local Viewer

Install the SARIF Viewer extension and open `results.sarif` directly.