
Sample SARIF Output

This page shows annotated SARIF output from a SquireX scan against a representative ServiceNow Update Set containing an AI Agent deployment.

Running a ServiceNow Scan

npx squirex scan \
--input ./update-set-export.xml \
--platform servicenow \
--format sarif \
--output results.sarif

Example SARIF Finding

The following SARIF document carries a real finding for SNOW-28.1 (GlideRecord in ACL Script: Recursive Bypass), followed by two further results (SNOW-21.1 and SNOW-5.1) from the same scan:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "SquireX",
          "version": "4.0.0",
          "informationUri": "https://squirex.dev",
          "rules": [
            {
              "id": "SNOW-28.1",
              "name": "ACLScriptUsingGlideRecord",
              "shortDescription": {
                "text": "ACL Script Using GlideRecord (Recursive Bypass)"
              },
              "fullDescription": {
                "text": "Detects GlideRecord usage in ACL scripts. GlideRecord bypasses all ACL checks entirely, creating a recursive bypass when used inside ACL evaluation."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "properties": {
                "tags": ["security", "servicenow", "acl", "gliderecord"],
                "precision": "high",
                "security-severity": "9.1"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "SNOW-28.1",
          "level": "error",
          "message": {
            "text": "GlideRecord('sys_user') found in ACL script. This creates a recursive ACL bypass: the access control check itself skips access control checks."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "sys_security_acl_it_agent_read.xml",
                  "uriBaseId": "%SRCROOT%"
                },
                "region": {
                  "startLine": 14,
                  "startColumn": 5
                }
              },
              "logicalLocations": [
                {
                  "name": "IT Agent Read ACL",
                  "kind": "acl",
                  "fullyQualifiedName": "sys_security_acl.it_agent_read"
                }
              ]
            }
          ],
          "fixes": [
            {
              "description": {
                "text": "Replace GlideRecord with gs.hasRole() or GlideRecordSecure"
              },
              "artifactChanges": [
                {
                  "artifactLocation": {
                    "uri": "sys_security_acl_it_agent_read.xml"
                  },
                  "replacements": [
                    {
                      "deletedRegion": {
                        "startLine": 14,
                        "startColumn": 5,
                        "endLine": 14,
                        "endColumn": 40
                      },
                      "insertedContent": {
                        "text": "var hasAccess = gs.hasRole('itil');"
                      }
                    }
                  ]
                }
              ]
            }
          ]
        },
        {
          "ruleId": "SNOW-21.1",
          "level": "error",
          "message": {
            "text": "Agent script queries sensitive table 'sys_user' without field filtering or data privacy classification checks. All fields from this table will be ingested into the AI agent's context window."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "sys_script_include_agent_lookup.xml"
                },
                "region": {
                  "startLine": 8,
                  "startColumn": 3
                }
              }
            }
          ]
        },
        {
          "ruleId": "SNOW-5.1",
          "level": "warning",
          "message": {
            "text": "Flow action 'Create Incident' accepts inputs from an AI agent without validation. LLM-generated parameters can contain injection payloads."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "sys_hub_action_create_incident.xml"
                },
                "region": {
                  "startLine": 22,
                  "startColumn": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Understanding the Output

Severity Levels

SARIF Level | SquireX Severity | Meaning
error       | Critical / High  | Immediate remediation required: exploitable vulnerability
warning     | Medium           | Security best practice violation: should be addressed
note        | Low              | Informational finding: review recommended

Key Fields

  • ruleId: Maps to the SNOW-* rule taxonomy (e.g., SNOW-28.1)
  • security-severity: CVSS-style score (0.0 to 10.0) for security tooling integration
  • logicalLocations: ServiceNow-specific identifiers (ACL name, Script Include name)
  • fixes: Auto-remediation suggestions when available

GitHub Advanced Security Integration

SARIF output integrates directly with GitHub Code Scanning:

# .github/workflows/squirex-scan.yml
# The job running this step needs `permissions: security-events: write`,
# otherwise the upload is rejected.
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
    category: squirex-servicenow

Findings appear in the Security tab → Code scanning alerts, with full rule descriptions, severity ratings, and remediation guidance.

Multi-Platform Scan

SquireX can scan both Agentforce and ServiceNow artifacts in a single run:

npx squirex scan \
--input ./force-app/ \
--input ./update-set-export.xml \
--format sarif \
--output combined-results.sarif

The SARIF output will contain findings from both AGENTFORCE-* and SNOW-* rule namespaces, with platform tags for filtering.
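Consuming such a combined file outside GitHub, as an added example that is not part of SquireX or this page: the script below maps each result's SARIF level to the SquireX severity from the table above, splits findings by their SNOW-* or AGENTFORCE-* rule namespace, reads the security-severity score from the declared rule, and applies a SARIF fixes replacement to the artifact text. The embedded SARIF document and ACL script are constructed (the AGENTFORCE rule id and the Apex path are placeholders), and column handling follows SARIF 2.1.0 (1-based columns, endColumn exclusive).

```python
import json

# SARIF level -> SquireX severity, as in the table on this page.
LEVEL_TO_SEVERITY = {"error": "Critical / High", "warning": "Medium", "note": "Low"}

def triage(sarif_text):
    """Flatten results: rule id, platform namespace, severity, security-severity score, location, fix."""
    doc, records = json.loads(sarif_text), []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            rule_id, loc = res["ruleId"], res["locations"][0]["physicalLocation"]
            score = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            fixes = res.get("fixes") or []
            records.append({
                "ruleId": rule_id,
                "platform": rule_id.split("-", 1)[0],  # SNOW-* or AGENTFORCE-* namespace
                "severity": LEVEL_TO_SEVERITY.get(res["level"], "Unknown"),
                "score": float(score) if score is not None else None,  # None if rule not declared
                "where": f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}',
                "fix": fixes[0]["artifactChanges"][0]["replacements"][0] if fixes else None,
            })
    return records

def apply_replacement(text, replacement):
    """Apply one single-line SARIF replacement. Columns are 1-based and endColumn is exclusive."""
    region, lines = replacement["deletedRegion"], text.split("\n")
    row = region["startLine"] - 1
    if region.get("endLine", region["startLine"]) != region["startLine"]:
        raise ValueError("multi-line regions are outside this example")
    start, end = region["startColumn"] - 1, region["endColumn"] - 1
    lines[row] = lines[row][:start] + replacement["insertedContent"]["text"] + lines[row][end:]
    return "\n".join(lines)

# Constructed sample, reduced from the page's finding (the AGENTFORCE rule id is a placeholder).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "SquireX", "rules": [{"id": "SNOW-28.1", "properties": {"security-severity": "9.1"}}]}},
    "results": [
        {"ruleId": "SNOW-28.1", "level": "error", "message": {"text": "GlideRecord in ACL script"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sys_security_acl_it_agent_read.xml"},
                                             "region": {"startLine": 2, "startColumn": 5}}}],
         "fixes": [{"artifactChanges": [{"artifactLocation": {"uri": "sys_security_acl_it_agent_read.xml"},
                    "replacements": [{"deletedRegion": {"startLine": 2, "startColumn": 5, "endLine": 2, "endColumn": 42},
                                      "insertedContent": {"text": "var hasAccess = gs.hasRole('itil');"}}]}]}]},
        {"ruleId": "AGENTFORCE-0.0", "level": "warning", "message": {"text": "placeholder finding"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "force-app/classes/Lookup.cls"},
                                             "region": {"startLine": 7, "startColumn": 1}}}]}]}]})

# Constructed two-line ACL script; line 2, columns 5..41, holds the call the fix replaces.
SAMPLE_ACL = "// constructed ACL script\n    var gr = new GlideRecord('sys_user');"
```

A CI gate can fail the build on any record whose severity is "Critical / High", matching the table's "immediate remediation required" row.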