Sarix is a CLI that reads your actual source, follows the data, and decides which alerts can be exploited. The verdict ships as a comment on the PR — with the lines, the trace, and a patch worth committing.
sarix verify
A typical Semgrep run on a mid-size monorepo. Left: what your scanner gives you. Right: what Sarix gives you back.
12 alerts were dropped because the input was schema-validated, the function wasn't called, or the output was escaped. Sarix shows you why — and writes it down.
Not a dashboard. Not an email digest. A single comment on the PR — with the verdict, the trace, the patch.
The handler receives request.json["customer_id"] and concatenates it into a raw SQL string at line 142. There is no schema validation between the request and the query (verified across the call graph). A crafted body reaches the query unmodified.
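To make that verdict concrete, here is an added example (not Sarix's code and not from the page) of the pattern it describes: a handler that concatenates request.json["customer_id"] into raw SQL, beside the same lookup with the missing schema check and a parameterized query. The customers table and the request bodies are constructed for the demo.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the customers table the handler queries.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "acme"), (2, "globex"), (3, "initech")])
    return conn


def vulnerable_lookup(conn, body):
    """Mirrors the finding: body["customer_id"] is concatenated into a raw SQL
    string, and nothing between the request and the query checks its shape."""
    customer_id = body["customer_id"]
    sql = "SELECT name FROM customers WHERE id = " + str(customer_id)
    return [row[0] for row in conn.execute(sql)]


CUSTOMER_ID = re.compile(r"[0-9]{1,10}")


def validate_body(body):
    """The schema check whose absence made the alert exploitable. When a check
    like this sits between the request and the query, the same alert is noise."""
    cid = body.get("customer_id")
    if isinstance(cid, bool) or not isinstance(cid, (int, str)):
        raise ValueError("customer_id must be an integer or a decimal string")
    if isinstance(cid, str) and not CUSTOMER_ID.fullmatch(cid):
        raise ValueError("customer_id must be a decimal string")
    return int(cid)


def hardened_lookup(conn, body):
    """Validated input plus a bound parameter: the value can no longer change the query."""
    customer_id = validate_body(body)
    sql = "SELECT name FROM customers WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def demo():
    """Returns (rows leaked by the vulnerable handler, whether the hardened one rejected the body)."""
    conn = make_db()
    crafted = {"customer_id": "1 OR 1=1"}  # constructed crafted request body
    leaked = vulnerable_lookup(conn, crafted)  # every row comes back, not just id 1
    try:
        hardened_lookup(conn, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```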
No new dashboard. No agent on your laptop. A CLI that takes SARIF in, reads your code, and emits a verdict that reads like an engineer wrote it.
Whatever Semgrep, CodeQL, Bandit, Trivy, or Snyk emits — Sarix reads it. No new format, no plugin, no agent.
semgrep --sarif > alerts.sarif
It opens the cited files, traces the data across function boundaries, and reasons about whether each finding is actually reachable on the hot path.
sarix verify alerts.sarif
One comment per finding: exploitable / dismissed / fix proposed. Reasoning inline. Trace attached. You merge or you don't.
.sarix/proof/report.md
Five real scanners, five SARIF samples taken from production repos. Watch Sarix decide which alerts are signal, which are noise, and which deserve a patch.
Unedited. Paraphrased for length. Names changed when asked.
First security tool that doesn't lie to me. It told me B608 was unreachable because the input was schema-validated three frames up. It was right. I closed the issue and got back to work.
Semgrep on our monorepo emits ~1,400 alerts a week. After sarix verify we triage 60. The PR-comment format means I review a finding in 30 seconds without leaving GitHub.
We replaced two contractors who used to triage Bandit alerts with this CLI. Refund my old SaaS bill.
Cancel from the CLI any time. Every plan ships the same engine — bigger plans just call it more often.
Can't find what you're looking for? Email the maintainer.