CI/CD Integration

SARIF output, meaningful exit codes, ready-made GitHub Action.

Exit Codes

Code  Meaning                 Use
0     Clean                   Pipeline passes
1     Warnings found          Pipeline warns (non-blocking)
2     Critical issues found   Pipeline fails

GitHub Actions

Security scan on every PR

.github/workflows/sarix.yml
name: Sarix Security Scan

on:
  pull_request:
    branches: [main]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Sarix
        run: pip install sarix

      - name: Run security scan
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: sarix scan src/ --task security -o sarif > sarix.sarif

      - name: Upload SARIF
        # Run even when the scan exits 1 or 2; otherwise a failed scan step
        # skips the upload and the findings never reach the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarix.sarif

Diff-only scan (faster, cheaper)

.github/workflows/sarix-diff.yml
name: Sarix Diff Review

on:
  pull_request:
    branches: [main]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - run: pip install sarix

      - name: Review changed files
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: sarix diff --task security -o sarif > sarix.sarif

      - name: Upload SARIF
        # Run even when the review step fails on findings, so the results are still uploaded
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarix.sarif

GitLab CI

.gitlab-ci.yml
sarix-scan:
  image: python:3.12
  stage: test
  script:
    - pip install sarix
    - sarix scan src/ --task security -o json > report.json
  artifacts:
    reports:
      codequality: report.json
  variables:
    OPENAI_API_KEY: $OPENAI_API_KEY

Pre-commit Hook

.pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: sarix-security
        name: Sarix Security Check
        entry: sarix diff --staged --task security
        language: system
        pass_filenames: false
        stages: [commit]

SARIF Output

SARIF (Static Analysis Results Interchange Format) is the standard results format consumed by GitHub's Security tab, the VS Code SARIF Viewer, and other tools.

Terminal
$ sarix security src/auth.py -o sarif > results.sarif

The SARIF output includes tool information, rules with CWE mappings, and results with precise file locations.
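The following is an added example, not part of Sarix, showing how a CI gate can consume the SARIF file described above and map it onto the exit-code scheme from the Exit Codes section. It assumes standard SARIF 2.1.0 structure with result "level" set to "error" for critical findings and "warning" for non-blocking ones; the embedded report, rule ids and CWE tags are constructed sample data.

```python
"""CI gate: derive the 0 / 1 / 2 exit code from a SARIF 2.1.0 report.

Added example, not Sarix's own code. Assumes critical findings carry
level "error" and non-blocking ones level "warning"; sample data is constructed.
"""
import json
import sys

EXIT_CLEAN, EXIT_WARNINGS, EXIT_CRITICAL = 0, 1, 2

# Constructed sample of a minimal SARIF log from a security scan (not real output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sarix", "rules": [
            {"id": "SX001", "properties": {"tags": ["security", "external/cwe/cwe-89"]}},
            {"id": "SX002", "properties": {"tags": ["security", "external/cwe/cwe-798"]}},
        ]}},
        "results": [
            {"ruleId": "SX001", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "SX002", "level": "warning",
             "message": {"text": "Hard-coded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize(sarif_text):
    """Return (exit_code, findings); each finding is (level, uri, line, ruleId, message)."""
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when the result omits it
            if level == "none":                  # informational only, never gates the build
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((level, uri, line, res.get("ruleId", ""), res["message"]["text"]))
    if any(f[0] == "error" for f in findings):
        return EXIT_CRITICAL, findings   # any critical finding fails the pipeline
    return (EXIT_WARNINGS if findings else EXIT_CLEAN), findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, findings = summarize(text)
    for level, uri, line, rule, msg in findings:
        print(f"{level:7} {uri}:{line} [{rule}] {msg}")
    sys.exit(code)
```

Run it as `python gate.py sarix.sarif` after the scan step; with the embedded sample it prints both findings and exits 2.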