
A GitHub Action to render SARIF Security Reports right into your Pull Requests. Without the need for GHAS support!

falc0nTech/SARIFCourier

SARIF Courier Logo

Render SARIF Security Reports directly in your Pull Requests – no GitHub Advanced Security (GHAS) required!

✨ What is SARIF Courier?

SARIF Courier is a GitHub Action that takes a SARIF (Static Analysis Results Interchange Format) report and posts a beautifully formatted summary as a comment on your Pull Requests. This enables you to surface security and static analysis findings in your PR workflow, even if you do not have access to GitHub Advanced Security (GHAS).

  • No GHAS required: Works for all repositories, public or private.
  • Instant feedback: See security and code analysis results right in your PRs.
  • Easy integration: Just drop the action in your workflow and point it to your SARIF file.

💡 Why SARIF Courier?

  • Universal: Works with any SARIF-compliant tool (CodeQL, Semgrep, ESLint, etc.).
  • No vendor lock-in: No need for GHAS or paid features.
  • Fast feedback: Developers see issues before merging.

🚦 Usage

🔑 Required Environment Variables & Permissions

  • GITHUB_TOKEN: Provided automatically by GitHub Actions. Used to post comments on PRs.
    • Permissions required:
      • contents: write (to create/update comments)
      • pull-requests: write (recommended for private repos)

No additional secrets or configuration are needed.

Note

SARIF Courier automatically uses environment variables provided by GitHub Actions for repository name, pull request number, and ref name. You do not need to set these manually—only GITHUB_TOKEN is required for posting comments. See the GitHub Actions documentation for more details.

📝 Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| sarif_file | Path to the SARIF file to process. | Yes | results.sarif |

Integration

Add the following step to your workflow after generating a SARIF report:

```yaml
- name: Render SARIF in PR
  uses: Security-Falcon/SARIFCourier@v1
  with:
    sarif_file: path/to/your-report.sarif
```

Output on PR

[Screenshot: the rendered SARIF summary comment on a pull request]
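To make concrete what a SARIF-to-comment renderer produces, the following is an added Python example, not SARIF Courier's own code: it parses a SARIF 2.1.0 document, flattens the results of every run into findings, sorts them by severity, and renders the Markdown summary table that would be posted as the PR comment. The sample report, tool name, rule ids and file paths are all constructed for illustration; the rendering also handles a result that carries no location, which real reports do contain.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document used as sample input (not output of any real scanner).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {
                "ruleId": "EX001",
                "level": "error",
                "message": {"text": "Password string assigned to a variable"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/config.py"},
                    "region": {"startLine": 12},
                }}],
            },
            {
                # Deliberately has no "locations": a renderer must not crash on it.
                "ruleId": "EX002",
                "level": "note",
                "message": {"text": "Variable 'tmp' is never read"},
            },
            {
                "ruleId": "EX001",
                "level": "warning",
                "message": {"text": "Token-like literal"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/auth.py"},
                    "region": {"startLine": 40},
                }}],
            },
        ],
    }],
})

# Display order for SARIF result levels (most severe first).
SEVERITY_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


def parse_sarif(text):
    """Flatten every run's results into a severity-sorted list of finding dicts."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown tool")
        for res in run.get("results", []):
            # Only the first location is shown; a missing location renders as "(no file)".
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "(no file)")
            line = loc.get("region", {}).get("startLine")
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", "(no rule)"),
                # The SARIF spec's fallback level when a result omits it is "warning".
                "level": res.get("level", "warning"),
                "message": res.get("message", {}).get("text", ""),
                "file": uri,
                "line": line,
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["level"], 9), f["file"], f["line"] or 0))
    return findings


def count_by_level(findings):
    """Return {level: count} for the summary line."""
    return dict(Counter(f["level"] for f in findings))


def render_markdown(findings):
    """Render the findings as the Markdown body of a PR comment."""
    if not findings:
        return "No findings reported."
    counts = count_by_level(findings)
    ordered = sorted(counts.items(), key=lambda kv: SEVERITY_ORDER.get(kv[0], 9))
    lines = ["### Static analysis findings", "",
             ", ".join(f"{n} {lvl}" for lvl, n in ordered), "",
             "| Level | Rule | Location | Message |", "|---|---|---|---|"]
    for f in findings:
        where = f["file"] if f["line"] is None else f"{f['file']}:{f['line']}"
        msg = f["message"].replace("|", "\\|")  # keep table cells intact
        lines.append(f"| {f['level']} | `{f['rule']}` | `{where}` | {msg} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(parse_sarif(SAMPLE_SARIF)))
```

Running the script prints a comment body with a "1 error, 1 warning, 1 note" summary line followed by the table; in a real workflow the same Markdown would be sent to the pull request's comment endpoint using the job's `GITHUB_TOKEN`.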

Example Workflow

```yaml
name: Static Analysis
on:
  pull_request:
    branches: [main]

permissions:
  contents: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run your static analysis tool
        run: |
          # ...run your tool, output SARIF to results.sarif...
          # ...assuming exit code 1
      - name: Render SARIF in PR
        # Runs only when the analysis step failed (exit code 1 above),
        # i.e. when there are findings worth posting to the PR.
        if: failure()
        uses: Security-Falcon/SARIFCourier@v1
        with:
          sarif_file: results.sarif
```

🛠️ License

MIT License. See LICENSE.
