FoundationMachines

GitHub Security tab (SARIF)

Sebastion uploads SARIF to GitHub Code Scanning on every audit when the App has the right permission. Same findings as the PR review, in GitHub's native triage UI.

Every Sebastion audit produces a SARIF 2.1.0 document and uploads it to GitHub Code Scanning alongside the inline PR review. The findings are the same ones you see as inline comments — just surfaced in GitHub's native Security tab so they can be triaged, dismissed, or assigned the same way as findings from CodeQL or any other code-scanning tool.

This is not a plan-gated feature. It runs on every installation that grants the right permission, including Free.

How to enable it

Sebastion needs the security_events: write permission on its GitHub App installation. If you installed Sebastion before this permission was added, GitHub will surface a "Permission update required" banner on your installation settings page. Accept it.

If the permission is missing, the SARIF upload is a silent no-op: the PR review still posts as normal, you just don't get the Security tab integration, and nothing in the PR tells you the upload was skipped.

What gets uploaded

  • One SARIF run per PR audit, tagged with the head commit SHA
  • Up to 200 results per run (we cap to stay under GitHub's compressed-payload limit)
  • One rule definition per unique finding rule ID
  • CWE tags on rule properties where the underlying scanner attaches them
  • Severities mapped: critical/high → error, medium → warning, low/info → note
  • Stable partialFingerprints.sebastionPrimary per finding so GitHub can reconcile re-audits of the same PR and avoid duplicate alerts

If a scanner emits an execution-failure notification (e.g. an OSV fetch timeout), it's included in the SARIF run as a toolExecutionNotification, so a scanner that never ran is visible in the run instead of looking like a clean pass with no findings.
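The list above is essentially a recipe for assembling the run. The following is an added illustration, not Sebastion's code: it builds a SARIF 2.1.0 document from scanner findings, applying the severity mapping, one rule per unique rule ID, CWE tags, the 200-result cap, a stable partialFingerprints.sebastionPrimary value, and a toolExecutionNotification for a scanner that failed. The finding dict shape, the sample findings, the fingerprint scheme (hash of rule ID, path and flagged source text, with the line number deliberately left out) and the choice of which findings survive the cap are all assumptions made here; the page only states the cap and the field names.

```python
import hashlib
import json
import re

# Severity mapping the page describes: critical/high -> error,
# medium -> warning, low/info -> note.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note", "info": "note"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
MAX_RESULTS = 200                      # per-run cap stated on the page
FINGERPRINT_KEY = "sebastionPrimary"

# Constructed sample findings (assumed dict shape; not real scanner output).
SAMPLE_FINDINGS = [
    {"rule_id": "py/sql-injection", "rule_name": "SQL injection", "severity": "high",
     "path": "app/db.py", "line": 42, "cwe": 89,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)',
     "message": "Request parameter is concatenated into a SQL statement"},
    {"rule_id": "py/sql-injection", "rule_name": "SQL injection", "severity": "high",
     "path": "app/reports.py", "line": 17, "cwe": 89,
     "snippet": 'cur.execute(f"SELECT * FROM reports WHERE owner={owner}")',
     "message": "Request parameter is interpolated into a SQL statement"},
    {"rule_id": "deps/known-advisory", "rule_name": "Dependency with advisory",
     "severity": "medium", "path": "requirements.txt", "line": 3,
     "snippet": "example-lib==1.0.0",
     "message": "Pinned version matches a published advisory (placeholder package)"},
    {"rule_id": "py/debug-enabled", "rule_name": "Debug mode enabled", "severity": "low",
     "path": "app/main.py", "line": 8, "snippet": "app.run(debug=True)",
     "message": "Debug mode exposes the interactive debugger"},
]


def primary_fingerprint(finding):
    """Stable identity for a finding across re-audits of the same PR.

    Assumed scheme: hash rule id, file path and the whitespace-normalised
    flagged source text, and leave the line number out.  Line numbers shift
    whenever an unrelated commit lands above the finding; a fingerprint that
    moved with them would make GitHub open a fresh alert instead of
    reconciling it with the one already in the Security tab.
    """
    snippet = re.sub(r"\s+", " ", finding.get("snippet", "")).strip()
    material = "\x00".join([finding["rule_id"], finding["path"], snippet])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:32]


def build_sarif(findings, head_sha, notifications=(), max_results=MAX_RESULTS,
                tool_name="Sebastion", repo_uri="https://github.com/example/repo"):
    """Return a SARIF 2.1.0 document containing one run."""
    # Most severe first, so the cap drops low/info findings before high ones
    # (an assumption: the page states the cap, not what it keeps).
    kept = sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]],
                  reverse=True)[:max_results]

    rules, rule_index, results = [], {}, []
    for f in kept:
        if f["rule_id"] not in rule_index:               # one rule per unique id
            rule = {"id": f["rule_id"], "name": f["rule_name"],
                    "shortDescription": {"text": f["rule_name"]},
                    "properties": {"tags": ["security"]}}
            if f.get("cwe"):                             # CWE tag when the scanner has one
                rule["properties"]["tags"].append(f"external/cwe/cwe-{f['cwe']}")
            rule_index[f["rule_id"]] = len(rules)
            rules.append(rule)
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_index[f["rule_id"]],
            "level": SEVERITY_TO_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
            "partialFingerprints": {FINGERPRINT_KEY: primary_fingerprint(f)},
        })

    # A scanner that failed (e.g. an OSV fetch timeout) is recorded as a
    # toolExecutionNotification instead of silently contributing no results.
    run = {
        "tool": {"driver": {"name": tool_name, "rules": rules}},
        "results": results,
        "invocations": [{
            "executionSuccessful": True,   # the audit finished; the notes say which scanner did not
            "toolExecutionNotifications": [
                {"level": "error", "descriptor": {"id": n["id"]},
                 "message": {"text": n["text"]}} for n in notifications],
        }],
        # Tag the run with the head commit (assumed placement; the upload API
        # call carries the same SHA separately).
        "versionControlProvenance": [{"repositoryUri": repo_uri, "revisionId": head_sha}],
    }
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [run]}


if __name__ == "__main__":
    doc = build_sarif(SAMPLE_FINDINGS, "0123abcd", notifications=[
        {"id": "osv/fetch-timeout",
         "text": "OSV lookup timed out; dependency results are incomplete"}])
    print(json.dumps(doc, indent=2))
```

The fingerprint is the part worth getting right: GitHub reconciles alerts across uploads on partialFingerprints, so anything that changes on every push (line numbers, timestamps, message text with counts in it) must stay out of it, otherwise each re-audit of the PR produces a fresh set of alerts and the old ones go stale.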

What it does not do

  • It does not post separately or duplicate the PR review. The Security tab and the inline review are two views of the same audit.
  • It does not affect Pro-only behaviour like autofix PRs. Autofix runs independently and is plan-gated; SARIF is not.
  • It does not replace GitHub's own CodeQL. Sebastion's findings sit next to any other Code Scanning tool you have configured.

When SARIF upload fails

  • Missing permission (403/404): silent no-op. The PR review still ships. To fix, accept the permission update on the App installation.
  • Repo doesn't have Code Scanning enabled: GitHub accepts the upload without an error, but the run is dropped on their side. No action needed.
  • Payload over 1 MB compressed: we truncate to fit. If you see this happen consistently on a single PR, tune ignore_paths or severity_threshold in .sebastionai.yml so fewer findings reach the uploader.
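The last two points describe a size budget measured on the compressed payload and two config knobs that shrink what reaches the uploader. The block below is an added example, not Sebastion's code: it filters results client-side the way `ignore_paths` and `severity_threshold` are described here (the glob-pattern and minimum-severity semantics are assumptions; the page names the keys but not their format), measures the gzipped size, and if the document is still over budget drops results least severe first until it fits, recording the truncation as a toolExecutionNotification. The 300 constructed results and the 4096-byte budget are sample inputs chosen so the truncation actually triggers; the real limit on the page is 1 MB compressed.

```python
import copy
import fnmatch
import gzip
import hashlib
import json

# SARIF result levels, most severe first, plus the page's severity mapping so
# a severity_threshold written in scanner terms compares against a result level.
LEVEL_RANK = {"error": 2, "warning": 1, "note": 0}
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note", "info": "note"}


def prefilter(results, ignore_paths=(), severity_threshold="info"):
    """Client-side filtering assumed to match the .sebastionai.yml keys:
    ignore_paths as glob patterns, severity_threshold as a minimum severity.
    Fewer results reach the uploader, so the payload shrinks before any
    truncation has to happen."""
    min_rank = LEVEL_RANK[SEVERITY_TO_LEVEL[severity_threshold]]
    kept = []
    for r in results:
        uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
        if any(fnmatch.fnmatch(uri, pat) for pat in ignore_paths):
            continue
        if LEVEL_RANK[r.get("level", "warning")] < min_rank:
            continue
        kept.append(r)
    return kept


def compressed_size(doc):
    # GitHub takes the SARIF gzip-compressed on upload, so the budget applies
    # to the compressed bytes, not to the pretty-printed JSON on disk.
    return len(gzip.compress(json.dumps(doc, separators=(",", ":")).encode("utf-8")))


def fit_to_budget(doc, max_compressed_bytes):
    """Drop results, least severe first, until the gzipped document fits.
    Returns (trimmed_doc, dropped_count).  The trimmed run carries a
    toolExecutionNotification so a truncated upload is not mistaken for a
    clean audit that simply found less."""
    doc = copy.deepcopy(doc)
    run = doc["runs"][0]
    run["results"].sort(key=lambda r: LEVEL_RANK[r.get("level", "warning")], reverse=True)
    note = {"level": "warning", "descriptor": {"id": "sarif/truncated"},
            "message": {"text": ""}}
    dropped = 0
    while compressed_size(doc) > max_compressed_bytes:
        if not run["results"]:
            raise ValueError("document exceeds the budget even with no results")
        run["results"].pop()                      # least severe sits at the end
        dropped += 1
        if dropped == 1:                          # attach the notice before re-measuring
            inv = run.setdefault("invocations", [{"executionSuccessful": True}])[0]
            inv.setdefault("toolExecutionNotifications", []).append(note)
        note["message"]["text"] = (f"{dropped} lower-severity results dropped "
                                   f"to stay under the compressed upload limit")
    return doc, dropped


def sample_results(n=300):
    """Constructed results: 1 in 15 error, 1 in 3 warning, the rest note;
    even indexes live under src/, odd ones under tests/."""
    out = []
    for i in range(n):
        level = "error" if i % 15 == 0 else "warning" if i % 3 == 0 else "note"
        uri = f"src/mod_{i}.py" if i % 2 == 0 else f"tests/test_{i}.py"
        out.append({
            "ruleId": "example/rule", "level": level,
            "message": {"text": f"Constructed finding {i}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": i + 1}}}],
            "partialFingerprints": {
                "sebastionPrimary": hashlib.sha256(str(i).encode()).hexdigest()[:32]},
        })
    return out


def sample_doc(results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "Sebastion"}}, "results": results}]}


if __name__ == "__main__":
    doc = sample_doc(sample_results())
    print("before:", compressed_size(doc), "bytes gzipped")
    trimmed, dropped = fit_to_budget(doc, 4096)
    print("after:", compressed_size(trimmed), "bytes gzipped; dropped", dropped)
    print("with ignore_paths=['tests/*'], severity_threshold='medium':",
          len(prefilter(sample_results(), ["tests/*"], "medium")), "results")
```

If `fit_to_budget` reports drops on every audit of one PR, that is the signal the page describes: fix it in `.sebastionai.yml` so the filter does the work, rather than relying on truncation, which discards the lowest-severity findings without any say from you over which ones.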