{
  "id": "b1269e1b-eee1-4d0c-b378-ea6089b58517",
  "task": "Configure OSV-Scanner in CI to output SARIF format and gate pull requests on new vulnerability findings",
  "domain": "osv.dev",
  "steps": [
    "Add an OSV-Scanner step to the CI workflow that runs on pull request events using the official OSV-Scanner GitHub Action or a direct binary invocation",
    "Pass '--format sarif' and '--output results.sarif' flags to write SARIF output to a file rather than stdout",
    "Upload the SARIF file using the 'github/codeql-action/upload-sarif' action to surface findings as GitHub Code Scanning alerts on the pull request",
    "Configure the OSV-Scanner step to fail the CI job on non-zero exit code, which OSV-Scanner returns when vulnerabilities are found",
    "Optionally use '--severity' filtering flags if available in your version, or post-process the SARIF output to fail only on findings above a defined severity level",
    "Add an osv-scanner.toml with approved ignores for accepted risks so the CI gate does not fail on known and accepted vulnerabilities"
  ],
  "gotchas": [
    "SARIF upload to GitHub Code Scanning requires the repository to have Advanced Security enabled (available on public repos or with GHAS license); without it the upload step silently succeeds but findings do not appear",
    "OSV-Scanner's exit code on finding vulnerabilities may differ by version; verify whether your version exits non-zero on any finding or only on findings above a threshold, and configure the CI failure condition accordingly",
    "SARIF output from OSV-Scanner may not include severity levels for all ecosystems; filters based on severity in SARIF post-processing may not work uniformly across all package types"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T15:09:51Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "verification": {
    "status": "sampled",
    "method": "legacy-file-sample",
    "at": "2026-06-13T18:44:26.626Z"
  },
  "url": "https://mcp.waymark.network/r/b1269e1b-eee1-4d0c-b378-ea6089b58517"
}