Output Formats
PipeGuard supports three output formats: terminal, JSON, and SARIF.
| Format | Flag | Use Case |
|---|---|---|
| Terminal | --format terminal (default) | Local development, human-readable |
| JSON | --format json | Custom integrations, scripting |
| SARIF | --format sarif | GitHub Code Scanning, GitLab SAST |
Terminal (default)
The default output uses ANSI colors and box-drawing characters. It respects the NO_COLOR environment variable and the --no-color flag.

```shell
$ pipeguard scan .gitlab-ci.yml
```

```
====================================================================
  PIPEGUARD — Pipeline Security Scanner
====================================================================

--------------------------------------------------------------------
  FILE  .gitlab-ci.yml (GitLab CI)
--------------------------------------------------------------------

  CRITICAL  R03  No secret scanning stage
    Add a secret detection stage using tools like
    gitleaks or detect-secrets
    Category: Secret Management (SEC)
    FIX: Add secret scanning stage:
      secret_scan:
        stage: test
        script:
          - gitleaks detect --source . --verbose

  MEDIUM  R28  No pipeline cache configured
    Configure cache to speed up pipeline execution
    Category: Quality (PQL)

--------------------------------------------------------------------
  RESULTS
--------------------------------------------------------------------
  Files scanned:  1
  Violations:     42 (8 critical, 12 high, 18 medium, 4 low)
  Auto-fixable:   38/42

  .gitlab-ci.yml  SECURITY  9/100   Level 0 — None
                  QUALITY   41/100  Level 2 — Developing
```

JSON
Structured JSON for custom tooling and scripting:

```shell
$ pipeguard scan .gitlab-ci.yml --format json
```

```json
{
  "version": "0.1.0",
  "files": [
    {
      "path": ".gitlab-ci.yml",
      "type": "gitlab-ci",
      "violations": [
        {
          "id": "R03",
          "severity": "critical",
          "category": "SEC",
          "title": "No secret scanning stage",
          "description": "Add a secret detection stage...",
          "fix": "secret_scan:\n stage: test\n...",
          "autoFixable": true
        }
      ],
      "scores": {
        "security": 9,
        "quality": 41
      },
      "maturity": {
        "level": 0,
        "name": "None"
      }
    }
  ],
  "summary": {
    "totalFiles": 1,
    "totalViolations": 42,
    "bySeverity": {
      "critical": 8,
      "high": 12,
      "medium": 18,
      "low": 4
    },
    "autoFixable": 38
  }
}
```

Write JSON to a file with --output:

```shell
$ pipeguard scan . --format json --output results.json
```

SARIF
SARIF v2.1.0 (Static Analysis Results Interchange Format) is the industry standard for static analysis results. It is compatible with GitHub Code Scanning, GitLab SAST, Azure DevOps, and more.

```shell
$ pipeguard scan . --format sarif --output results.sarif
```

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "PipeGuard",
          "version": "0.1.0",
          "informationUri": "https://pipeguard.dev",
          "rules": [
            {
              "id": "R03",
              "name": "NoSecretScanning",
              "shortDescription": { "text": "No secret scanning stage" },
              "defaultConfiguration": { "level": "error" }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "R03",
          "level": "error",
          "message": { "text": "No secret scanning stage" },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": ".gitlab-ci.yml" },
                "region": { "startLine": 1 }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

SARIF Severity Mapping
| PipeGuard Severity | SARIF Level |
|---|---|
| critical | error |
| high | error |
| medium | warning |
| low | note |
| info | note |
Tip: Use SARIF for CI uploads and JSON for custom dashboards. Terminal format is best for local development.
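
The following is an added example, not part of PipeGuard: a small pipeline gate that reads the JSON report layout shown above, applies the severity mapping from the table, and blocks the build on any error-level finding. The names gate, SARIF_LEVEL and SAMPLE_REPORT are hypothetical, and the sample report is constructed.

```python
import json

# PipeGuard severity -> SARIF level, copied from the mapping table on this page.
SARIF_LEVEL = {"critical": "error", "high": "error",
               "medium": "warning", "low": "note", "info": "note"}

# Constructed sample report following the JSON layout shown on this page.
SAMPLE_REPORT = json.dumps({
    "version": "0.1.0",
    "files": [{
        "path": ".gitlab-ci.yml",
        "type": "gitlab-ci",
        "violations": [
            {"id": "R03", "severity": "critical", "category": "SEC",
             "title": "No secret scanning stage"},
            {"id": "R28", "severity": "medium", "category": "PQL",
             "title": "No pipeline cache configured"},
        ],
    }],
})


def gate(report_text, block_levels=("error",)):
    """Return (exit_code, blocking, counts) for a PipeGuard JSON report.

    Fails closed: a report that cannot be parsed, or a severity missing
    from the mapping table, blocks the pipeline instead of passing silently.
    """
    try:
        files = json.loads(report_text)["files"]
    except (ValueError, KeyError, TypeError):
        return 2, ["report unreadable"], {}
    counts = {"error": 0, "warning": 0, "note": 0, "unknown": 0}
    blocking = []
    for f in files:
        for v in f.get("violations", []):
            level = SARIF_LEVEL.get(str(v.get("severity", "")).lower(), "unknown")
            counts[level] += 1
            if level in block_levels or level == "unknown":
                blocking.append(f"{f.get('path', '?')}: {v.get('id', '?')} "
                                f"{v.get('title', '')} [{level}]")
    return (1 if blocking else 0), blocking, counts


if __name__ == "__main__":
    code, blocking, counts = gate(SAMPLE_REPORT)
    print(counts, *blocking, sep="\n")
    raise SystemExit(code)
```

In a pipeline, pass the contents of the results.json file written with --output instead of the constructed sample, and use the returned exit code as the job status.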