Output Formats

xgrep emits human-readable text, Semgrep-compatible JSON, SARIF 2.1.0, a GitLab SAST report, or a CycloneDX 1.6 CBOM.

Output Formats

Text (default)

src/app.py:10:my-rule: Avoid using eval()

JSON

xgrep -f rules.yaml --json src/

JSON output is a Semgrep-compatible ScanReport with a results array. Each result carries check_id, path, start/end positions, and an extra object with message, severity (INFO, WARNING, ERROR), captured metavars, rule metadata (CWE, OWASP, …), and the matched lines. xgrep additionally includes always-on context and remediation guidance per finding. Add --with-overview to prepend a code-graph summary of the scanned tree to the report (schema_version 1.1).

Streaming JSON (NDJSON)

xgrep -f rules.yaml --json --stream src/

--stream turns --json into newline-delimited JSON (NDJSON), emitted as each file is scanned rather than as one document at the end — so editors and tools can render findings while the scan is still running. Each line is a typed envelope:

{"type":"finding","check_id":"…","path":"a.py","start":{},"extra":{}}
{"type":"finding","check_id":"…","path":"b.py","start":{},"extra":{}}
{"type":"summary","findings":2,"files":2,"errors":0}

A finding line carries the same fields as an element of the batch results array, plus a type discriminator. The single trailing summary line closes the stream. Findings are emitted in file-completion order (not path-sorted), already deduplicated and production-scope-filtered per file, so the streamed set matches the batch report. --stream requires --json and cannot be combined with --sarif/--gitlab, --validate, --baseline-commit, --history, or --with-overview.
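The batch ScanReport and the NDJSON stream carry the same finding fields, so a consumer can treat them as two encodings of one result set. The following Python is an added example, not part of xgrep or its documentation: it parses both forms, refuses a stream whose trailing summary is missing or disagrees with the number of finding lines received (a scan killed mid-way must not look like a clean result), and shows the kind of severity gating a CI job would apply. The sample report is constructed; the `check_id`, `path`, `extra.message` and `extra.severity` fields follow this page, while the `line`/`col` layout of `start`/`end` and the `extra.metadata` key are assumptions.

```python
"""Consume xgrep JSON output in either form: the batch ScanReport or --stream NDJSON."""
import json
from collections import Counter

# Constructed sample input. Field names (check_id, path, start, end, extra.message,
# extra.severity, extra.metadata) follow the page; the exact shape of start/end
# (line, col) is an assumption, not taken from the page.
BATCH_REPORT = json.dumps({
    "results": [
        {"check_id": "my-rule", "path": "src/app.py",
         "start": {"line": 10, "col": 5}, "end": {"line": 10, "col": 20},
         "extra": {"message": "Avoid using eval()", "severity": "ERROR",
                   "metadata": {"cwe": ["CWE-95"]}}},
        {"check_id": "todo-comment", "path": "src/util.py",
         "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 12},
         "extra": {"message": "TODO left in code", "severity": "INFO",
                   "metadata": {}}},
    ]
})

# The same two findings as the stream delivers them: one typed envelope per line,
# closed by a single summary line.
STREAM_REPORT = "\n".join(
    [json.dumps({"type": "finding", **r}) for r in json.loads(BATCH_REPORT)["results"]]
    + [json.dumps({"type": "summary", "findings": 2, "files": 2, "errors": 0})]
)

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def parse_batch(text):
    """Return the results array of a batch ScanReport."""
    return list(json.loads(text).get("results", []))


def parse_stream(text):
    """Parse NDJSON output into (findings, summary).

    The stream is only accepted as complete when the trailing summary line is
    present and its findings count matches what was received: a scan that died
    mid-way (broken pipe, timeout) must not be mistaken for a clean result.
    """
    findings, summary = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        envelope = json.loads(line)
        kind = envelope.get("type")
        if kind == "finding":
            if summary is not None:
                raise ValueError(f"line {lineno}: finding after summary")
            findings.append(envelope)
        elif kind == "summary":
            if summary is not None:
                raise ValueError(f"line {lineno}: second summary line")
            summary = envelope
        # Unknown envelope types are skipped so that new types do not break consumers.
    if summary is None:
        raise ValueError("stream ended without a summary line (truncated scan?)")
    if summary.get("findings") != len(findings):
        raise ValueError(f"summary reports {summary.get('findings')} findings, "
                         f"received {len(findings)}")
    return findings, summary


def severity_counts(findings):
    """Count findings per severity level."""
    return Counter(f["extra"]["severity"] for f in findings)


def at_or_above(findings, threshold):
    """Findings at `threshold` severity or higher, e.g. to gate CI on WARNING and up."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f["extra"]["severity"], -1) >= floor]


def format_text(finding):
    """Render a finding the way the text format does: path:line:check_id: message."""
    return (f"{finding['path']}:{finding['start']['line']}:"
            f"{finding['check_id']}: {finding['extra']['message']}")


if __name__ == "__main__":
    findings, summary = parse_stream(STREAM_REPORT)
    for f in at_or_above(findings, "WARNING"):
        print(format_text(f))
    print(dict(severity_counts(findings)), summary)
```

Because `parse_stream` validates against the summary line, a consumer that reads from a pipe can distinguish "zero findings" from "the scan never finished", which is the failure mode that matters when the stream is used to gate a merge.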

SARIF

xgrep -f rules.yaml --sarif src/

SARIF 2.1.0 output integrates with GitHub Code Scanning and other SARIF consumers. See CI integration.

GitLab SAST

xgrep -f rules.yaml --gitlab -o gl-sast-report.json src/

GitLab's Vulnerability Report consumes its own Secure SAST format rather than SARIF, so use --gitlab (not --sarif) for GitLab. The report maps each finding to a GitLab vulnerability with a stable id (for cross-scan tracking), a title-cased severity (Critical/High/Medium/Low), a line-based location, and identifiers for the rule plus any CWE/OWASP metadata. Publish it as a reports: sast: artifact in your GitLab CI job. See CI integration.

CBOM (Cryptography Bill of Materials)

A CBOM is a bill of materials, so it is produced by the sbom command rather than as a scan output format:

xgrep sbom --cbom .

This emits a CycloneDX 1.6 Cryptography Bill of Materials — a machine-readable inventory of the cryptographic assets in your code (algorithms, key material, protocols, certificates), enriched with OID, primitive, key size, and classical/post-quantum security levels. These assets are detected by the scan engine, but they do not add noise to a normal xgrep scan. See CBOM for the full guide: language/library coverage, the asset and dependency-graph structure, and how to consume the document.
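To show what consuming such a document looks like, here is an added Python example (not xgrep code and not from the CBOM guide) that walks a CycloneDX 1.6 CBOM, flattens each algorithm asset into a row with its OID, primitive, key size and security levels, checks the rows against a minimum security-level policy, and resolves the dependency graph from protocol assets to the algorithms they use. The sample CBOM is constructed; the field names (`cryptographic-asset`, `cryptoProperties.assetType`, `oid`, `algorithmProperties.primitive`, `parameterSetIdentifier`, `classicalSecurityLevel`, `nistQuantumSecurityLevel`, `protocolProperties`, `dependencies[].dependsOn`) are taken from the CycloneDX 1.6 schema as assumed here, and the OIDs and level values are illustrative, not scanner output.

```python
"""Walk a CycloneDX 1.6 CBOM and summarise the cryptographic assets it inventories."""
import json

# Constructed sample CBOM. Field names follow the CycloneDX 1.6 cryptoProperties
# schema as assumed here; OIDs and security levels are illustrative values.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
         "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.1",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "2048",
                                                      "classicalSecurityLevel": 112,
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "alg:aes-256-gcm",
         "cryptoProperties": {"assetType": "algorithm", "oid": "2.16.840.1.101.3.4.1.46",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm",
                                                      "parameterSetIdentifier": "256",
                                                      "classicalSecurityLevel": 256,
                                                      "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "name": "MD5", "bom-ref": "alg:md5",
         "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.2.5",
                              "algorithmProperties": {"primitive": "hash",
                                                      "classicalSecurityLevel": 0,
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "TLS 1.2", "bom-ref": "proto:tls-1.2",
         "cryptoProperties": {"assetType": "protocol",
                              "protocolProperties": {"type": "tls", "version": "1.2"}}},
        # A plain library component: present in the BOM but not a crypto asset.
        {"type": "library", "name": "cryptography", "version": "42.0.0",
         "bom-ref": "lib:cryptography"},
    ],
    "dependencies": [
        {"ref": "proto:tls-1.2", "dependsOn": ["alg:rsa-2048", "alg:aes-256-gcm"]},
    ],
})


def crypto_assets(cbom):
    """All components that are cryptographic assets (libraries etc. are skipped)."""
    return [c for c in cbom.get("components", []) if c.get("type") == "cryptographic-asset"]


def algorithm_rows(cbom):
    """Flatten each algorithm asset into one row: name, primitive, OID, key size, levels."""
    rows = []
    for c in crypto_assets(cbom):
        props = c.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        alg = props.get("algorithmProperties", {})
        rows.append({
            "name": c["name"],
            "primitive": alg.get("primitive"),
            "oid": props.get("oid"),
            "key_size": alg.get("parameterSetIdentifier"),
            "classical": alg.get("classicalSecurityLevel"),
            "quantum": alg.get("nistQuantumSecurityLevel"),
        })
    return rows


def below_policy(cbom, min_classical=128, require_pq=False):
    """Names of algorithms that fail a security-level policy.

    An algorithm with no stated level is treated as failing: an inventory gap
    is exactly what a crypto review needs to surface, not hide.
    """
    failing = []
    for row in algorithm_rows(cbom):
        classical = row["classical"] if row["classical"] is not None else -1
        quantum = row["quantum"] if row["quantum"] is not None else -1
        if classical < min_classical or (require_pq and quantum < 1):
            failing.append(row["name"])
    return sorted(failing)


def protocol_algorithms(cbom):
    """Map each protocol asset to the algorithm names it depends on (dependency graph)."""
    by_ref = {c.get("bom-ref"): c for c in cbom.get("components", [])}
    result = {}
    for dep in cbom.get("dependencies", []):
        comp = by_ref.get(dep.get("ref"))
        if comp is None or comp.get("cryptoProperties", {}).get("assetType") != "protocol":
            continue
        names = [by_ref[r]["name"] for r in dep.get("dependsOn", []) if r in by_ref]
        result[comp["name"]] = sorted(names)
    return result


if __name__ == "__main__":
    cbom = json.loads(SAMPLE_CBOM)
    for row in algorithm_rows(cbom):
        print(row)
    print("below policy:", below_policy(cbom, require_pq=True))
    print("protocols:", protocol_algorithms(cbom))
```

The `require_pq` switch is the part that makes a CBOM more useful than a grep for algorithm names: the same inventory answers both "what is below 128-bit classical strength today" and "what has no quantum security level at all" without rescanning the code.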

Reporting to Mondoo Platform

The formats above all write locally — to stdout or a file. xgrep additionally uploads findings to Mondoo Platform whenever a Mondoo service account is configured (via xgrep login or a config file), where they attach to the scanned repository as an asset. Reporting is automatic on the repository's default branch, additive (local output is unchanged), and best-effort (a failed upload never fails the scan):

xgrep scan .              # reports automatically when logged in (default branch only)
xgrep scan --incognito .  # local only; upload nothing

See Mondoo Platform for credentials, asset/severity mapping, and CI usage.
