Output Formats
xgrep emits human-readable text, Semgrep-compatible JSON, SARIF 2.1.0, a GitLab SAST report, or a CycloneDX 1.6 CBOM.
Text (default)
src/app.py:10:my-rule: Avoid using eval()

JSON

xgrep -f rules.yaml --json src/

JSON output is a Semgrep-compatible ScanReport with a results array. Each result
carries check_id, path, start/end positions, and an extra object with
message, severity (INFO, WARNING, ERROR), captured metavars, rule metadata
(CWE, OWASP, …), and the matched lines. xgrep additionally includes always-on
context and remediation guidance per finding. Add --with-overview to prepend
a code-graph summary of the scanned tree to the report (schema_version 1.1).
Streaming JSON (NDJSON)
xgrep -f rules.yaml --json --stream src/

--stream turns --json into newline-delimited JSON (NDJSON), emitted as each
file is scanned rather than as one document at the end — so editors and tools can
render findings while the scan is still running. Each line is a typed envelope:
{"type":"finding","check_id":"…","path":"a.py","start":{…},"extra":{…}}
{"type":"finding","check_id":"…","path":"b.py","start":{…},"extra":{…}}
{"type":"summary","findings":2,"files":2,"errors":0}

A finding line carries the same fields as an element of the batch results
array, plus a type discriminator. The single trailing summary line closes the
stream. Findings are emitted in file-completion order (not path-sorted), already
deduplicated and production-scope-filtered per file, so the streamed set matches
the batch report. --stream requires --json and cannot be combined with
--sarif/--gitlab, --validate, --baseline-commit, --history, or
--with-overview.
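A consumer for both JSON forms described above, written as an added example for this page (it is not xgrep's or Mondoo's own code). It relies only on the fields documented here: a batch ScanReport with a results array, and NDJSON envelopes typed finding / summary. Because the stream is produced file by file, a scan that dies mid-way leaves a feed with no summary line (or a summary whose count disagrees with what was read); the parser treats both as errors rather than silently passing a partial result. The line/col keys under start are assumed to follow Semgrep's result format, and the sample documents and the severity gate are constructed for the example.

```python
"""Consume xgrep JSON findings from a batch report or a --stream NDJSON feed.

Added example, not part of xgrep. Assumes only the documented shape: a batch
ScanReport with a `results` array, or NDJSON envelopes typed "finding" and
"summary". `start.line` / `start.col` are assumed to match Semgrep's format.
"""
import json

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample: a batch report of the kind `xgrep --json` emits.
BATCH_REPORT = json.dumps({
    "results": [
        {"check_id": "my-rule", "path": "src/app.py",
         "start": {"line": 10, "col": 5}, "end": {"line": 10, "col": 20},
         "extra": {"message": "Avoid using eval()", "severity": "WARNING"}},
    ],
})

# Constructed sample: an NDJSON feed of the kind `--json --stream` emits.
STREAM = "\n".join([
    json.dumps({"type": "finding", "check_id": "my-rule", "path": "a.py",
                "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 9},
                "extra": {"message": "Avoid using eval()", "severity": "ERROR"}}),
    json.dumps({"type": "finding", "check_id": "todo-comment", "path": "b.py",
                "start": {"line": 7, "col": 1}, "end": {"line": 7, "col": 12},
                "extra": {"message": "TODO left in code", "severity": "INFO"}}),
    json.dumps({"type": "summary", "findings": 2, "files": 2, "errors": 0}),
]) + "\n"

# Constructed sample: the same feed cut off before its summary line.
TRUNCATED_STREAM = STREAM.splitlines()[0] + "\n"


def parse_report(source):
    """Return (findings, summary) from either a batch report or an NDJSON feed.

    A batch report is one JSON document; input that does not parse as a single
    document is read line by line as NDJSON. The stream is validated: exactly
    one trailing summary, no findings after it, and the summary's count must
    equal the number of finding lines read, so an interrupted scan is rejected.
    """
    try:
        doc = json.loads(source)
    except json.JSONDecodeError:
        doc = None
    if isinstance(doc, dict) and isinstance(doc.get("results"), list):
        findings = doc["results"]
        return findings, {"type": "summary", "findings": len(findings)}

    findings, summary = [], None
    for lineno, raw in enumerate(source.splitlines(), 1):
        if not raw.strip():
            continue
        envelope = json.loads(raw)
        kind = envelope.get("type")
        if kind == "finding":
            if summary is not None:
                raise ValueError(f"line {lineno}: finding after summary")
            findings.append(envelope)
        elif kind == "summary":
            if summary is not None:
                raise ValueError(f"line {lineno}: second summary line")
            summary = envelope
        else:
            raise ValueError(f"line {lineno}: unknown envelope type {kind!r}")
    if summary is None:
        raise ValueError("stream ended without a summary line; scan incomplete")
    if summary.get("findings") != len(findings):
        raise ValueError(f"summary reports {summary.get('findings')} findings, "
                         f"but {len(findings)} were read")
    return findings, summary


def severity_of(finding):
    return finding.get("extra", {}).get("severity", "INFO")


def render_text(finding):
    """Format one finding like the default text output: path:line:rule: message."""
    return (f"{finding['path']}:{finding['start']['line']}:{finding['check_id']}: "
            f"{finding.get('extra', {}).get('message', '')}")


def worst_severity(findings):
    if not findings:
        return None
    return max((severity_of(f) for f in findings),
               key=lambda s: SEVERITY_RANK.get(s, 0))


def should_fail(findings, threshold="ERROR"):
    """CI gate (assumed policy): fail when any finding is at or above threshold."""
    return any(SEVERITY_RANK.get(severity_of(f), 0) >= SEVERITY_RANK[threshold]
               for f in findings)


if __name__ == "__main__":
    # Usage: xgrep -f rules.yaml --json --stream src/ | python consume.py
    import sys
    found, total = parse_report(sys.stdin.read())
    for f in found:
        print(render_text(f))
    print(f"{total['findings']} finding(s)")
    sys.exit(1 if should_fail(found) else 0)
```

The same script gates a batch report, since parse_report accepts either form; in a pipeline, the rejection of a summary-less stream is what keeps a crashed scan from being mistaken for a clean one.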
SARIF
xgrep -f rules.yaml --sarif src/

SARIF 2.1.0 output integrates with GitHub Code Scanning and other SARIF consumers. See CI integration.
GitLab SAST
xgrep -f rules.yaml --gitlab -o gl-sast-report.json src/

GitLab's Vulnerability Report consumes its own Secure SAST format rather than
SARIF, so use --gitlab (not --sarif) for GitLab. The report maps each finding
to a GitLab vulnerability with a stable id (for cross-scan tracking), a
title-cased severity (Critical/High/Medium/Low), a line-based location, and
identifiers for the rule plus any CWE/OWASP metadata. Publish it as a
reports: sast: artifact in your GitLab CI job. See
CI integration.
CBOM (Cryptography Bill of Materials)
A CBOM is a bill of materials, so it is produced by the sbom
command rather than as a scan output format:
xgrep sbom --cbom .

This emits a CycloneDX 1.6
Cryptography Bill of Materials — a machine-readable inventory of the cryptographic
assets in your code (algorithms, key material, protocols, certificates), enriched
with OID, primitive, key size, and classical/post-quantum security levels. Those
assets are detected by the scan engine, but they are only reported here and do not
add noise to a normal xgrep scan. See
CBOM for the full guide: language/library coverage, the asset
and dependency-graph structure, and how to consume the document.
Reporting to Mondoo Platform
The formats above all write locally — to stdout or a file. xgrep additionally
uploads findings to Mondoo Platform whenever a Mondoo service account is configured
(via xgrep login
or a config file), where they attach to the scanned repository as an asset.
Reporting is automatic on the repository's default branch, additive (local output
is unchanged), and best-effort (a failed upload never fails the scan):
xgrep scan . # reports automatically when logged in (default branch only)
xgrep scan --incognito . # local only; upload nothing

See Mondoo Platform for credentials, asset/severity mapping, and CI usage.