Output Formats

xgrep emits human-readable text, Semgrep-compatible JSON, SARIF 2.1.0, or a GitLab SAST report.

Text (default)

Each finding is printed as one line in the form path:line:rule-id: message, for example:

src/app.py:10:my-rule: Avoid using eval()

JSON

xgrep -f rules.yaml --json src/

JSON output is a Semgrep-compatible ScanReport whose results array holds one entry per finding. Each result carries check_id, path, start/end positions, and an extra object with message, severity (INFO, WARNING, ERROR), captured metavars, rule metadata (CWE, OWASP, …), and the matched lines. Because the layout matches Semgrep's, tooling that already parses Semgrep JSON can consume it; xgrep additionally attaches context and remediation guidance to every finding. Add --with-overview to prepend a code-graph summary of the scanned tree to the report; with it, the report's schema_version is 1.1.

SARIF

xgrep -f rules.yaml --sarif src/

SARIF 2.1.0 output integrates with GitHub Code Scanning and other SARIF consumers. See CI integration.

GitLab SAST

xgrep -f rules.yaml --gitlab -o gl-sast-report.json src/

GitLab's Vulnerability Report consumes GitLab's own Secure SAST report format rather than SARIF, so use --gitlab (not --sarif) when targeting GitLab. Each finding becomes a GitLab vulnerability with a stable id (so GitLab can track the same finding across scans), a title-cased severity (Critical/High/Medium/Low), a line-based location, and identifiers for the rule plus any CWE/OWASP metadata. Publish the file as the job's reports: sast: artifact in GitLab CI. See CI integration.
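The following is an added example, not xgrep's own code, showing how a CI step can consume the Semgrep-compatible JSON report described above (render the text-format line, gate on severity) and how the per-finding fields map onto the GitLab vulnerability shape just described. The sample report is constructed for this example; the INFO/WARNING/ERROR to Low/Medium/High mapping, the id derivation (sha256 over rule id, path and start line), the scanner name and the GitLab field names are assumptions drawn from the public Semgrep and GitLab report schemas, not a description of how xgrep itself builds its report.

```python
"""Consume a Semgrep-compatible JSON ScanReport and produce GitLab SAST
vulnerability entries.  Added illustration; not xgrep's implementation.
"""
import hashlib
import json

# Constructed sample report in the Semgrep-compatible layout (check_id, path,
# start/end, extra.{message,severity,metavars,metadata,lines}).
SAMPLE_REPORT = json.dumps({
    "version": "1.0",
    "results": [
        {
            "check_id": "my-rule",
            "path": "src/app.py",
            "start": {"line": 10, "col": 5},
            "end": {"line": 10, "col": 25},
            "extra": {
                "message": "Avoid using eval()",
                "severity": "ERROR",
                "metavars": {"$X": {"abstract_content": "user_input"}},
                "metadata": {"cwe": ["CWE-95"], "owasp": ["A03:2021"]},
                "lines": "    eval(user_input)",
            },
        },
        {
            "check_id": "debug-flag",
            "path": "src/settings.py",
            "start": {"line": 3, "col": 1},
            "end": {"line": 3, "col": 13},
            "extra": {
                "message": "DEBUG enabled",
                "severity": "WARNING",
                "metavars": {},
                "metadata": {},
                "lines": "DEBUG = True",
            },
        },
    ],
    "errors": [],
})

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}
# Assumed mapping onto GitLab's title-cased levels; xgrep's own mapping may differ.
GITLAB_SEVERITY = {"INFO": "Low", "WARNING": "Medium", "ERROR": "High"}


def load_results(report_json):
    """Return the results array of a Semgrep-compatible ScanReport."""
    return json.loads(report_json)["results"]


def text_line(result):
    """Render a result as the text format shows it: path:line:rule-id: message."""
    return (f"{result['path']}:{result['start']['line']}:"
            f"{result['check_id']}: {result['extra']['message']}")


def exceeds(results, threshold):
    """CI gate: True if any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[r["extra"]["severity"]] >= floor for r in results)


def stable_id(result):
    """Assumed stable id: sha256 over rule id, path and start line, so the same
    finding hashes identically across scans and GitLab can track it."""
    key = f"{result['check_id']}|{result['path']}|{result['start']['line']}"
    return hashlib.sha256(key.encode()).hexdigest()


def to_gitlab_vuln(result):
    """Map one result onto a GitLab Secure SAST vulnerability entry."""
    extra = result["extra"]
    meta = extra.get("metadata", {})
    # One identifier for the rule, plus one per CWE / OWASP tag in the metadata.
    identifiers = [{"type": "xgrep_rule_id", "name": result["check_id"],
                    "value": result["check_id"]}]
    for cwe in meta.get("cwe", []):
        num = cwe.split("-")[-1]
        identifiers.append({"type": "cwe", "name": cwe, "value": num,
                            "url": f"https://cwe.mitre.org/data/definitions/{num}.html"})
    for owasp in meta.get("owasp", []):
        identifiers.append({"type": "owasp", "name": owasp, "value": owasp})
    return {
        "id": stable_id(result),
        "category": "sast",
        "name": result["check_id"],
        "message": extra["message"],
        "description": extra["message"],
        "severity": GITLAB_SEVERITY[extra["severity"]],
        "scanner": {"id": "xgrep", "name": "xgrep"},  # assumed scanner identity
        "location": {"file": result["path"],
                     "start_line": result["start"]["line"],
                     "end_line": result["end"]["line"]},
        "identifiers": identifiers,
    }


def to_gitlab_report(report_json):
    """Wrap the mapped vulnerabilities in the report envelope (version assumed)."""
    return {"version": "15.0.0",
            "vulnerabilities": [to_gitlab_vuln(r) for r in load_results(report_json)]}
```

The real artifact produced by --gitlab should be validated against GitLab's published report schema for the version in use; the envelope above carries only the core fields and omits the optional scan block.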
