docs: add a callout about SARIF exit code behavior (#630)

Signed-off-by: William Woodruff <william@yossarian.net>
2025-12-23 08:47:33 +00:00 · 2025-03-29 01:23:52 +02:00 · 2025-03-29 01:23:52 +02:00 · 67fdebff77
commit 67fdebff77
parent a0c9e5ddae
1 changed files with 17 additions and 0 deletions
--- a/docs/usage.md
+++ b/docs/usage.md
@ -455,6 +455,21 @@ jobs:
 For more inspiration, see `zizmor`'s own [repository workflow scan], as well
 as GitHub's example of [running ESLint] as a security workflow.

+!!! important
+
+    When using `--format sarif`, `zizmor` does not use its
+    [exit codes](#exit-codes) to signal the presence of findings. As a result,
+    `zizmor` will always exit with code `0` even if findings are present,
+    **unless** an internal error occurs during the audit.
+
+    As a result of this, the `zizmor.yml` workflow itself will always
+    succeed, resulting in a green checkmark in GitHub Actions.
+    This should **not** be confused with a lack of findings.
+
+    To prevent a branch from being merged with findings present, you can
+    use GitHub's rulesets feature. For more information, see
+    [About code scanning alerts - Pull request check failures for code scanning alerts].
+
 [zizmor package from PyPI]: https://pypi.org/p/zizmor

 [SARIF]: https://sarifweb.azurewebsites.net/
@ -467,6 +482,8 @@ as GitHub's example of [running ESLint] as a security workflow.

 [Advanced Security]: https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

+[About code scanning alerts - Pull request check failures for code scanning alerts]: https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#pull-request-check-failures-for-code-scanning-alerts
+
 ### Use with GitHub Enterprise

 `zizmor` supports GitHub instances other than `github.com`.