7 changes: 7 additions & 0 deletions .github/workflows/self-scan.yml
Expand Up @@ -40,3 +40,10 @@ jobs:
with:
verbose: "true"
fail-on: high
sarif: "true"

- name: Upload SARIF to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ github.workspace }}
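Review bot: the visible lines show no `permissions:` block for the job, and `github/codeql-action/upload-sarif` needs `security-events: write` (plus `actions: read` and `contents: read` on private repositories) or the upload fails with a permissions error, so either the existing job already declares it above the shown range or it should be added. Separately, `sarif_file: ${{ github.workspace }}` hands the action the whole checkout, and the action uploads every `.sarif` file it finds under that directory, not only the scan output; writing the scan result into a dedicated output directory and pointing `sarif_file` at that keeps the upload deterministic.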
15 changes: 12 additions & 3 deletions README.md
Expand Up @@ -89,7 +89,7 @@ No account. No configuration. No source code leaves your machine.
- **Offline advisory DB** — sync advisory data ahead of time and scan with zero runtime API calls, designed for enterprise and air-gapped environments
- **Interactive HTML report** — generate a self-contained dashboard with severity cards, a searchable findings table, and copy-ready fix commands (`--report`)
- **Auto-fix mode** — apply validated direct dependency fixes and rescan automatically (`--fix`)
- **CI-ready** — `--fail-on high` exits non-zero on findings at or above a severity threshold; a first-party [GitHub Action](https://github.com/marketplace/actions/cve-lite-cli) is available on the Marketplace
- **CI-ready** — `--fail-on high` exits non-zero on findings at or above a severity threshold; a first-party [GitHub Action](https://github.com/marketplace/actions/cve-lite-cli) is available on the Marketplace; `--sarif` writes SARIF 2.1.0 output for direct upload to GitHub Code Scanning; `--json` integrates with SIEM tools and dashboards
- **Minimal footprint** — four runtime dependencies, intentionally kept small for a security tool

## What it looks like
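Review bot: the rewritten **CI-ready** bullet now carries four separate features (`--fail-on`, the Marketplace action, `--sarif`, `--json`) in one sentence joined by semicolons, which is hard to scan in a feature list; a separate **Code Scanning and SIEM output** bullet for `--sarif` and `--json` would read better and match the one-feature-per-bullet style of the surrounding items.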
Expand Down Expand Up @@ -132,7 +132,7 @@ CVE Lite CLI fits at every stage of the development workflow, not just CI.

**Local development** — run a scan before opening a PR. The default output is fast and minimal. `--verbose` adds the full fix plan with dependency paths and prioritized remediation commands. `--report` opens an interactive HTML dashboard.

**CI pipelines** — use `--fail-on high` to gate builds on severity. JSON output (`--json`) integrates with SIEM, dashboards, and custom automation. SARIF output (`--sarif`) writes a SARIF 2.1.0 file for direct integration with GitHub Code Scanning and other SARIF-compatible tools.
**CI pipelines** — use `--fail-on high` to gate builds on severity. JSON output (`--json`) integrates with SIEM, dashboards, and custom automation. SARIF output (`--sarif`) writes a SARIF 2.1.0 file for direct upload to GitHub Code Scanning — findings appear in the Security tab and annotate PRs.

**Restricted and enterprise environments** — sync the advisory database ahead of time with `cve-lite advisories sync`, then scan offline with `--offline`. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.

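Review bot: the new wording of the **CI pipelines** paragraph drops "and other SARIF-compatible tools", narrowing the claim to GitHub Code Scanning even though the output is standard SARIF 2.1.0; keeping a short mention of other consumers avoids readers assuming the format is GitHub-specific, e.g. "... for direct upload to GitHub Code Scanning, where findings appear in the Security tab and annotate PRs, or to any other SARIF 2.1.0 consumer."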
Expand All @@ -143,8 +143,17 @@ CVE Lite CLI fits at every stage of the development workflow, not just CI.
with:
verbose: "true"
fail-on: high
sarif: "true"

- name: Upload to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ github.workspace }}
```

> **Note:** `if: always()` is required on the upload step. Without it, the upload is skipped when `--fail-on` exits non-zero — losing your findings in Code Scanning exactly when they matter most.

CVE Lite CLI scans its own dependencies in CI. See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).

For full CI patterns including offline workflows, git hooks, and scripted automation, see the [CI and Workflow Integration guide](https://owasp.org/cve-lite-cli/docs/ci-integration).
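Review bot: this README fragment is what readers will copy, and it lacks the `permissions:` entry (`security-events: write`) that `upload-sarif` requires; without it the upload step fails with a permissions error even when `if: always()` is set. Either add the permission to the snippet or mention it in the **Note** alongside the `if: always()` advice, since both are needed for findings to reach Code Scanning.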
Expand Down Expand Up @@ -488,4 +497,4 @@ If CVE Lite CLI helps your release workflow, a [GitHub star](https://github.com/

## License

MIT
MIT — built in public and maintained as an OWASP Foundation Project by Sonu Kapoor.
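Review bot: the `## License` line now duplicates the sentence added to the Docusaurus footer `copyright` in the same commit, so the two can drift apart; if both are kept, the README line should also link the repository `LICENSE` file so "MIT" points at the actual license text rather than standing alone.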
2 changes: 1 addition & 1 deletion website/docs/index.md
Expand Up @@ -10,7 +10,7 @@ CVE Lite CLI is designed around short local feedback loops: scan a lockfile, und
## Start here

- [Getting Started](./getting-started.md) explains how to get started
- [Workflow Integration](./workflow-integration.md) explains how to get integrate with CI, GitHub Hooks, Offline mode etc..
- [Workflow Integration](./workflow-integration.md) explains how to integrate with CI, GitHub Actions, GitHub Code Scanning (SARIF upload), git hooks, and offline mode.
- [Remediation Strategy](./remediation-strategy.md) explains how the CLI chooses direct upgrades, parent updates, and parent upgrades.
- [Fix Mode Guide](./fix-mode.md) explains the conservative `--fix` workflow.
- [HTML Vulnerability Report](./html-report.md) explains the local dashboard generated by `--report`.
9 changes: 7 additions & 2 deletions website/docs/sarif.md
Expand Up @@ -33,13 +33,18 @@ Upload the SARIF file to GitHub's Security tab using the official action:
run: cve-lite . --sarif

- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: cve-lite-scan-*.sarif
sarif_file: ${{ github.workspace }}
```

Findings appear in the **Security → Code scanning** tab and as PR annotations.

:::tip
Use `if: always()` on the upload step. Without it, the upload is skipped when `--fail-on` causes a non-zero exit — which means you'd lose the findings in Code Scanning exactly when they matter most.
:::

## What the SARIF file contains

Each CVE found produces one SARIF result. A package with multiple CVEs produces one result per CVE, allowing per-CVE review and dismissal in GitHub Code Scanning.
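Review bot: replacing `sarif_file: cve-lite-scan-*.sarif` with `${{ github.workspace }}` is the right fix, because `upload-sarif` does not expand glob patterns, but the removed line was the only place on this page that told the reader what `--sarif` writes and where; the page should now state the output filename and location explicitly, so users who want a narrower `sarif_file` than the whole workspace (or who need the file for another SARIF consumer) can find it.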
22 changes: 22 additions & 0 deletions website/docs/workflow-integration.md
Expand Up @@ -109,6 +109,28 @@ jobs:

This repository also uses CVE Lite CLI in its own CI to scan itself. See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).

### With GitHub Code Scanning

Add `sarif: "true"` and an upload step to surface findings in the **Security → Code scanning** tab and as PR annotations:

```yaml
- uses: actions/checkout@v6
- uses: OWASP/cve-lite-cli@v1
with:
fail-on: high
sarif: "true"

- name: Upload to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ github.workspace }}
```

:::tip
`if: always()` is required on the upload step. Without it, the upload is skipped when `--fail-on` causes a non-zero exit — losing your findings in Code Scanning exactly when they matter most.
:::

---

## Offline CI workflow
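Review bot: the added `upload-sarif` step sets no `category:` input, and repositories that also run CodeQL (or any second SARIF producer) upload several SARIF files to the same commit; `category` is how Code Scanning distinguishes them, so the snippet or the tip should recommend setting one, e.g. `category: cve-lite`, to keep CVE Lite findings from being mixed with or overwritten by another tool's results.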
2 changes: 1 addition & 1 deletion website/docusaurus.config.ts
Expand Up @@ -183,7 +183,7 @@ const config: Config = {
],
},
],
copyright: `CVE Lite CLI is MIT licensed, built in public, and maintained as an OWASP Foundation Project.`,
copyright: `CVE Lite CLI is MIT licensed, built in public, and maintained as an OWASP Foundation Project by Sonu Kapoor.`,
},
prism: {
theme: prismThemes.github,