
Output Formats

VaultGuard supports four output modes for scan results: condensed human (default), verbose human, JSON, and SARIF.

Human (Default)

The default output shows the top 5 findings by severity, one line each, followed by a compact summary.

```sh
vaultguard scan
  CRITICAL   AWS access key detected src/config.py:15
  HIGH       GitHub token detected .env:3
  HIGH       CVE-2024-1234 in lodash@4.17.20 package.json:8
  MEDIUM     Debug mode enabled in production settings.py:42
  MEDIUM     Hardcoded database password db.conf:7

  +8 more issues

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
13 issues found (1 critical, 2 high, 4 medium, 6 low)
Files scanned: 847 | Skipped: 12 | Duration: 2.3s

Results saved to .vaultguard/results/latest.json
Run vaultguard fix for remediation steps.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```

When no findings are detected:

```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
No issues found.
Files scanned: 847 | Skipped: 12 | Duration: 1.8s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```

If findings were suppressed (via baseline or inline comments), the summary includes those counts:

```
Files scanned: 847 | Skipped: 12 | Duration: 2.3s
23 suppressed | 4 filtered
```

Verbose Human

Add -v for the full per-finding output with grouped summary sections, remediation tips, and code snippets.

```sh
vaultguard scan -v
```

Each finding is printed as it is discovered. The summary groups findings by type (Secrets, Vulnerabilities, Misconfigurations, Quality Issues, Integrity Violations), lists them by file, and includes inline remediation advice per section.

Verbosity levels

-v shows info-level detail. -vv additionally enables debug logging (useful for understanding scan internals). -vvv enables trace logging (very noisy, mainly intended for bug reports).

JSON

Machine-readable output with all findings and scan statistics.

```sh
vaultguard scan --json
```

Or equivalently:

```sh
vaultguard scan --format json
```

The JSON output is written to stdout. All human-readable status messages (spinner, summary) go to stderr, so piping works cleanly:

```sh
vaultguard scan --json | jq '.findings | length'
```

stdout vs stderr separation

Human status messages (progress, summary) go to stderr. Structured data (JSON, SARIF) goes to stdout. This lets you pipe JSON to jq or redirect to a file without capturing status noise.

Structure:

```json
{
  "findings": [
    {
      "finding_type": "Secret",
      "severity": "Critical",
      "message": "AWS access key detected",
      "file_path": "src/config.py",
      "line_number": 15,
      "snippet": "AKIAIOSFODNN7EXAMPLE",
      "provider": "aws",
      "suppressed": false
    }
  ],
  "stats": {
    "files_scanned": 847,
    "files_skipped": 12,
    "duration": 2.3,
    "findings_suppressed": 0,
    "findings_filtered": 0
  }
}
```
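A small CI gate built on this structure, as an added example (not VaultGuard's own code): it reads the JSON document from stdin (so `vaultguard scan --json | python gate.py` works, since only structured data lands on stdout), ignores findings already marked `suppressed`, and fails the build when any active finding is Critical or High. The sample document is constructed to match the fields shown above; the severity strings and the `fail_on` threshold are assumptions, not part of the page.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like VaultGuard's JSON output above
# (values are illustrative, not real scan results).
SAMPLE_OUTPUT = json.dumps({
    "findings": [
        {"finding_type": "Secret", "severity": "Critical",
         "message": "AWS access key detected", "file_path": "src/config.py",
         "line_number": 15, "snippet": "AKIAIOSFODNN7EXAMPLE",
         "provider": "aws", "suppressed": False},
        {"finding_type": "Secret", "severity": "High",
         "message": "GitHub token detected", "file_path": ".env",
         "line_number": 3, "snippet": "<redacted>", "provider": "github",
         "suppressed": True},   # baseline-suppressed: must not block the build
        {"finding_type": "Misconfiguration", "severity": "Medium",
         "message": "Debug mode enabled in production", "file_path": "settings.py",
         "line_number": 42, "snippet": "DEBUG = True", "provider": None,
         "suppressed": False},
    ],
    "stats": {"files_scanned": 847, "files_skipped": 12, "duration": 2.3,
              "findings_suppressed": 1, "findings_filtered": 0},
})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]  # assumed severity labels

def parse_results(text):
    """Parse the results document; reject anything without the two top-level keys."""
    data = json.loads(text)
    if "findings" not in data or "stats" not in data:
        raise ValueError("not a VaultGuard results document")
    return data

def count_by_severity(results):
    """Counts of unsuppressed findings, keyed by severity string."""
    return Counter(f["severity"] for f in results["findings"]
                   if not f.get("suppressed", False))

def gate(results, fail_on=("Critical", "High")):
    """Return (exit_code, summary); exit_code is 1 if any active finding meets the threshold."""
    counts = count_by_severity(results)
    blocking = sum(counts[s] for s in fail_on)
    summary = ", ".join(f"{counts[s]} {s.lower()}" for s in SEVERITY_ORDER if counts[s])
    return (1 if blocking else 0), (summary or "no active findings")

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    code, summary = gate(parse_results(text))
    print(summary, file=sys.stderr)  # keep stdout clean, as VaultGuard does
    sys.exit(code)
```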

SARIF

SARIF (Static Analysis Results Interchange Format) output, for integration with GitHub Code Scanning, the VS Code SARIF Viewer, and other tools that consume SARIF.

```sh
vaultguard scan --sarif
```

Or:

```sh
vaultguard scan --format sarif
```

Write directly to a file for upload:

```sh
vaultguard scan --sarif --output results.sarif
```

GitHub Code Scanning integration

Upload SARIF results using the github/codeql-action/upload-sarif@v3 action. Findings appear as annotations directly on pull request diffs. See CI/CD Integration for a complete workflow example.

Writing to a File

Use --output to write results to a file instead of stdout:

```sh
vaultguard scan --json --output results.json
vaultguard scan --sarif --output results.sarif
```

When --output is used, the results file path is printed to stderr:

```
Results written to results.json
```

Auto-Save

In the default human output mode, VaultGuard automatically saves scan results to .vaultguard/results/latest.json when findings are present. This file is used by vaultguard fix for remediation.

Auto-save is skipped when:

  • Output format is JSON or SARIF
  • --output flag is used (results already written to a specific file)
  • No findings were detected

The auto-saved file is created with 0600 permissions (owner read/write only), since it can contain the matched secret snippets. VaultGuard warns if .vaultguard/ is not in your .gitignore.

Format Selection Summary

| Mode | Flag | Stdout | Use Case |
|------|------|--------|----------|
| Condensed human | (default) | nothing (stderr only) | Developer terminal |
| Verbose human | -v | nothing (stderr only) | Detailed investigation |
| JSON | --json or --format json | JSON document | CI parsing, scripting |
| SARIF | --sarif or --format sarif | SARIF document | GitHub Code Scanning, IDE integration |

Disabling Color

Set the NO_COLOR environment variable to disable terminal colors in human output:

```sh
NO_COLOR=1 vaultguard scan
```

NO_COLOR convention

VaultGuard follows the no-color.org convention. Any non-empty value for NO_COLOR disables colored output. This is useful in CI environments or when piping to log files.

VaultGuard -- Security scanning for AI-generated code