The "CLI finds the problems, the platform fixes them" model is the right shape, and the auto-fix-PR loop is where this becomes genuinely powerful. To let flintai scan live inside every pipeline — not just a terminal — the one thing we kept reaching for was a stable, documented, machine-readable output.
Ask: a --format flag on flintai scan supporting:
sarif (SARIF 2.1.0) — the lingua franca of code scanning, and the direct unlock for GitHub code scanning / Advanced Security: findings surface as inline PR annotations and repo security alerts with zero glue code. GitLab, Azure DevOps, and every SARIF-aware dashboard come along for free.
json — a documented, versioned schema (a schemaVersion field) so downstream tooling can depend on it without breaking on the next release.
Why it matters. A finding a human reads in a terminal is worth one review; the same finding as SARIF is worth every future PR, automatically, right in the reviewer's diff. It's the line between a tool people try once and a tool people wire in and forget about — in the best way. It also composes cleanly with your fix-PR flow: SARIF's fixes and relatedLocations fields can carry exactly what the platform needs to open the remediation. And a stable schema is precisely what lets an ecosystem grow around the tool without pinning to a CLI version — which tends to compound adoption faster than any single feature.
Filed with genuine admiration from the KXCO team (kxco.ai) — building in the same neighbourhood (post-quantum security + AI trust) and rooting for FlintAI.
The "CLI finds the problems, the platform fixes them" model is the right shape, and the auto-fix-PR loop is where this becomes genuinely powerful. To let
flintai scanlive inside every pipeline — not just a terminal — the one thing we kept reaching for was a stable, documented, machine-readable output.Ask: a
--formatflag onflintai scansupporting:sarif(SARIF 2.1.0) — the lingua franca of code scanning, and the direct unlock for GitHub code scanning / Advanced Security: findings surface as inline PR annotations and repo security alerts with zero glue code. GitLab, Azure DevOps, and every SARIF-aware dashboard come along for free.json— a documented, versioned schema (aschemaVersionfield) so downstream tooling can depend on it without breaking on the next release.Why it matters. A finding a human reads in a terminal is worth one review; the same finding as SARIF is worth every future PR, automatically, right in the reviewer's diff. It's the line between a tool people try once and a tool people wire in and forget about — in the best way. It also composes cleanly with your fix-PR flow: SARIF's
fixesandrelatedLocationsfields can carry exactly what the platform needs to open the remediation. And a stable schema is precisely what lets an ecosystem grow around the tool without pinning to a CLI version — which tends to compound adoption faster than any single feature.Filed with genuine admiration from the KXCO team (kxco.ai) — building in the same neighbourhood (post-quantum security + AI trust) and rooting for FlintAI.