check and the scanners can produce, and the languages
and file types MergeGuide checks.
Check output formats
mergeguide check supports these formats via --format:
| Format | Use it for |
|---|---|
| text | Human-readable terminal output. The default. |
| json | Programmatic consumption and custom tooling. |
| sarif | Code-scanning dashboards and security platforms (GitHub code scanning, etc.). |
| markdown | Pasting a report into a PR comment or document. |
Scanner output formats
mergeguide scan vuln and mergeguide scan iac support text, json, and
sarif:
SBOM formats
mergeguide sbom generate produces these SBOM formats:
| Format | Standard |
|---|---|
| cyclonedx-json | CycloneDX 1.5 |
| cyclonedx-xml | CycloneDX 1.5 |
| spdx-json | SPDX 2.3 |
| spdx-tag-value | SPDX 2.3 |
Supported languages
MergeGuide checks source files in a range of common languages, including:
| Language | Example extensions |
|---|---|
| Python | .py, .pyw, .pyi |
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts, .tsx |
| Java | .java |
| Go | .go |
| Rust | .rs |
| Ruby | .rb |
| PHP | .php |
| C# | .cs |
| C / C++ | .c, .h, .cpp, .hpp, .cc |
| Swift | .swift |
| Kotlin | .kt, .kts |
| Scala | .scala |
| Shell | .sh, .bash, .zsh |
Infrastructure-as-code
The IaC scanner (scan iac) supports Terraform, CloudFormation,
Kubernetes, and Helm. See Running scans.
Language and IaC support evolves. If a language you need isn’t listed, confirm
current coverage against the running CLI before relying on it.
Next steps
Running scans
Produce these outputs.
CI/CD patterns
Feed SARIF into your pipeline.