Tool integration

Biome Integration Guide

Fast JavaScript/TypeScript toolchain with native SARIF output

Get a Free API Key

Integrate Biome with Vulnetix. Format, lint, and check JS/TS/JSX/TSX/CSS code with SARIF 2.1.0 output for security and quality findings.

CLI toolSARIF

Install & scan

$ npx @biomejs/biome --version
$ npx @biomejs/biome lint --reporter=sarif --reporter-file=biome.sarif .

Run Biome in CI

Scan on every push and upload the results to Vulnetix:

- name: Run Biome
  run: npx @biomejs/biome ci --reporter=sarif --reporter-file=biome.sarif .
- name: Upload to Vulnetix
  run: vulnetix upload --file biome.sarif

How Vulnetix compares — better together

Vulnetix does not replace Biome. Keep running it. Vulnetix sits on top of Biome — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixBiome
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation~ Correctness/suspicious rules and rules like noGlobalEval flag some unsafe JS/TS patterns; core focus is lint+format code quality, not security scanning
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Biome does well

Where Vulnetix adds to it: Vulnetix ingests Biome's SARIF into its unified queue, dedups JS/TS code findings against SCA, secrets and container results, and layers exploit-intel prioritisation, reachability, versioned VEX and autofix policy on top. Vulnetix's built-in SAST plus Semgrep provides the deeper security-rule coverage while Biome stays the fast language-native lint/format toolchain it never replaces.

No migration, no rip-and-replace. Biome keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Biome results in Vulnetix

Upload Biome SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Biome documentation ↗  ·  Source repository ↗

Wire Biome into your CI/CD pipeline →