What is the difference between SARIF, Nessus XML, Burp XML, and CSV scanner output?

Each format encodes findings against a different surface and at a different fidelity. SARIF (Static Analysis Results Interchange Format) is the OASIS standard most often emitted by code analysis tools (SAST, SCA, IaC scanners) and carries rule identifiers, code locations, and trace flows. Nessus XML (.nessus) is Tenable’s native format for network and infrastructure findings, with plugin identifiers, host/port references, and risk factor metadata. Burp XML is the export format used by PortSwigger Burp Suite for web application findings, with request/response evidence per issue. CSV is the lowest-fidelity option that almost every scanner can emit, but it loses structured evidence and forces the importer to map columns to fields. The format choice constrains what evidence survives the import; pick formats that preserve the structured signals the scanner already captured rather than flattening them at export.

When should you use SARIF instead of a tool-native format?

SARIF is the right choice when the producer is a code-analysis tool that already emits SARIF (Semgrep, CodeQL, ESLint security plugins, many SCA tools) and the consumer is a system that understands SARIF. The format carries enough structure to reconstruct the rule, the affected location, the data flow, and the suppression history without bespoke parsing. SARIF is the wrong choice when the producer is a network scanner, a DAST scanner, or a manual-test tool that emits richer native data; converting those outputs to SARIF often loses fields. The pragmatic discipline is using the producer’s richest format on import and only converting at the boundary where the consumer demands a different format.

What information does a Nessus .nessus export carry that a CSV export does not?

A Nessus XML export carries the full per-host plugin output, including plugin identifier, plugin family, plugin name, severity score, CVSS vector, port and protocol per finding, the raw output that the plugin produced (banner, response, evidence string), the host fingerprint (OS, MAC, FQDN), and the scan policy that produced the finding. The CSV export of the same scan flattens this to a row per host plus plugin, drops the raw output unless the export template includes it, and loses the policy reference. For triage, the .nessus export gives a tester enough to reproduce or refute the finding; the CSV export forces the tester back to the scanner UI to recover the evidence the importer needs.

How does Burp Suite XML export compare to a Burp Issue JSON export?

Burp’s XML export from Professional/Enterprise carries the issue type, severity and confidence, host, location, request, response, and remediation guidance per issue. The JSON output (where supported by the version and config) carries the same payload in a more programmatically convenient structure. Both preserve the request/response pair that is load-bearing for any web application finding; this is the difference between a finding that a client can reproduce and a finding that needs the tester to redo the proof. Older Burp installations and free editions vary in what they expose; the rule of thumb is that whichever export retains the request/response is the one that holds up at delivery.

How do you handle CSV imports without losing evidence?

CSV is unavoidable for tools that do not emit a structured native format, and for ad-hoc handovers between teams. The discipline is treating CSV as a structured record with explicit column-to-field mapping and a rule for what each column contains. The mapping table records which columns map to title, description, severity, asset, trigger, and evidence. Multi-line evidence often needs a delimiter convention (line breaks within quoted cells, or a separate evidence file referenced by row). Severity strings need a normalisation rule (Critical/High/Medium/Low to a numeric scale). The rows that the mapping cannot resolve become drafts in the workspace pending manual review rather than getting silently coerced. The failure mode is silent loss; the discipline is explicit mapping with a fall-through to manual review.

Is there a single best format to standardise on across an entire programme?

No. Each scanner class has a native format that captures its evidence best, and forcing every tool through one intermediate format usually loses fidelity somewhere. The pragmatic standardisation point is the consolidated finding record inside the workflow, not the import format. Each tool exports in the format that retains its evidence, the importer maps each format to the consolidated record using a stable schema, and the consolidated record is the single source of truth for the engagement. SARIF is the closest thing to a universal format for code analysis output; for network and DAST output, native formats remain richer. Standardise on the consumer side rather than on the producer side.

How should you think about format choice when planning a multi-tool engagement?

Decide the import path before the scan runs. For each tool the engagement uses, the engagement plan records which export format the tool will emit, which fields that format carries, and how those fields map to the findings record. Tools that emit only CSV need an explicit column convention agreed before the scan. Tools that emit both SARIF and a native format need a decision about which is canonical for the engagement. The same discipline applies to manual testing notes: the format used to ship them into the workflow matters because the consolidated record inherits whatever the import preserved. Decisions made under engagement pressure tend to default to CSV; decisions made in planning tend to preserve the richer signal.

← Back to Scanner Information

Scanner guide11 min read

Scanner Output Formats: SARIF, Nessus, Burp, CSV, and JSON

The format a scanner emits decides how much evidence survives the trip into your findings record. SARIF, Nessus XML, Burp XML, CSV, and tool-specific JSON each encode findings at a different fidelity. The choice is not cosmetic: a CSV export of a Nessus scan loses the plugin output that made the finding reproducible; a SARIF export of a network scan loses the host context the SARIF schema cannot represent.

This guide covers how the major scanner output formats differ, what each one preserves, where each one drops fields, and how to plan format choice across a multi-tool engagement so the import preserves the evidence the consolidated finding actually needs.

Why format choice matters

A finding survives delivery only if the evidence behind it survives the import. A scanner that produced a clean reproduction at scan time loses that signal if the export drops the request/response pair or the plugin output. The downstream cost is a tester redoing the proof under engagement pressure or a finding shipping without the verification trail an auditor can follow. The format choice sits at the boundary between detection and delivery; treating it as an afterthought collapses the rest of the workflow into manual recovery.

Three structural realities shape format choice. First, every scanner class emits a native format that captures its detection signal best. Second, every consumer (a findings record, a SIEM, a ticketing system) reads a subset of those formats and maps them to its own schema. Third, the gap between native fidelity and consumer schema is where evidence drops out. The discipline is choosing the format that minimises that gap for each tool, not standardising every tool through one lossy intermediate.

The major scanner output formats

Five formats cover the majority of scanner output a programme will see. The table below lists what each format encodes natively and where each one tends to lose information when used outside its origin tool.

Format	Native to	Captures	Drops or struggles with
SARIF	SAST, SCA, IaC, code analysis (Semgrep, CodeQL, many linters)	Rule identifiers, file/line locations, code flow traces, fingerprints, suppression history	Network host/port context, runtime request/response evidence, deep DAST replay data
Nessus XML (.nessus)	Tenable Nessus, Tenable.io, Tenable.sc	Plugin identifier, plugin output, host fingerprint, port/protocol, CVSS, scan policy	Code-level locations, web application request/response chains beyond plugin output
Burp XML / JSON	PortSwigger Burp Suite Professional and Enterprise	Issue type, severity, confidence, request/response pair, location, remediation text	Network-layer findings, code-level traces, assets outside the proxy scope
Tool-specific JSON	Many DAST/SCA tools, custom scripts, internal tooling	Whatever the producer chose to encode; usually richer than CSV, often less standard than SARIF	Cross-tool comparability without a documented schema; fields drift between tool versions
CSV	Almost every scanner as a fallback export	Title, severity, asset, basic description if the export template includes it	Multi-line evidence, request/response pairs, structured fields, anything the column convention does not capture

None of the formats is strictly better than the others. SARIF wins for code analysis because the schema was designed for code locations and rule traces. Nessus XML wins for network output because it carries plugin output that no general format standardises. Burp XML wins for web application findings because it preserves the request/response pair. CSV wins on universality and loses on fidelity. The right format is the producer’s richest format that the consumer can read.

SARIF: when to use it and when not

SARIF is the OASIS standard for static analysis output. It carries enough structure to represent the rule that fired, the file and line where the issue lives, the data flow that triggered detection, the fingerprint that identifies the issue across runs, and the suppression history. Tools that emit SARIF natively include Semgrep, CodeQL, many ESLint security plugins, and a growing set of SCA scanners.

Use SARIF when

The producer is a code analysis tool that emits SARIF natively, the consumer understands SARIF, and the evidence the schema captures (rule, location, flow, fingerprint) is what the workflow needs. Most modern SAST and SCA imports fall into this case.

Avoid SARIF when

The producer is a network scanner, a DAST scanner, or a manual-test tool whose native output carries fields SARIF does not represent natively. Forcing a Nessus or Burp export through SARIF flattens host context, plugin output, or request/response pairs that the receiving workflow actually needs.

Watch for partial SARIF

Some tools emit SARIF that omits flow traces, suppressions, or fingerprints to stay within size limits or to preserve compatibility with older consumers. Verify that the SARIF export includes the fields the workflow expects before relying on it as the canonical handover format.

Nessus and Burp Suite native exports

Network and web application scanners are the two cases where native formats most consistently outperform any general intermediate. The discipline is using the native export at import time and converting only when the consumer cannot read the native format directly.

Nessus .nessus XML

The .nessus export is the canonical format for Tenable scanners. It carries the plugin identifier, plugin family, plugin output (the raw text the plugin produced during the scan), severity score, CVSS vector, host fingerprint, port and protocol, and scan policy. The plugin output is what makes a finding reproducible in triage; an export that drops it forces a tester back to the scanner UI to recover evidence the importer should have preserved.

Burp XML and Burp JSON

Burp’s exports preserve the request/response pair per issue, which is the evidence base for any web application finding. The XML format is supported broadly; the JSON format is more convenient for programmatic ingest where the version supports it. Either is preferable to a CSV export, which strips the request/response pair and forces the importer to map ad-hoc columns.

Authenticated vs unauthenticated context

Native exports carry the auth context the scan ran under (anonymous, basic auth, session token, scoped credential). That context is part of the finding’s reproducibility because a vulnerability reachable only under authentication has a different remediation conversation than one reachable anonymously. CSV exports drop this metadata; native exports preserve it.

CSV imports without silent loss

CSV remains the format of last resort for tools without a structured export, for handovers between teams that do not share tooling, and for ad-hoc data captured in spreadsheets. The discipline is treating CSV as a structured handover with an explicit column convention rather than as an opaque dump that the importer hopes to interpret.

Document the column convention up front: which column maps to title, severity, asset, trigger, evidence, fix location, and tool-native identifier. The convention lives alongside the engagement, not inside the importer.
Normalise severity strings: Critical/High/Medium/Low maps to a numeric scale at import. The mapping table is recorded so that downstream severity comparisons remain anchored to verified thresholds rather than tool-local language.
Preserve multi-line evidence: wrap fields that contain line breaks in quotes per the CSV spec, or store evidence in a separate file referenced by row. The failure mode is evidence cells getting truncated at the first newline.
Fall through to manual review: rows that the column convention cannot resolve land as drafts pending manual triage. The alternative is silent coercion that ships malformed findings into the record.
Keep the source CSV attached to the import: even after the rows are parsed and merged into findings, the original file stays attached so the audit trail walks back to the source export.

CSV is not the enemy. CSV without a column convention is. The discipline that turns a CSV into a defensible import is documented, reviewed, and reproducible mapping; the same discipline that any other format earns by design.

Planning format choice across an engagement

Format decisions made under engagement pressure tend to default to CSV because it is the one format every tool can produce and every consumer can open. That default is the source of most evidence loss in scanner imports. Planning the import path before the scan runs is what avoids the default.

Per-tool format decision

For each scanner the engagement uses, the plan records the export format that will be used, the fields it carries, and the consumer that will read it. The decision is made once per engagement rather than improvised per scan.

Schema mapping per format

The mapping from each format to the consolidated finding record lives in a durable document, not in the importer’s memory. The same mapping serves the next engagement that uses the same tool, so the import path is reusable rather than rebuilt every time.

Manual testing notes

Manual findings ship into the workflow through whatever format preserves the evidence the tester gathered: screenshots, request/response captures, command output, code references. The format that captures that evidence varies by issue; the discipline is choosing the format per finding rather than forcing all manual output through one template.

Conversion at the boundary

When a downstream consumer demands a specific format that the producer does not emit natively, the conversion runs once at the boundary and the original native export stays attached as evidence. The consolidated record references both so the audit trail does not break at the conversion step.

Common format anti-patterns

Three patterns recur in programmes that ship scanner output through ad-hoc imports. Each one creates a recoverable failure mode that compounds across the engagement until someone fixes the input convention rather than the output.

CSV-only by default: every tool exports CSV regardless of what richer format the tool offers, because CSV is universal. The evidence lost at export is not recoverable; the importer cannot reconstruct what the CSV did not encode.
Format pinned to the wrong tool: SARIF forced on a Nessus export, or Nessus XML forced on a SAST tool. The schema cannot represent the evidence; the import succeeds but the finding ships without the fields the consumer needs.
Lossy conversion at import: the importer normalises every format to a common intermediate that drops fields the original format carried. The intermediate looks clean; the finding has lost the evidence that made it reproducible.

The shared root cause is treating import as a step that has to succeed rather than as a step that has to preserve. Imports that succeed without preservation produce findings that fail at delivery; imports that preserve evidence produce findings that survive audit.

How SecPortal handles format imports

SecPortal accepts scanner output as draft findings against the engagement. Native imports parse Nessus XML and Burp Suite exports for plugin or issue identifier, severity, asset, trigger, and per-finding evidence. CSV imports use a column-mapping step that resolves each column to a finding field, with a fall-through to manual review for rows the convention cannot resolve. Each draft surfaces in the workspace for triage rather than landing as a finished finding.

The scanner result triage workflow covers the import-to-triage cycle that turns raw scanner output into a workflow-ready record. The bulk finding import workflow covers high-volume cases where output crosses tools and formats. The findings management feature keeps the originating format and tool identifier attached to the consolidated record so the audit trail walks back to the source export.

Once the formats are imported, the next discipline is collapsing duplicates without losing evidence. The scanner output deduplication guide covers how to merge findings across formats and tools while preserving the per-source evidence each export carried. For the upstream coverage envelope, the scanner coverage and limits guide covers what each scanner class actually finds and where formats start losing information. For the triage discipline that runs alongside import, the scanner false positives guide covers how to validate findings before they leave the draft state.

The branded client portal surfaces the consolidated findings to the client. Raw scanner output stays in the workspace; the report represents verified findings backed by the per-format evidence each import preserved.

An import-ready format checklist

Before the scan runs

Pick the export format per tool and record it in the engagement plan.
Verify the export carries the fields the consumer needs (request/response, plugin output, code locations).
Document the column convention if CSV is unavoidable for any tool.
Confirm the consumer can parse each chosen format without lossy conversion.

At export

Use the producer’s richest format that the consumer can read.
Include the scan policy reference so the import knows what scope produced the finding.
Preserve auth context (anonymous vs authenticated) on the export.
Keep the original export file attached as the source of truth for audit.

At import

Each row, issue, or result lands as a draft, not as a finished finding.
Tool-native identifier, format, and timestamp stay attached for traceability.
Rows that the column convention cannot resolve fall through to manual review.
Severity normalises to the consolidated scale with the original value preserved.

After import

Triage decides merge, link as related, or keep separate per draft.
Consolidated record references the originating format and identifier per source.
Conversions to downstream formats run at the consumer boundary, not at import.
The original export stays attached so audit walks back to the source.

Vulnerability classes where format choice bites hardest

Some classes lose more evidence under format choices than others, because the proof depends on a request, a packet, or a code path that not every format can carry. The pages below cover the classes most often degraded by lossy exports.

SQL injection: DAST detection depends on request/response evidence; CSV exports drop the proof.
Cross-site scripting: reflected and stored XSS evidence is the request/response pair; native Burp exports preserve it where CSV does not.
Vulnerable dependencies: SCA findings carry package, version, advisory, and file references; SARIF preserves the location chain that CSV flattens.
TLS/SSL misconfiguration: Nessus plugin output records the cipher and certificate detail; CSV exports often keep only the title.
Missing security headers: header detection is high volume; native exports cluster per asset, while CSV fragments them across rows.

For the analytical view of how unverified or evidence-thin findings drive retest volume, the pentest retest economics research covers how the input fidelity compounds across the engagement. For severity scoring on imported findings, the severity calibration research covers how to anchor scores to verified evidence rather than to whichever export preserved the most.

Scope and limitations

Format choice cannot recover evidence the producer never captured. A scanner that does not record request/response data cannot produce a Burp-equivalent export regardless of the wrapper. A scanner that does not maintain stable rule identifiers cannot produce SARIF that survives version changes. The leverage point is choosing tools whose native output already records the evidence the workflow needs and then preserving that evidence at export.

Formats also drift across tool versions. A SARIF schema field that ships in version N may be missing in version N+1; a Nessus plugin output structure may change between major releases. The pragmatic discipline is documenting the producer version alongside the format choice, so that a future reader of the export knows which schema variant generated the file.

For the operational step that turns these formats into structured findings on the engagement record, the guide to importing third-party scanner results covers the parsers for Nessus, Burp Suite, and CSV, the severity normalisation across scanner scales, the CSV column mapping decision, and the post-import triage that promotes drafts into canonical findings.

Frequently Asked Questions

Import scanner output without losing the evidence behind it

SecPortal accepts Nessus, Burp Suite, and CSV imports as draft findings, preserves the originating format and identifier on the consolidated record, and surfaces the triage workflow that turns raw output into a verified findings record.

Start free See bulk import workflow