The Wayback Machine - https://web.archive.org./web/20201026134711/https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/integrating-with-code-scanning

Explore by product

GitHub.com
English
Article version: Free, Pro, and Team
Free, Pro, and Team Enterprise Server 2.22
Article version: Free, Pro, and Team
Free, Pro, and Team Enterprise Server 2.22

Integrating with code scanning

You can integrate third-party code analysis tools with GitHub code scanning by uploading data as SARIF files.

Code scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. For more information, see "GitHub's products."

Did this doc help you?

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.

About integration with code scanning

You can perform code scanning externally and then display the results in GitHub, or set up webhooks that listen to code scanning activity in your repository.

Uploading a SARIF file to GitHub

You can upload SARIF files generated outside GitHub and see code scanning alerts from third-party tools in your repository.

SARIF support for code scanning

To display results from a third-party static analysis tool in your repository on GitHub, you'll need your results stored in a SARIF file that supports a specific subset of the SARIF 2.1.0 JSON schema for code scanning. If you use the default CodeQL static analysis engine, then your results will display in your repository on GitHub automatically.

Did this doc help you?

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.

Still need help?

Ask the GitHub community Contact support

Product

Platform

Support

Company