Search
K
GitHub v3 REST API

List code scanning alerts for a repository

Lists all open code scanning alerts for the default branch (usually main
or master). You must use an access token with the security_events scope to use
this endpoint. GitHub Apps must have the security_events read permission to use
this endpoint.

The response includes a most_recent_instance object.
This provides details of the most recent instance of this alert
for the default branch or for the specified Git reference
(if you used ref in the request).

get
http://HOSTNAME/api/v3/repos/{owner}/{repo}/code-scanning/alerts

Query Parameters

tool_namestring

The name of the tool used to generate the code scanning analysis.

tool_guidstring | null

The GUID of the tool used to generate the code scanning analysis, if provided in the uploaded SARIF data.

pageinteger

Page number of the results to fetch.

Default:1

per_pageinteger

Results per page (max 100)

Default:30

refstring

The full Git reference, formatted as refs/heads/<branch name>,
refs/pull/<number>/merge, or refs/pull/<number>/head.

statestring

State of a code scanning alert.

Allowed values:opencloseddismissedfixed

Path Parameters

ownerstringrequired
repostringrequired

Response

application/json

Response

numberintegerrequiredread-only

The security alert number.

created_atstring(date-time)requiredread-only

The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

urlstring(uri)requiredread-only

The REST API URL of the alert resource.

html_urlstring(uri)requiredread-only

The GitHub URL of the alert resource.

instances_urlstring(uri)requiredread-only

The REST API URL for fetching the list of instances for an alert.

statestringrequired

State of a code scanning alert.

Allowed values:opencloseddismissedfixed

dismissed_byobject | nullrequired

Simple User

Show Child Parameters
dismissed_atstring | null(date-time)requiredread-only

The time that the alert was dismissed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

dismissed_reasonstring | nullrequired

Required when the state is dismissed. The reason for dismissing or closing the alert. Can be one of: false positive, won't fix, and used in tests.

Allowed values:false positivewon't fixused in tests

ruleobjectrequired
Show Child Parameters
toolobjectrequired
Show Child Parameters
most_recent_instanceobjectrequired
Show Child Parameters
get/repos/{owner}/{repo}/code-scanning/alerts
 
application/json

Get a code scanning alert

Gets a single code scanning alert. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.

Deprecation notice:
The instances field is deprecated and will, in future, not be included in the response for this endpoint. The example response reflects this change. The same information can now be retrieved via a GET request to the URL specified by instances_url.

get
http://HOSTNAME/api/v3/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

Path Parameters

ownerstringrequired
repostringrequired
alert_numberintegerrequiredread-only

The security alert number.

Response

application/json

Response

code-scanning-alert

numberintegerrequiredread-only

The security alert number.

created_atstring(date-time)requiredread-only

The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

urlstring(uri)requiredread-only

The REST API URL of the alert resource.

html_urlstring(uri)requiredread-only

The GitHub URL of the alert resource.

instances_urlstring(uri)requiredread-only

The REST API URL for fetching the list of instances for an alert.

statestringrequired

State of a code scanning alert.

Allowed values:opencloseddismissedfixed

dismissed_byobject | nullrequired

Simple User

Show Child Parameters
dismissed_atstring | null(date-time)requiredread-only

The time that the alert was dismissed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

dismissed_reasonstring | nullrequired

Required when the state is dismissed. The reason for dismissing or closing the alert. Can be one of: false positive, won't fix, and used in tests.

Allowed values:false positivewon't fixused in tests

ruleobjectrequired
Show Child Parameters
toolobjectrequired
Show Child Parameters
most_recent_instanceobjectrequired
Show Child Parameters
instancesDEPRECATED
get/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}
 
application/json

Update a code scanning alert

Updates the status of a single code scanning alert. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events write permission to use this endpoint.

patch
http://HOSTNAME/api/v3/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

Path Parameters

ownerstringrequired
repostringrequired
alert_numberintegerrequiredread-only

The security alert number.

Body

application/json
statestringrequired

Sets the state of the code scanning alert. Can be one of open or dismissed. You must provide dismissed_reason when you set the state to dismissed.

Allowed values:opendismissed

dismissed_reasonstring | null

Required when the state is dismissed. The reason for dismissing or closing the alert. Can be one of: false positive, won't fix, and used in tests.

Allowed values:false positivewon't fixused in tests

Response

application/json

Response

code-scanning-alert

numberintegerrequiredread-only

The security alert number.

created_atstring(date-time)requiredread-only

The time that the alert was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

urlstring(uri)requiredread-only

The REST API URL of the alert resource.

html_urlstring(uri)requiredread-only

The GitHub URL of the alert resource.

instances_urlstring(uri)requiredread-only

The REST API URL for fetching the list of instances for an alert.

statestringrequired

State of a code scanning alert.

Allowed values:opencloseddismissedfixed

dismissed_byobject | nullrequired

Simple User

Show Child Parameters
dismissed_atstring | null(date-time)requiredread-only

The time that the alert was dismissed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

dismissed_reasonstring | nullrequired

Required when the state is dismissed. The reason for dismissing or closing the alert. Can be one of: false positive, won't fix, and used in tests.

Allowed values:false positivewon't fixused in tests

ruleobjectrequired
Show Child Parameters
toolobjectrequired
Show Child Parameters
most_recent_instanceobjectrequired
Show Child Parameters
instancesDEPRECATED
patch/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

Body

{ "state": "dismissed", "dismissed_reason": "false positive" }
 
application/json

List code scanning analyses for a repository

Lists the details of all code scanning analyses for a repository,
starting with the most recent.
The response is paginated and you can use the page and per_page parameters
to list the analyses you’re interested in.
By default 30 analyses are listed per page.

The rules_count field in the response give the number of rules
that were run in the analysis.
For very old analyses this data is not available,
and 0 is returned in this field.

You must use an access token with the security_events scope to use this endpoint.
GitHub Apps must have the security_events read permission to use this endpoint.

Deprecation notice:
The tool_name field is deprecated and will, in future, not be included in the response for this endpoint. The example response reflects this change. The tool name can now be found inside the tool field.

get
http://HOSTNAME/api/v3/repos/{owner}/{repo}/code-scanning/analyses

Query Parameters

tool_namestring

The name of the tool used to generate the code scanning analysis.

tool_guidstring | null

The GUID of the tool used to generate the code scanning analysis, if provided in the uploaded SARIF data.

pageinteger

Page number of the results to fetch.

Default:1

per_pageinteger

Results per page (max 100)

Default:30

refstring

The full Git reference, formatted as refs/heads/<branch name>,
refs/pull/<number>/merge, or refs/pull/<number>/head.

sarif_idstring

An identifier for the upload.

Example:6c81cd8e-b078-4ac3-a3be-1dad7dbd0b53

Path Parameters

ownerstringrequired
repostringrequired

Response

application/json

Response

refstringrequired

The full Git reference, formatted as refs/heads/<branch name>,
refs/pull/<number>/merge, or refs/pull/<number>/head.

commit_shastringrequired

The SHA of the commit to which the analysis you are uploading relates.

Match pattern:^[0-9a-fA-F]+$

>= 40 characters<= 40 characters

analysis_keystringrequired

Identifies the configuration under which the analysis was executed. For example, in GitHub Actions this includes the workflow filename and job name.

environmentstringrequired

Identifies the variable values associated with the environment in which this analysis was performed.

categorystring

Identifies the configuration under which the analysis was executed. Used to distinguish between multiple analyses for the same tool and commit, but performed on different languages or different parts of the code.

errorstringrequired

Example:error reading field xyz

created_atstring(date-time)requiredread-only

The time that the analysis was created in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

results_countintegerrequired

The total number of results in the analysis.

rules_countintegerrequired

The total number of rules used in the analysis.

idintegerrequired

Unique identifier for this analysis.

urlstring(uri)requiredread-only

The REST API URL of the analysis resource.

sarif_idstringrequired

An identifier for the upload.

Example:6c81cd8e-b078-4ac3-a3be-1dad7dbd0b53

toolobjectrequired
Show Child Parameters
deletablebooleanrequired
warningstringrequired

Warning generated when processing the analysis

Example:123 results were ignored

tool_namestring
get/repos/{owner}/{repo}/code-scanning/analyses
 
application/json

Upload an analysis as SARIF data

Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events write permission to use this endpoint.

There are two places where you can upload code scanning results.

You must compress the SARIF-formatted analysis data that you want to upload, using gzip, and then encode it as a Base64 format string. For example:

gzip -c analysis-data.sarif | base64 -w0

SARIF upload supports a maximum of 1000 results per analysis run. Any results over this limit are ignored. Typically, but not necessarily, a SARIF file contains a single run of a single tool. If a code scanning tool generates too many results, you should update the analysis configuration to run only the most important rules or queries.

The 202 Accepted, response includes an id value.
You can use this ID to check the status of the upload by using this for the /sarifs/{sarif_id} endpoint.
For more information, see “Get information about a SARIF upload.”

post
http://HOSTNAME/api/v3/repos/{owner}/{repo}/code-scanning/sarifs

Path Parameters

ownerstringrequired
repostringrequired

Body

application/json
commit_shastringrequired

The SHA of the commit to which the analysis you are uploading relates.

Match pattern:^[0-9a-fA-F]+$

>= 40 characters<= 40 characters

refstringrequired

The full Git reference, formatted as refs/heads/<branch name>,
refs/pull/<number>/merge, or refs/pull/<number>/head.

sarifstringrequired

A Base64 string representing the SARIF file to upload. You must first compress your SARIF file using gzip and then translate the contents of the file into a Base64 encoding string. For more information, see “SARIF support for code scanning.”

checkout_uristring(uri)

The base directory used in the analysis, as it appears in the SARIF file.
This property is used to convert file paths from absolute to relative, so that alerts can be mapped to their correct location in the repository.

Example:file:///github/workspace/

started_atstring(date-time)

The time that the analysis run began. This is a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

tool_namestring

The name of the tool used to generate the code scanning analysis. If this parameter is not used, the tool name defaults to “API”. If the uploaded SARIF contains a tool GUID, this will be available for filtering using the tool_guid parameter of operations such as GET /repos/{owner}/{repo}/code-scanning/alerts.

Response

application/json

Response

code-scanning-sarifs-receipt

idstring

An identifier for the upload.

Example:6c81cd8e-b078-4ac3-a3be-1dad7dbd0b53

urlstring(uri)read-only

The REST API URL for checking the status of the upload.

post/repos/{owner}/{repo}/code-scanning/sarifs

Body

{ "commit_sha": "commit_sha", "ref": "ref", "sarif": "sarif" }
 
application/json