Code Scanning

Note: Code scanning for open source repositories and private repositories is currently in beta and subject to change. To sign up, see Advanced Security beta.

The code scanning API lets you retrieve code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization. For more information, see "Finding security vulnerabilities and errors in your code" in the GitHub Help documentation.

List code scanning alerts for a repository

Lists all open code scanning alerts for the default branch (usually master) and protected branches in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.

GET /repos/:owner/:repo/code-scanning/alerts

Parameters

Name   Type    Description
state  string  Set to closed to list only closed code scanning alerts. Default: open
ref    string  Returns a list of code scanning alerts for a specific branch reference. The ref must be formatted as heads/<branch name>.

Response

Status: 200 OK
[
  {
    "rule_id": "js/trivial-conditional",
    "rule_severity": "warning",
    "rule_description": "Useless conditional",
    "tool": "CodeQL",
    "created_at": "2020-05-06T12:00:00Z",
    "open": true,
    "closed_by": null,
    "closed_at": null,
    "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/25",
    "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/25"
  },
  {
    "rule_id": "js/useless-expression",
    "rule_severity": "warning",
    "rule_description": "Expression has no effect",
    "tool": "CodeQL",
    "created_at": "2020-05-06T12:00:00Z",
    "open": true,
    "closed_by": null,
    "closed_at": null,
    "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
    "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
  }
]

Response if the ref doesn't match an existing ref

Status: 404 Not Found

Get a code scanning alert

Gets a single code scanning alert. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.

The security alert_id is found at the end of the security alert's URL. For example, the security alert ID for https://github.com/Octo-org/octo-repo/security/code-scanning/88 is 88.

GET /repos/:owner/:repo/code-scanning/alerts/:alert_id

Response

Status: 200 OK
{
  "rule_id": "js/useless-expression",
  "rule_severity": "warning",
  "rule_description": "Expression has no effect",
  "tool": "CodeQL",
  "created_at": "2020-05-06T12:00:00Z",
  "open": true,
  "closed_by": null,
  "closed_at": null,
  "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
  "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
}
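The following is an added example, not part of the GitHub documentation above: a small Python client that builds the list-alerts URL (validating the heads/<branch name> form of ref), sends the request with a security_events-scoped token read from the GITHUB_TOKEN environment variable (an assumed variable name), treats a 404 as "ref does not match an existing ref", extracts alert_id from the end of the alert URL as described under "Get a code scanning alert", and rolls the alerts up into a per-rule report. The SAMPLE data is constructed from the documented response and abridged to the fields the report uses.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.github.com"

def alerts_url(owner, repo, state=None, ref=None):
    """Build the list-alerts URL; ref must be formatted as heads/<branch name>."""
    if ref is not None and not ref.startswith("heads/"):
        raise ValueError("ref must be formatted as heads/<branch name>")
    params = {k: v for k, v in (("state", state), ("ref", ref)) if v is not None}
    url = f"{API}/repos/{owner}/{repo}/code-scanning/alerts"
    return url + ("?" + urllib.parse.urlencode(params, safe="/") if params else "")

def alert_id_from_url(html_url):
    """alert_id is the last path segment of the alert URL (.../code-scanning/88 -> 88)."""
    return int(html_url.rstrip("/").rsplit("/", 1)[1])

def fetch_alerts(url, token):
    """GET alerts with a security_events-scoped token; returns (status, body or None)."""
    headers = {"Authorization": f"token {token}", "Accept": "application/vnd.github.v3+json"}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None  # 404 when the ref does not match an existing ref

def summarize(alerts):
    """Report: alert IDs grouped by (tool, rule_severity, rule_id)."""
    report = {}
    for a in alerts:
        key = (a["tool"], a["rule_severity"], a["rule_id"])
        report.setdefault(key, []).append(alert_id_from_url(a["html_url"]))
    return report

# Constructed sample, abridged to the fields the report uses (not live API output).
SAMPLE = [
    {"rule_id": "js/trivial-conditional", "rule_severity": "warning", "tool": "CodeQL",
     "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/25"},
    {"rule_id": "js/useless-expression", "rule_severity": "warning", "tool": "CodeQL",
     "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # read from the environment, never hard-coded
    url = alerts_url("Octo-org", "octo-repo", state="open", ref="heads/master")
    status, alerts = fetch_alerts(url, token) if token else (200, SAMPLE)  # offline: sample
    for (tool, sev, rule), ids in summarize(alerts or []).items():
        print(f"{tool} {sev:8} {rule:28} alerts={ids}")
```

Without GITHUB_TOKEN set the script reports on the constructed sample, so it can be run offline; with a token it queries the live endpoint for the named repository.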