Tracking code scanning alerts in issues using task lists

You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.

If you have write permission to a repository, you can track code scanning alerts in issues using task lists.

Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

Note: The tracking of code scanning alerts in issues is in beta and subject to change.

This feature supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure, as well as third-party code scanning tools, but not third-party tracking tools.

About tracking code scanning alerts in issues

Code scanning alerts integrate with task lists in GitHub Issues to make it easy for you to prioritize and track alerts alongside all your development work. For more information about issues, see "About issues."

To track a code scanning alert in an issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "About task lists."

You can also create a new issue to track an alert:

  • From a code scanning alert, which automatically adds the code scanning alert to a task list in the new issue. For more information, see "Creating a tracking issue from a code scanning alert" below.

  • Via the API as you normally would, and then provide the code scanning link within the body of the issue. You must use the task list syntax to create the tracked relationship:

    - [ ] <full-URL-to-the-code-scanning-alert>

    For example, if you add - [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17 to an issue, the issue will track the code scanning alert that has an ID number of 17 in the "Security" tab of the octocat-repo repository in the octocat-org organization.

You can use more than one issue to track the same code scanning alert, and issues can belong to different repositories from the repository where the code scanning alert was found.

GitHub provides visual cues in different locations of the user interface to indicate when you are tracking 代码扫描 alerts in issues.

  • The code scanning alerts list page shows which alerts are tracked in issues, so you can see at a glance which alerts still require processing.

    (Screenshot: "Tracked in" pill on the code scanning alerts list page)

  • A "Tracked in" section also appears on the corresponding alert page.

    (Screenshot: "Tracked in" section on the code scanning alert page)

  • On the tracking issue, GitHub displays a security badge icon in the task list and on the hovercard.

    Only users with write permission to the repository see the unfurled URL to the alert in the issue, as well as the hovercard. For users with read permission to the repository, or no permission at all, the alert appears as a plain URL.

    The icon is grey because an alert has an "open" or "closed" status on each branch separately. The issue tracks the alert as a whole, so it cannot show a single open/closed state for it; if the alert is closed on one branch, the icon color does not change.

    (Screenshot: hovercard in the tracking issue)

The status of the tracked alert does not change if you check or uncheck the corresponding task list item in the issue.

Creating a tracking issue from a code scanning alert

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Code scanning alerts.

  4. Under "Code scanning," click the alert you'd like to explore.

  5. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "Managing code scanning alerts for your repository."

  6. Towards the top of the page, on the right side, click Create issue. GitHub automatically creates an issue to track the alert and adds the alert as a task list item. GitHub prepopulates the issue:

    • The title contains the name of the code scanning alert.
    • The body contains the task list item with the full URL to the code scanning alert.

  7. Optionally, edit the title and the body of the issue.

    Warning: You may want to edit the title of the issue, as it may expose security information. You can also edit the body of the issue, but do not edit the task list item or the issue will no longer track the alert.

    (Screenshot: new tracking issue for the code scanning alert)

  8. Click Submit new issue.
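The API route described under "About tracking code scanning alerts in issues" and the "Create issue" procedure above, worked through in Python as an added example (this is not GitHub's own code and not code from this page). The helper names are assumptions made here; SAMPLE_ALERT and the octocat-org/octocat-repo alert numbers are constructed; taking the title from the alert's rule description is one reading of "the name of the code scanning alert". Only the task list syntax and the REST endpoints for code scanning alerts and issues come from GitHub's documentation.

```python
"""Track code scanning alerts in issues through the GitHub REST API.

Added example, not code from the GitHub Docs page or from GitHub itself.
Assumptions: helper names are invented; SAMPLE_ALERT and the alert numbers
are constructed; the issue title is taken from the alert's rule description.
"""
import json
import re
import urllib.request

API = "https://api.github.com"

# Only a bare, full alert URL as a task list item creates the tracked
# relationship. A markdown link, or a URL inside a sentence, does not.
ALERT_URL_RE = re.compile(
    r"^https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)"
    r"/security/code-scanning/(?P<number>\d+)$"
)
TASK_ITEM_RE = re.compile(r"^\s*[-*]\s+\[(?P<state>[ xX])\]\s+(?P<url>\S+)\s*$")

# Constructed sample of the JSON returned by
# GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}
# (only the fields this example reads).
SAMPLE_ALERT = {
    "number": 17,
    "html_url": "https://github.com/octocat-org/octocat-repo/security/code-scanning/17",
    "rule": {"id": "js/sql-injection",
             "description": "Database query built from user-controlled sources"},
}


def task_item(owner, repo, number):
    """Task list line that makes an issue track alert `number` of owner/repo."""
    return f"- [ ] https://github.com/{owner}/{repo}/security/code-scanning/{int(number)}"


def build_issue_body(alerts, intro="Alerts to fix:"):
    """Body with one task item per (owner, repo, number). The alerts may live
    in a different repository from the issue that tracks them."""
    return "\n".join([intro, ""] + [task_item(*a) for a in alerts]) + "\n"


def tracked_alerts(body):
    """(owner, repo, number) for each task item that is a valid alert URL.

    The checkbox state is ignored on purpose: ticking the box in the issue
    does not change the alert's status."""
    found = []
    for line in body.splitlines():
        item = TASK_ITEM_RE.match(line)
        url = ALERT_URL_RE.match(item.group("url")) if item else None
        if url:
            found.append((url.group("owner"), url.group("repo"), int(url.group("number"))))
    return found


def tracking_issue_payload(alert):
    """Title and body the way the "Create issue" button prepopulates them.
    The title repeats the rule description, so review it before filing in a
    repository whose issues are public."""
    if not ALERT_URL_RE.match(alert["html_url"]):
        raise ValueError(f"not a code scanning alert URL: {alert['html_url']}")
    return {"title": alert["rule"]["description"],
            "body": f"- [ ] {alert['html_url']}\n"}


def _request(method, path, token, payload=None):
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_tracking_issue(token, alert_owner, alert_repo, number,
                          issue_owner=None, issue_repo=None):
    """Fetch the alert and open an issue that tracks it, optionally in another
    repository. Needs network access and a token with access to both."""
    alert = _request("GET", f"/repos/{alert_owner}/{alert_repo}/code-scanning/alerts/{number}", token)
    issue_owner, issue_repo = issue_owner or alert_owner, issue_repo or alert_repo
    return _request("POST", f"/repos/{issue_owner}/{issue_repo}/issues", token,
                    tracking_issue_payload(alert))


if __name__ == "__main__":
    payload = tracking_issue_payload(SAMPLE_ALERT)
    print(payload["title"])
    print(payload["body"], end="")
    print(tracked_alerts(build_issue_body([("octocat-org", "octocat-repo", 17),
                                          ("octocat-org", "other-repo", 3)])))
```

tracked_alerts also shows why the warning in step 7 matters: wrapping the URL in a markdown link, or dropping the task list syntax, leaves a plain URL with no tracked relationship, and the checkbox state is read but not acted on because ticking it never changes the alert. Reading the alert over the API needs a token that can see the repository's code scanning alerts (the security_events scope for private repositories), and creating the issue needs write access to the repository the issue goes in.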
