Managing alerts from code scanning

You can view, fix, and close alerts for potential vulnerabilities or errors in your project's code.

People with write permissions to a repository can manage code scanning alerts for the repository.

Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.

About alerts from code scanning

After you enable code scanning, GitHub displays code scanning alerts in your repository. For more information, see "Enabling code scanning for a repository."

Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by CodeQL analysis, you will also see information on how to fix the problem.

Example alert from code scanning

If you decide not to take the action that the alert recommends, you can close the alert manually. For example, you can close an alert for code that is only used for testing, or if you believe the alert is a false positive. You might also close an alert if the effort of fixing the coding error outweighs the benefit of improving the code.

By default, GitHub displays alerts for the default branch and any protected branches. You can sort and filter the list of alerts to see only the alerts you're interested in.

You can see the alerts introduced in a pull request, and take immediate action. When code scanning finds vulnerabilities or errors in a pull request, GitHub displays annotations in the timeline and the diff views of the pull request.

If you enable code scanning using CodeQL, it can also detect data-flow problems in your code. Data-flow analysis finds potential security issues such as using data insecurely, passing dangerous arguments to functions, and leaking sensitive information.

When code scanning reports data-flow alerts, GitHub shows you how data moves through the code. This helps you identify the areas of your code that leak sensitive information and that could serve as entry points for attacks by malicious users.

You can upload SARIF files generated outside GitHub and see code scanning alerts from third-party tools in your repository. To get started, see "Uploading a SARIF file to GitHub."

If you scan your code using a third-party tool or scan your code with custom CodeQL queries, GitHub will only use the supported SARIF 2.1.0 properties to display alerts. Results from third-party tools or custom queries may not include all of the properties that you see when you scan your code using GitHub's default CodeQL queries. For more information, see "SARIF support for code scanning."
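As an added illustration (not part of the GitHub documentation or of any GitHub tooling), the following Python snippet builds a constructed, minimal SARIF 2.1.0 log of the kind a third-party tool might upload and checks each result for the properties an alert needs to be displayed with a file and line. The set of checked properties and the sample tool name are assumptions made for this example, not GitHub's published support list.

```python
import json

# Constructed SARIF 2.1.0 log (sample data, not real scan output).
# Field names follow the SARIF 2.1.0 schema; the second result deliberately
# omits its location and references a rule the tool never declared.
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter", "rules": [
            {"id": "EX001",
             "shortDescription": {"text": "Untrusted input reaches a shell command"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Command built from request data"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002",
             "message": {"text": "No location given; cannot be shown inline"}},
        ],
    }],
}

# Assumed set of properties a result needs so the alert can point at code.
REQUIRED = ["ruleId", "message.text",
            "locations.physicalLocation.artifactLocation.uri",
            "locations.physicalLocation.region.startLine"]

def _get(obj, path):
    """Walk a dotted path through nested dicts; lists are followed via item 0."""
    for key in path.split("."):
        if isinstance(obj, list):
            obj = obj[0] if obj else None
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def check_results(sarif):
    """Map each deficient result index (or 'tool') to the list of problems found."""
    problems = {}
    for run in sarif.get("runs", []):
        if not _get(run, "tool.driver.name"):
            problems["tool"] = ["tool.driver.name"]
        declared = {r.get("id") for r in _get(run, "tool.driver.rules") or []}
        for i, result in enumerate(run.get("results", [])):
            found = [p for p in REQUIRED if _get(result, p) is None]
            if result.get("ruleId") not in declared:
                found.append("ruleId not declared in tool.driver.rules")
            if found:
                problems[i] = found
    return problems

if __name__ == "__main__":
    print(json.dumps(check_results(SAMPLE_SARIF), indent=2))
```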

Viewing an alert

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    Security tab
  3. In the left sidebar, click Code scanning alerts. Optionally, select the code scanning tool you used.
    "Code scanning alerts" tab
  4. Under "Code scanning", click the alert you'd like to view.
    List of alerts from code scanning
  5. Optionally, if the alert highlights a problem with data flow, click Show paths to review the data's path.
    Example data-flow alert

Closing an alert

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    Security tab
  3. In the left sidebar, click Code scanning alerts. Optionally, select the code scanning tool you used.
    "Code scanning alerts" tab
  4. Under "Code scanning", click the alert you'd like to view.
    List of alerts from code scanning
  5. Use the "Close" drop-down, and click a reason for closing the alert.
    Choosing reason for closing the alert via the "Close" drop-down
