Note: Code scanning for open source repositories and private repositories is currently in beta and subject to change. To sign up, see Advanced Security beta.
The code scanning API lets you retrieve code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization. For more information, see "Finding security vulnerabilities and errors in your code."
List code scanning alerts for a repository
Lists all open code scanning alerts for the default branch (usually master) and protected branches in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.
get /repos/{owner}/{repo}/code-scanning/alerts
Parameters
| Name | Type | In | Description |
|---|---|---|---|
| accept | string | header | Setting to |
| owner | string | path | |
| repo | string | path | |
| state | string | query | Set to |
| ref | string | query | Returns a list of code scanning alerts for a specific branch reference. The |
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/code-scanning/alerts
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
owner: 'octocat',
repo: 'hello-world'
})
Default response
Status: 200 OK
[
{
"rule_id": "js/trivial-conditional",
"rule_severity": "warning",
"rule_description": "Useless conditional",
"tool": "CodeQL",
"created_at": "2020-05-06T12:00:00Z",
"open": true,
"closed_by": null,
"closed_at": null,
"url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/25",
"html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/25"
},
{
"rule_id": "js/useless-expression",
"rule_severity": "warning",
"rule_description": "Expression has no effect",
"tool": "CodeQL",
"created_at": "2020-05-06T12:00:00Z",
"open": true,
"closed_by": null,
"closed_at": null,
"url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
"html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
}
]
Response if the ref doesn't match an existing ref
Status: 404 Not Found
Get a code scanning alert
Gets a single code scanning alert. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.
The security alert_id is found at the end of the security alert's URL. For example, the security alert ID for https://github.com/Octo-org/octo-repo/security/code-scanning/88 is 88.
get /repos/{owner}/{repo}/code-scanning/alerts/{alert_id}
Parameters
| Name | Type | In | Description |
|---|---|---|---|
| accept | string | header | Setting to |
| owner | string | path | |
| repo | string | path | |
| alert_id | integer | path | |
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/octocat/hello-world/code-scanning/alerts/42
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_id}', {
owner: 'octocat',
repo: 'hello-world',
alert_id: 42
})
Default response
Status: 200 OK
{
"rule_id": "js/useless-expression",
"rule_severity": "warning",
"rule_description": "Expression has no effect",
"tool": "CodeQL",
"created_at": "2020-05-06T12:00:00Z",
"open": true,
"closed_by": null,
"closed_at": null,
"url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
"html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
}
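As an added example (not part of GitHub's documentation or client libraries), the following Python builds the list-alerts URL from the `state` and `ref` query parameters, derives the `alert_id` from an alert's `html_url` as described under "Get a code scanning alert", and turns one list-alerts response into a small report, treating the 404 for an unknown ref as a reportable condition. The response body is constructed from the sample shown on this page; no network call is made.

```python
import json
from collections import Counter
from urllib.parse import urlencode, urlparse

API = "https://api.github.com"

# Constructed sample: the 200 body this page shows for
# GET /repos/{owner}/{repo}/code-scanning/alerts (two open CodeQL alerts).
SAMPLE_BODY = json.dumps([
    {"rule_id": "js/trivial-conditional", "rule_severity": "warning",
     "rule_description": "Useless conditional", "tool": "CodeQL",
     "created_at": "2020-05-06T12:00:00Z", "open": True, "closed_by": None, "closed_at": None,
     "url": f"{API}/repos/Octo-org/octo-repo/code-scanning/alerts/25",
     "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/25"},
    {"rule_id": "js/useless-expression", "rule_severity": "warning",
     "rule_description": "Expression has no effect", "tool": "CodeQL",
     "created_at": "2020-05-06T12:00:00Z", "open": True, "closed_by": None, "closed_at": None,
     "url": f"{API}/repos/Octo-org/octo-repo/code-scanning/alerts/88",
     "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"},
])

def alerts_url(owner, repo, state=None, ref=None):
    """List-alerts URL; state and ref are the optional query parameters."""
    query = {k: v for k, v in (("state", state), ("ref", ref)) if v is not None}
    url = f"{API}/repos/{owner}/{repo}/code-scanning/alerts"
    return f"{url}?{urlencode(query)}" if query else url

def alert_id_from_url(html_url):
    """alert_id is the last path segment of html_url: .../code-scanning/88 -> 88."""
    last = urlparse(html_url).path.rstrip("/").rsplit("/", 1)[-1]
    if not last.isdigit():
        raise ValueError(f"no numeric alert id at the end of {html_url}")
    return int(last)

def summarize_alerts(status, body):
    """Report for one list-alerts response; 404 means the requested ref does not exist."""
    if status == 404:
        return {"error": "ref not found", "total": 0, "open": 0}
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    alerts = json.loads(body)
    open_alerts = [a for a in alerts if a["open"]]
    return {
        "total": len(alerts),
        "open": len(open_alerts),
        "by_severity": dict(Counter(a["rule_severity"] for a in open_alerts)),
        "by_rule": dict(Counter(a["rule_id"] for a in open_alerts)),
        "alert_ids": sorted(alert_id_from_url(a["html_url"]) for a in open_alerts),
    }
```

Feed `summarize_alerts` the status code and body of each repository's response to aggregate alerts across an organization; the `Accept: application/vnd.github.v3+json` header and `security_events` token from the code samples above still apply to the real request.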