Code Scanning

Note: Code scanning for open source repositories and private repositories is currently in beta and subject to change. To sign up, see Advanced Security beta.

The code scanning API lets you retrieve code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization. For more information, see "Finding security vulnerabilities and errors in your code."

List code scanning alerts for a repository

Lists all open code scanning alerts for the default branch (usually master) and protected branches in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.

get /repos/{owner}/{repo}/code-scanning/alerts

Parameters

Name     Type     In       Description
accept   string   header   Setting to application/vnd.github.v3+json is recommended.
owner    string   path
repo     string   path
state    string   query    Set to closed to list only closed code scanning alerts.
ref      string   query    Returns a list of code scanning alerts for a specific branch reference. The ref must be formatted as heads/<branch name>.

Code samples

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/alerts
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
  owner: 'octocat',
  repo: 'hello-world'
})

Default response

Status: 200 OK
[
  {
    "rule_id": "js/trivial-conditional",
    "rule_severity": "warning",
    "rule_description": "Useless conditional",
    "tool": "CodeQL",
    "created_at": "2020-05-06T12:00:00Z",
    "open": true,
    "closed_by": null,
    "closed_at": null,
    "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/25",
    "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/25"
  },
  {
    "rule_id": "js/useless-expression",
    "rule_severity": "warning",
    "rule_description": "Expression has no effect",
    "tool": "CodeQL",
    "created_at": "2020-05-06T12:00:00Z",
    "open": true,
    "closed_by": null,
    "closed_at": null,
    "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
    "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
  }
]

Response if the ref doesn't match an existing ref

Status: 404 Not Found

Get a code scanning alert

Gets a single code scanning alert. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events read permission to use this endpoint.

The security alert_id is found at the end of the security alert's URL. For example, the security alert ID for https://github.com/Octo-org/octo-repo/security/code-scanning/88 is 88.

get /repos/{owner}/{repo}/code-scanning/alerts/{alert_id}

Parameters

Name       Type      In       Description
accept     string    header   Setting to application/vnd.github.v3+json is recommended.
owner      string    path
repo       string    path
alert_id   integer   path

Code samples

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/alerts/42
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_id}', {
  owner: 'octocat',
  repo: 'hello-world',
  alert_id: 42
})

Default response

Status: 200 OK
{
  "rule_id": "js/useless-expression",
  "rule_severity": "warning",
  "rule_description": "Expression has no effect",
  "tool": "CodeQL",
  "created_at": "2020-05-06T12:00:00Z",
  "open": true,
  "closed_by": null,
  "closed_at": null,
  "url": "https://api.github.com/repos/Octo-org/octo-repo/code-scanning/alerts/88",
  "html_url": "https://github.com/Octo-org/octo-repo/security/code-scanning/88"
}
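The following is an added example, not code from the GitHub documentation or from @octokit/core: it ties together the two endpoints above, the list endpoint (with the ref formatted as heads/<branch> and the state filter) and the single-alert endpoint (recovering alert_id from the end of an alert's URL), and aggregates the results into the kind of per-rule report the introduction describes. It assumes Node.js 18 or later for the global fetch(), a personal access token with the security_events scope in the GITHUB_TOKEN environment variable, and the alert fields shown in the example responses; the sample alerts at the bottom are constructed from those responses so the summary runs offline.

```javascript
// Added example, not part of the GitHub documentation: pull code scanning
// alerts for a set of repositories and turn them into a per-rule report.
// Assumptions not stated on the page: Node.js 18+ (global fetch), a token in
// GITHUB_TOKEN with the security_events scope, and the alert fields shown in
// the example responses above.

const API = 'https://api.github.com';

// URL for GET /repos/{owner}/{repo}/code-scanning/alerts. The docs require
// ref to be formatted as heads/<branch>, so the caller passes a bare branch
// name and this function adds the prefix; state is only set when requested.
function alertsUrl(owner, repo, { branch, state } = {}) {
  const base = `${API}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/code-scanning/alerts`;
  const url = new URL(base);
  if (branch) url.searchParams.set('ref', `heads/${branch}`);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Recover the numeric alert_id from an alert's html_url or API url, e.g.
// https://github.com/Octo-org/octo-repo/security/code-scanning/88 -> 88.
function alertIdFromUrl(url) {
  const m = /\/(\d+)\/?$/.exec(new URL(url).pathname);
  if (!m) throw new Error(`no alert id at the end of ${url}`);
  return Number(m[1]);
}

// GET with the recommended Accept header. The page documents 404 for a ref
// that does not exist, so that case is returned as null instead of thrown and
// the caller can record "no such branch" in the report.
async function fetchAlerts(owner, repo, opts = {}, token = process.env.GITHUB_TOKEN) {
  const res = await fetch(alertsUrl(owner, repo, opts), {
    headers: {
      Accept: 'application/vnd.github.v3+json',
      Authorization: `token ${token}`,
    },
  });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`GitHub API returned ${res.status} for ${owner}/${repo}`);
  return res.json();
}

// Aggregate {"owner/repo": [alerts]} into totals plus per-rule and
// per-severity counts. Repositories whose fetch returned null are listed
// separately so a typo in a branch name shows up instead of being counted
// as zero alerts.
function summarise(alertsByRepo) {
  const report = { open: 0, closed: 0, byRule: {}, bySeverity: {}, missing: [] };
  for (const [repo, alerts] of Object.entries(alertsByRepo)) {
    if (alerts === null) { report.missing.push(repo); continue; }
    for (const a of alerts) {
      if (a.open) report.open += 1; else report.closed += 1;
      report.byRule[a.rule_id] = (report.byRule[a.rule_id] || 0) + 1;
      report.bySeverity[a.rule_severity] = (report.bySeverity[a.rule_severity] || 0) + 1;
    }
  }
  return report;
}

// Fetch every repository in turn and summarise. Sequential on purpose so a
// handful of repositories stays well inside the API rate limit.
async function orgReport(owner, repos, opts = {}) {
  const alertsByRepo = {};
  for (const repo of repos) {
    alertsByRepo[`${owner}/${repo}`] = await fetchAlerts(owner, repo, opts);
  }
  return summarise(alertsByRepo);
}

// Constructed sample input: the two alerts from the example response above
// plus one made-up closed alert, so the summary can be run offline.
const SAMPLE_ALERTS = [
  { rule_id: 'js/trivial-conditional', rule_severity: 'warning', open: true,
    html_url: 'https://github.com/Octo-org/octo-repo/security/code-scanning/25' },
  { rule_id: 'js/useless-expression', rule_severity: 'warning', open: true,
    html_url: 'https://github.com/Octo-org/octo-repo/security/code-scanning/88' },
  { rule_id: 'js/useless-expression', rule_severity: 'error', open: false,
    html_url: 'https://github.com/Octo-org/octo-repo/security/code-scanning/91' },
];

console.log(JSON.stringify(summarise({
  'Octo-org/octo-repo': SAMPLE_ALERTS,
  'Octo-org/no-such-branch': null,
}), null, 2));
```

Against the live API, call orgReport('Octo-org', ['octo-repo', 'other-repo'], { branch: 'main' }) with GITHUB_TOKEN set; pass { state: 'closed' } to report on closed alerts instead of open ones. Note that URLSearchParams percent-encodes the slash in heads/<branch> (ref=heads%2Fmain), which the API accepts.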
