Frecuentemente publicamos actualizaciones de nuestra documentación. Es posible que la traducción de esta página esté en curso. Para conocer la información más actual, visita la documentación en inglés. Si existe un problema con las traducciones en esta página, por favor infórmanos.
Versión del artículo: GitHub.com
Versión del artículo: GitHub.com

Code scanning

En este artículo

¿Te ayudó este documento?

Nota: Escaneo de código se encuentra acutalmente en beta y está sujeto a cambios. To request access to the beta, join the waitlist.

The escaneo de código API lets you retrieve and update code scanning alerts from a repository. You can use the endpoints to create automated reports for the code scanning alerts in an organization or upload analysis results generated using offline code scanning tools. For more information, see "Finding security vulnerabilities and errors in your code."

List code scanning alerts for a repository

Lists all open code scanning alerts for the default branch (usually master) and protected branches in a repository. For private repos, you must use an access token with the repo scope. For public repos, you must use an access token with public_repo and repo:security_events scopes. GitHub Apps must have the security_events read permission to use this endpoint.

get /repos/{owner}/{repo}/code-scanning/alerts

Parámetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended

owner string path
repo string path
state string query

Set to open, fixed, or dismissed to list code scanning alerts in a specific state.

ref string query

Set a full Git reference to list alerts for a specific branch. The ref must be formatted as refs/heads/<branch name>.

Ejemplos de código

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/alerts
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
  owner: 'octocat',
  repo: 'hello-world'
})

Default response

Status: 200 OK
[
  {
    "number": 4,
    "created_at": "2020-02-13T12:29:18Z",
    "url": "https://api.github.com/repos/github/hello-world/code-scanning/alerts/4",
    "html_url": "https://github.com/github/hello-world/code-scanning/4",
    "state": "open",
    "dismissed_by": null,
    "dismissed_at": null,
    "dismissed_reason": null,
    "rule": {
      "id": "js/zipslip",
      "severity": "error",
      "description": "Arbitrary file write during zip extraction"
    },
    "tool": {
      "name": "CodeQL command-line toolchain",
      "version": null
    }
  },
  {
    "number": 3,
    "created_at": "2020-02-13T12:29:18Z",
    "url": "https://api.github.com/repos/github/hello-world/code-scanning/alerts/3",
    "html_url": "https://github.com/dsp-testing/github/hello-world/code-scanning/3",
    "state": "open",
    "dismissed_by": null,
    "dismissed_at": null,
    "dismissed_reason": null,
    "rule": {
      "id": "js/zipslip",
      "severity": "error",
      "description": "Arbitrary file write during zip extraction"
    },
    "tool": {
      "name": "CodeQL command-line toolchain",
      "version": null
    }
  }
]

Response if the ref doesn t match an existing ref

Status: 404 Not Found

Notes


Get a code scanning alert

Gets a single code scanning alert. For private repos, you must use an access token with the repo scope. For public repos, you must use an access token with public_repo and repo:security_events scopes. GitHub Apps must have the security_events read permission to use this endpoint.

get /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

Parámetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended

owner string path
repo string path
alert_number integer path

The code scanning alert number.

Ejemplos de código

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/alerts/42
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}', {
  owner: 'octocat',
  repo: 'hello-world'
})

Default response

Status: 200 OK
{
  "number": 22,
  "created_at": "2020-06-19T11:21:34Z",
  "url": "https://api.github.com/repos/github/hello-world/code-scanning/alerts/22",
  "html_url": "https://github.com/github/hello-world/code-scanning/22",
  "instances": [
    {
      "ref": "refs/heads/codeql-analysis-yml",
      "analysis_key": ".github/workflows/codeql-analysis.yml:CodeQL-Build",
      "environment": {},
      "state": "fixed"
    },
    {
      "ref": "refs/pull/3740/head",
      "analysis_key": ".github/workflows/codeql-analysis.yml:CodeQL-Build",
      "environment": {},
      "state": "fixed"
    }
  ],
  "state": "fixed",
  "dismissed_by": null,
  "dismissed_at": null,
  "dismissed_reason": null,
  "rule": {
    "id": "js/polynomial-redos",
    "severity": "warning",
    "description": "Polynomial regular expression used on uncontrolled data"
  },
  "tool": {
    "name": "CodeQL command-line toolchain",
    "version": null
  }
}

Notes


Update a code scanning alert

Updates the status of a single code scanning alert. For private repos, you must use an access token with the repo scope. For public repos, you must use an access token with public_repo and repo:security_events scopes. GitHub Apps must have the security_events write permission to use this endpoint.

patch /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

Parámetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended

owner string path
repo string path
alert_number integer path

The code scanning alert number.

state string body

Required. Sets the state of the code scanning alert. Can be one of open or dismissed. You must provide dismissed_reason when you set the state to dismissed.

dismissed_reason string or null body

Required when the state is dismissed. The reason for dismissing or closing the alert. Can be one of: false positive, won't fix, and used in tests.

Ejemplos de código

Shell
curl \
  -X PATCH \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/alerts/42 \
  -d '{"state":"state"}'
JavaScript (@octokit/core.js)
await octokit.request('PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}', {
  owner: 'octocat',
  repo: 'hello-world',
  state: 'state'
})

Default response

Status: 200 OK
{
  "number": 22,
  "created_at": "2020-08-25T21:28:36Z",
  "url": "https://api.github.com/repos/github/hello-world/code-scanning/alerts/22",
  "html_url": "https://github.com/github/hello-world/code-scanning/22",
  "instances": [
    {
      "ref": "refs/heads/codeql-analysis-yml",
      "analysis_key": ".github/workflows/codeql-analysis.yml:CodeQL-Build",
      "environment": {},
      "state": "dismissed"
    },
    {
      "ref": "refs/pull/3740/head",
      "analysis_key": ".github/workflows/codeql-analysis.yml:CodeQL-Build",
      "environment": {},
      "state": "dismissed"
    }
  ],
  "state": "dismissed",
  "dismissed_by": {
    "login": "octocat",
    "id": 1,
    "node_id": "MDQ6VXNlcjE=",
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "",
    "url": "https://api.github.com/users/octocat",
    "html_url": "https://github.com/octocat",
    "followers_url": "https://api.github.com/users/octocat/followers",
    "following_url": "https://api.github.com/users/octocat/following{/other_user}",
    "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
    "organizations_url": "https://api.github.com/users/octocat/orgs",
    "repos_url": "https://api.github.com/users/octocat/repos",
    "events_url": "https://api.github.com/users/octocat/events{/privacy}",
    "received_events_url": "https://api.github.com/users/octocat/received_events",
    "type": "User",
    "site_admin": false
  },
  "dismissed_at": "2020-09-02T22:34:56Z",
  "dismissed_reason": "false positive",
  "rule": {
    "id": "js/polynomial-redos",
    "severity": "warning",
    "description": "Polynomial regular expression used on uncontrolled data"
  },
  "tool": {
    "name": "CodeQL command-line toolchain",
    "version": null
  }
}

When code scanning isn t available you can try again at a later time

Status: 503 Service Unavailable

Notes


List recent code scanning analyses for a repository

List the details of recent code scanning analyses for a repository. For private repos, you must use an access token with the repo scope. For public repos, you must use an access token with public_repo and repo:security_events scopes. GitHub Apps must have the security_events read permission to use this endpoint.

get /repos/{owner}/{repo}/code-scanning/analyses

Parámetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended

owner string path
repo string path
ref string query

Set a full Git reference to list alerts for a specific branch. The ref must be formatted as refs/heads/<branch name>.

tool_name string query

Set a single code scanning tool name to filter alerts by tool.

Ejemplos de código

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/analyses
JavaScript (@octokit/core.js)
await octokit.request('GET /repos/{owner}/{repo}/code-scanning/analyses', {
  owner: 'octocat',
  repo: 'hello-world'
})

Default response

Status: 200 OK
[
  {
    "ref": "refs/heads/master",
    "commit_sha": "d99612c3e1f2970085cfbaeadf8f010ef69bad83",
    "analysis_key": ".github/workflows/codeql-analysis.yml:analyze",
    "tool_name": "CodeQL command-line toolchain",
    "environment": "{}",
    "error": "",
    "created_at": "2020-08-27T15:05:21Z"
  },
  {
    "ref": "refs/heads/my-branch",
    "commit_sha": "c8cff6510d4d084fb1b4aa13b64b97ca12b07321",
    "analysis_key": ".github/workflows/shiftleft.yml:build",
    "tool_name": "Python Security Analysis",
    "environment": "{}",
    "error": "",
    "created_at": "2020-08-31T22:46:44Z"
  }
]

Notes


Upload a SARIF file

Upload a SARIF file containing the results of a code scanning analysis to make the results available in a repository. For private repos, you must use an access token with the repo scope. For public repos, you must use an access token with public_repo and repo:security_events scopes. GitHub Apps must have the security_events write permission to use this endpoint.

post /repos/{owner}/{repo}/code-scanning/sarifs

Parámetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended

owner string path
repo string path
commit_sha string body

Required. The commit SHA of the code scanning analysis file.

ref string body

Required. The full Git reference of the code scanning analysis file, formatted as refs/heads/<branch name>.

sarif string body

Required. A Base64 string representing the SARIF file to upload. You must first compress your SARIF file using gzip and then translate the contents of the file into a Base64 encoding string.

checkout_uri string body

The base directory used in the analysis, as it appears in the SARIF file. This property is used to convert file paths from absolute to relative, so that alerts can be mapped to their correct location in the repository.

started_at string body

The time that the analysis run began. This is a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

tool_name string body

Required. The name of the tool used to generate the code scanning analysis alert.

Ejemplos de código

Shell
curl \
  -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/octocat/hello-world/code-scanning/sarifs \
  -d '{"commit_sha":"commit_sha","ref":"ref","sarif":"sarif","tool_name":"tool_name"}'
JavaScript (@octokit/core.js)
await octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
  owner: 'octocat',
  repo: 'hello-world',
  commit_sha: 'commit_sha',
  ref: 'ref',
  sarif: 'sarif',
  tool_name: 'tool_name'
})

Response

Status: 202 Accepted

Response if commit sha or ref cannot be found

Status: 404 Not Found

Notes


¿Te ayudó este documento?