Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events write permission to use this endpoint.
There are two places where you can upload code scanning results.

- If you upload to a pull request, for example --ref refs/pull/42/merge or --ref refs/pull/42/head, then the results appear as alerts in a pull request check. For more information, see "Triaging code scanning alerts in pull requests."
- If you upload to a branch, for example --ref refs/heads/my-branch, then the results appear in the Security tab for your repository. For more information, see "Managing code scanning alerts for your repository."

You must compress the SARIF-formatted analysis data that you want to upload using gzip, and then encode it as a Base64 string. For example:

gzip -c analysis-data.sarif | base64 -w0
SARIF upload supports a maximum of 5,000 results per analysis run. Any results over this limit are ignored, and any SARIF upload with more than 25,000 results is rejected. Typically, but not necessarily, a SARIF file contains a single run of a single tool. If a code scanning tool generates too many results, you should update the analysis configuration to run only the most important rules or queries.
The 202 Accepted response includes an id value. You can use this ID to check the status of the upload with the /sarifs/{sarif_id} endpoint. For more information, see "Get information about a SARIF upload."
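The whole flow described on this page (gzip + Base64 encoding, the per-run and per-upload result limits, the ref forms for pull requests and branches, and polling the id returned with the 202), as an added Python example that is not GitHub's own code. It assumes the endpoint paths POST /repos/{owner}/{repo}/code-scanning/sarifs and GET /repos/{owner}/{repo}/code-scanning/sarifs/{sarif_id}, the request fields commit_sha, ref, sarif and tool_name, and a processing_status field in the status response. SAMPLE_SARIF, the owner and repository names, the placeholder commit SHA and the GITHUB_TOKEN environment variable are constructed for the example, and reading the 25,000 limit as the total across all runs in one upload is an assumption. Nothing is sent unless GITHUB_TOKEN is set.

```python
"""Prepare, validate and submit a code scanning SARIF upload (added example)."""
import base64
import gzip
import json
import os
import re
import time
import urllib.request

API = "https://api.github.com"
MAX_RESULTS_PER_RUN = 5000      # results beyond this in a single run are ignored
MAX_RESULTS_PER_UPLOAD = 25000  # uploads above this are rejected (assumed: total over all runs)

# Constructed minimal SARIF 2.1.0 document used as sample input (not a real scan).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "version": "1.0.0"}},
        "results": [{
            "ruleId": "EX001",
            "level": "warning",
            "message": {"text": "Example finding"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 1}}}],
        }],
    }],
}

# Only these ref shapes route results to a PR check or to the Security tab.
_REF_RE = re.compile(r"^refs/(heads/.+|pull/\d+/(merge|head))$")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def count_results(sarif):
    """Number of results in each run of the SARIF document."""
    return [len(run.get("results", [])) for run in sarif.get("runs", [])]


def check_limits(sarif):
    """'ok', 'truncated' (a run exceeds 5,000; the excess is ignored) or 'rejected' (> 25,000)."""
    per_run = count_results(sarif)
    if sum(per_run) > MAX_RESULTS_PER_UPLOAD:
        return "rejected"
    if any(n > MAX_RESULTS_PER_RUN for n in per_run):
        return "truncated"
    return "ok"


def encode_sarif(sarif):
    """gzip the JSON and Base64-encode it: the same as `gzip -c file.sarif | base64 -w0`."""
    raw = json.dumps(sarif, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_sarif(encoded):
    """Inverse of encode_sarif, to verify what will actually be sent."""
    return json.loads(gzip.decompress(base64.b64decode(encoded)))


def build_payload(sarif, commit_sha, ref, tool_name=None):
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs (assumed field names)."""
    if not _SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be the full 40-character hex SHA")
    if not _REF_RE.match(ref):
        raise ValueError("ref must be refs/heads/<branch> or refs/pull/<n>/{merge,head}")
    payload = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif)}
    if tool_name:
        payload["tool_name"] = tool_name
    return payload


def _request(method, url, token, body=None):
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",   # token needs the security_events scope
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.load(resp)


def upload_and_wait(owner, repo, payload, token, attempts=10, delay=5):
    """POST the upload, then poll GET .../sarifs/{sarif_id} using the id from the 202 response."""
    status, body = _request("POST", f"{API}/repos/{owner}/{repo}/code-scanning/sarifs", token, payload)
    if status != 202:
        raise RuntimeError(f"unexpected status {status}: {body}")
    sarif_id = body["id"]
    for _ in range(attempts):
        _, info = _request("GET", f"{API}/repos/{owner}/{repo}/code-scanning/sarifs/{sarif_id}", token)
        if info.get("processing_status") in ("complete", "failed"):  # assumed field/values
            return info
        time.sleep(delay)
    return {"id": sarif_id, "processing_status": "pending"}


if __name__ == "__main__":
    # Placeholder SHA and repository names; replace with real values before uploading.
    payload = build_payload(SAMPLE_SARIF, "deadbeef" * 5, "refs/heads/main", "example-scanner")
    print("limits:", check_limits(SAMPLE_SARIF), "| encoded bytes:", len(payload["sarif"]))
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        print(upload_and_wait("octo-org", "octo-repo", payload, token))
```

Validating the ref up front matters because a malformed or unexpected ref is rejected server-side only after you have already spent the gzip/Base64 work, and because results uploaded under refs/heads/... land in the Security tab rather than on a pull request check; polling with the returned id is the only way to learn that a large or malformed file was processed with errors rather than silently truncated.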