Integrating with code scanning
You can integrate third-party code analysis tools with code scanning by uploading data as SARIF files.
Who can use this feature?
Code scanning is available for the following repository types:
- Public repositories on GitHub.com
- Organization-owned repositories on GitHub Team with GitHub Code Security enabled
About integration with code scanning
You can perform code scanning externally and then display the results in GitHub, or configure webhooks that listen to code scanning activity in your repository.
Using code scanning with your existing CI system
You can analyze your code with the CodeQL CLI or another tool in a third-party continuous integration system and upload the results to GitHub. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.
Uploading a SARIF file to GitHub
You can upload SARIF files generated outside GitHub and see code scanning alerts from third-party tools in your repository.
SARIF support for code scanning
To display results from a third-party static analysis tool in your repository on GitHub, you'll need your results stored in a SARIF file that conforms to a specific subset of the SARIF 2.1.0 JSON schema supported by code scanning. If you use the default CodeQL static analysis engine, your results are displayed in your repository on GitHub automatically.
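The following Python example is added here to illustrate the two steps the sections above describe; it is not code from GitHub's documentation or from any GitHub tool. It converts a third-party tool's findings into a SARIF 2.1.0 log, checks the handful of properties that code scanning needs to render an alert (a `version` of `2.1.0`, a `runs[].tool.driver.name`, and for each result a `ruleId`, a `message.text` and at least one `locations[].physicalLocation.artifactLocation.uri`), then packages the log the way the code scanning SARIF upload endpoint expects (the SARIF text gzip-compressed and base64-encoded, alongside a `commit_sha` and `ref`). The tool name, findings and commit SHA are constructed sample values; the set of checked fields is this example's own assumption about the supported subset and is not a substitute for the full SARIF support reference.

```python
import base64
import gzip
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings, as a hypothetical linter might emit them.
CONSTRUCTED_FINDINGS = [
    {"rule_id": "py/hardcoded-secret", "rule_desc": "Hard-coded credential",
     "level": "error", "message": "API token assigned to a string literal",
     "file": "src/config.py", "line": 12},
    {"rule_id": "py/hardcoded-secret", "rule_desc": "Hard-coded credential",
     "level": "error", "message": "Password assigned to a string literal",
     "file": "src/db.py", "line": 40},
    {"rule_id": "py/insecure-tempfile", "rule_desc": "Insecure temporary file",
     "level": "warning", "message": "tempfile.mktemp() is racy",
     "file": "src/export.py", "line": 7},
]
# Constructed placeholder, not a real commit.
CONSTRUCTED_COMMIT_SHA = "0" * 40


def build_sarif(tool_name, tool_version, findings):
    """Wrap tool findings into a SARIF 2.1.0 log with a single run."""
    rules = {}
    results = []
    for f in findings:
        # One rule object per distinct rule id, referenced by results via ruleId.
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["rule_desc"]},
            "defaultConfiguration": {"level": f.get("level", "warning")},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": f.get("level", "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # %SRCROOT% resolves relative to the repository checkout.
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def validate_sarif(doc):
    """Return a list of problems for the fields an alert needs; empty means OK."""
    errors = []
    if doc.get("version") != "2.1.0":
        errors.append("version must be '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        errors.append("runs must be a non-empty array")
        return errors
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            errors.append(f"runs[{i}].tool.driver.name is required")
        for j, r in enumerate(run.get("results", [])):
            p = f"runs[{i}].results[{j}]"
            if not r.get("ruleId"):
                errors.append(f"{p}.ruleId is required")
            if not r.get("message", {}).get("text"):
                errors.append(f"{p}.message.text is required")
            locs = r.get("locations") or []
            if not locs:
                errors.append(f"{p}.locations must contain at least one location")
            for k, loc in enumerate(locs):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if not uri:
                    errors.append(f"{p}.locations[{k}].physicalLocation.artifactLocation.uri is required")
    return errors


def build_upload_payload(doc, commit_sha, ref):
    """Build the JSON body for a SARIF upload: gzip the log, then base64-encode it."""
    raw = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return {
        "commit_sha": commit_sha,
        "ref": ref,
        "sarif": base64.b64encode(gzip.compress(raw)).decode("ascii"),
    }


def decode_upload_payload(payload):
    """Reverse build_upload_payload, useful for checking what was actually sent."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))


if __name__ == "__main__":
    sarif = build_sarif("example-linter", "1.0.0", CONSTRUCTED_FINDINGS)
    print("validation problems:", validate_sarif(sarif) or "none")
    body = build_upload_payload(sarif, CONSTRUCTED_COMMIT_SHA, "refs/heads/main")
    print(json.dumps(body, indent=2)[:300], "...")
```

Run the validator before every upload: a result that lacks `ruleId`, a message or a file location is rejected or rendered without a usable alert, and catching that in CI is cheaper than debugging an empty Code scanning tab.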