👋 🌎 a playground for Code Scanning 🎢
This is a template repo, demonstrating GitHub's Code Scanning capability, using ESLint to generate a "code scanning alert" in GitHub's Security tab:
- The ESLint analysis workflow runs on a schedule, and on every push
- The ESLint output is formatted as SARIF, using the @microsoft/eslint-formatter-sarif package
- The SARIF report is submitted to GitHub via the github/codeql-action/upload-sarif action
- Register for the code scanning beta here
- Generate a copy of this repo
- Push a commit -- it can even be an empty commit (git commit --allow-empty)
- Observe as a new security alert is generated
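The schedule-plus-push workflow described above, written out as an added example (this is not the template repo's own workflow file); the file path, cron schedule, Node version and the report file name are assumptions, and @microsoft/eslint-formatter-sarif is assumed to be listed in package.json's devDependencies:

```yaml
# .github/workflows/eslint.yml  (assumed path; example added here, not the template's own file)
name: ESLint analysis

on:
  push:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC (assumed schedule)

permissions:
  contents: read
  security-events: write   # needed so upload-sarif can create code scanning alerts

jobs:
  eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed

      # Installs eslint and @microsoft/eslint-formatter-sarif from package.json
      - name: Install dependencies
        run: npm ci

      # ESLint exits non-zero when it reports errors; continue-on-error keeps
      # the job running so the SARIF report is still uploaded and the findings
      # show up as alerts instead of silently failing the job.
      - name: Run ESLint and write a SARIF report
        run: npx eslint . --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
        continue-on-error: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: eslint-results.sarif
          category: eslint   # keeps ESLint alerts separate from other SARIF uploads
```

Once the report is processed, each ESLint finding appears under the repository's Security tab as a code scanning alert, and an empty commit is enough to trigger the push run.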
- SARIF example output
- SARIF specification
- microsoft/sarif-tutorials: User-friendly documentation for the SARIF file format
- SARIF Validator: View and validate your SARIF files
- Sarif.Multitool: Multi-purpose command line tool for analyzing and manipulating SARIF files
- JSON schema for the SARIF specification
- ajv-validator/ajv-cli: Command line interface for ajv, one of the fastest JSON schema validators
- SARIF support for code scanning
- Example workflow that runs the ESLint analysis tool
- REST API: https://docs.github.com/en/rest/reference/code-scanning
- Demo app for uploading SARIF reports to GitHub via the REST API as a GitHub App: https://github.com/swinton/github-app-upload-sarif
