👋 🌎 a playground for Code Scanning 🎢
This is a template repo, demonstrating GitHub's Code Scanning capability, using KICS to generate a "code scanning alert" in GitHub's Security tab:
- The KICS analysis workflow runs on a schedule, and on every `push`
- The KICS output is formatted as SARIF, using the `@fjsnogueira/kics-github-action`
- The SARIF report is submitted to GitHub via the `github/codeql-action/upload-sarif` action
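A workflow that wires those three steps together, written here as an added illustration rather than copied from this repo's own `.github/workflows` file. The `path`, `output_path`, `output_formats` and `ignore_on_exit` inputs are assumed to be the ones the KICS action accepts (they mirror the upstream Checkmarx action; check the fork's `action.yml`), and the `@main` ref and the weekly cron schedule are placeholders. The `security-events: write` permission is what lets `upload-sarif` create alerts in the Security tab; without it the upload step fails.

```yaml
# Added example workflow: scan infrastructure-as-code with KICS on every push
# and on a schedule, then publish the SARIF report as code scanning alerts.
name: KICS code scanning

on:
  push:
  schedule:
    - cron: '0 6 * * 1'   # assumed schedule: Mondays 06:00 UTC

permissions:
  contents: read
  security-events: write  # required for upload-sarif to write alerts

jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS and emit SARIF
        # "@main" is a placeholder; pin to a tag or commit SHA in practice
        uses: fjsnogueira/kics-github-action@main
        with:
          # inputs below are assumed to match the upstream Checkmarx action
          path: '.'
          output_path: results
          output_formats: sarif
          # do not fail the job on findings, so the report is still uploaded;
          # the findings surface as alerts instead of a red build
          ignore_on_exit: results

      - name: Upload SARIF to code scanning
        if: always()   # upload even if the scan step reported an error
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results/results.sarif
```

The `if: always()` guard on the upload step matters: if the scan step exits non-zero for any reason, the SARIF that was already written still reaches GitHub, so the alert history stays complete rather than silently skipping a run.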
- Register for the code scanning beta here
- Generate a copy of this repo
- Push a commit -- it can even be an empty commit (`git commit --allow-empty`)
- Observe as a new security alert is generated
- SARIF example output
- SARIF specification
- `microsoft/sarif-tutorials`: User-friendly documentation for the SARIF file format
- SARIF Validator: View and validate your SARIF files
- `Sarif.Multitool`: Multi-purpose command line tool for analyzing and manipulating SARIF files
- JSON schema for the SARIF specification
- `ajv-validator/ajv-cli`: Command line interface for `ajv`, one of the fastest JSON schema validators
- SARIF support for code scanning
- Example workflow that runs the ESLint analysis tool
- REST API: https://docs.github.com/en/rest/reference/code-scanning
- Demo app for uploading SARIF reports to GitHub via the REST API as a GitHub App: https://github.com/swinton/github-app-upload-sarif