Upload an analysis as SARIF data

POST

/repos/{owner}/{repo}/code-scanning/sarifs

Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the security_events scope to use this endpoint. GitHub Apps must have the security_events write permission to use this endpoint.

There are two places where you can upload code scanning results.

If you upload to a pull request, for example --ref refs/pull/42/merge or --ref refs/pull/42/head, then the results appear as alerts in a pull request check. For more information, see "Triaging code scanning alerts in pull requests."

If you upload to a branch, for example --ref refs/heads/my-branch, then the results appear in the Security tab for your repository. For more information, see "Managing code scanning alerts for your repository."

You must compress the SARIF-formatted analysis data that you want to upload, using gzip, and then encode it as a Base64 format string. For example:

gzip -c analysis-data.sarif | base64 -w0

SARIF upload supports a maximum of 1000 results per analysis run. Any results over this limit are ignored. Typically, but not necessarily, a SARIF file contains a single run of a single tool. If a code scanning tool generates too many results, you should update the analysis configuration to run only the most important rules or queries.

The 202 Accepted, response includes an id value.
You can use this ID to check the status of the upload by using this for the /sarifs/{sarif_id} endpoint.
For more information, see "Get information about a SARIF upload."

请求示例

Shell

JavaScript

Java

Swift

curl --location --request POST 'https://api.github.com/repos///code-scanning/sarifs' \
--header 'Content-Type: application/json' \
--data-raw '{
    "checkout_uri": "file:///github/workspace/",
    "commit_sha": "stringstringstringstringstringstringstri",
    "ref": "string",
    "sarif": "string",
    "started_at": "2019-08-24T14:15:22Z",
    "tool_name": "string"
}'

响应示例

202 - 示例 1

{
    "id": "6c81cd8e-b078-4ac3-a3be-1dad7dbd0b53",
    "url": "http://example.com"
}

请求参数

Authorization

在 Header 添加参数

Authorization

，其值为在 Bearer 之后拼接 Token

示例：

Authorization: Bearer ********************

Path 参数

owner

string

必需

repo

string

必需

Body 参数application/json

checkout_uri

string <uri>

可选

The base directory used in the analysis, as it appears in the SARIF file.
This property is used to convert file paths from absolute to relative, so that alerts can be mapped to their correct location in the repository.

示例值:

file:///github/workspace/

commit_sha

string

必需

The SHA of the commit to which the analysis you are uploading relates.

>= 40 字符<= 40 字符

正则匹配:

^[0-9a-fA-F]+$

ref

string

必需

The full Git reference, formatted as refs/heads/<branch name>,
refs/pull/<number>/merge, or refs/pull/<number>/head.

sarif

string

必需

A Base64 string representing the SARIF file to upload. You must first compress your SARIF file using gzip and then translate the contents of the file into a Base64 encoding string. For more information, see "SARIF support for code scanning."

started_at

string <date-time>

可选

The time that the analysis run began. This is a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

tool_name

string

可选

The name of the tool used to generate the code scanning analysis. If this parameter is not used, the tool name defaults to "API". If the uploaded SARIF contains a tool GUID, this will be available for filtering using the tool_guid parameter of operations such as GET /repos/{owner}/{repo}/code-scanning/alerts.

示例