Improved code scanning API

The code scanning API allows users to upload data about static analysis security testing results, or export data about alerts. We are releasing updates to the API including:

  • When uploading a SARIF file, the API returns additional status information, including a pointer to the analyses endpoint for that result.
  • When exporting alerts, the API now includes additional metadata to assist in offline analysis, including the alert's location in the code, title, description, and full help text.
  • The alerts API also supports optionally exporting alerts in the SARIF format to improve interoperability with SARIF-enabled workflows.
  • A new instances API, GET /code-scanning/alerts/:id/instances, provides information about the instances of an alert across many branches.
  • You can now delete the most_recent analysis using DELETE /code-scanning/analyses/:id. This will also remove any net new alerts which were introduced by that analysis.
  • The tool_name property of GET /code-scanning/analyses has been deprecated. Please use the tools object and its respective properties going forward.
  • The instances property of GET /code-scanning/alerts/:id has been deprecated. Please use the new resource GET /code-scanning/alerts/:id/instances going forward.
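
As an added illustration (not code from the changelog or from GitHub), the sketch below moves a consumer of the deprecated instances property to the new instances resource and lists the branches where an alert is still open. The /repos/{owner}/{repo} prefix, the per_page/page parameters, the field names ref, state and location, and the helper names are assumptions; the sample data is constructed.

```python
import json
import urllib.request
from collections import defaultdict
from urllib.parse import urlencode

API = "https://api.github.com"  # assumption: short paths on the page sit under /repos/{owner}/{repo}

def instances_url(owner, repo, alert_id, page, per_page):
    query = urlencode({"per_page": per_page, "page": page})
    return f"{API}/repos/{owner}/{repo}/code-scanning/alerts/{alert_id}/instances?{query}"

def github_get(token):  # real getter for live use; sample_get below is the offline stand-in
    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get

def fetch_instances(http_get, owner, repo, alert_id, per_page=100):
    """Page through the instances endpoint until a short page comes back."""
    found, page = [], 1
    while True:
        batch = http_get(instances_url(owner, repo, alert_id, page, per_page))
        found.extend(batch)
        if len(batch) < per_page:
            return found
        page += 1

def open_by_ref(instances):
    """Map each ref where the alert is still open to its code locations."""
    refs = defaultdict(list)
    for inst in instances:
        if inst.get("state") == "open":
            loc = inst.get("location") or {}
            refs[inst.get("ref")].append(f"{loc.get('path')}:{loc.get('start_line')}")
    return dict(refs)

# Constructed sample instances standing in for API responses (field names are assumptions).
SAMPLE = [
    {"ref": "refs/heads/main", "state": "open", "location": {"path": "src/app.py", "start_line": 12}},
    {"ref": "refs/heads/dev", "state": "fixed", "location": {"path": "src/app.py", "start_line": 12}},
    {"ref": "refs/heads/release-1", "state": "open", "location": {"path": "src/app.py", "start_line": 14}},
]

def sample_get(url):
    """Offline stand-in for github_get(): serves SAMPLE two items per page."""
    page = int(url.rsplit("page=", 1)[1])
    return SAMPLE[(page - 1) * 2: page * 2]

print(open_by_ref(fetch_instances(sample_get, "octo-org", "octo-repo", 7, per_page=2)))
```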

For more information, see the code scanning API reference.