The code scanning API allows users to upload data about static analysis security testing results, or export data about alerts. We are releasing updates to the API including:

  • When uploading a SARIF file, the API returns additional status information, including a pointer to the analyses endpoint for that result.
  • When exporting alerts, the API now includes additional metadata to assist in offline analysis, including the alert's location in the code, its title, description, and full help text.
  • The alerts API also supports optionally exporting alerts in the SARIF format to improve interoperability with SARIF-enabled workflows.
  • A new instances API, GET /code-scanning/alerts/:id/instances, provides information about the instances of an alert across many branches.
  • You can now delete the most recent analysis using DELETE /code-scanning/analyses/:id. This will also remove any net new alerts that were introduced by that analysis.
  • The tool_name property of GET /code-scanning/analyses has been deprecated. Please use the tools object and its respective properties going forward.
  • The instances property of GET /code-scanning/alerts/:id has been deprecated. Please use the new resource GET /code-scanning/alerts/:id/instances going forward.

For more information, see the code scanning API reference.
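As an added example (not code from the changelog or from GitHub), the following Python prepares a SARIF upload body the way the REST API expects it, with the SARIF document gzip-compressed and base64-encoded alongside commit_sha and ref, and then reads the upload id and status URL out of a constructed response. The endpoint path, field names and sample response are assumptions taken from the public API documentation; the SARIF document is constructed for this example, and nothing here makes a network call.

```python
import base64
import gzip
import json

# Minimal SARIF 2.1.0 document, constructed for this example.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Hard-coded secret"}}]}},
        "results": [{
            "ruleId": "EX001",
            "message": {"text": "Possible hard-coded credential"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/config.py"},
                "region": {"startLine": 12}}}],
        }],
    }],
}


def encode_sarif(sarif: dict) -> str:
    """gzip-compress and base64-encode a SARIF document, as the upload endpoint requires."""
    raw = json.dumps(sarif, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_sarif(blob: str) -> dict:
    """Inverse of encode_sarif; used here to verify the round trip before sending."""
    return json.loads(gzip.decompress(base64.b64decode(blob)).decode("utf-8"))


def build_upload_request(owner: str, repo: str, commit_sha: str, ref: str, sarif: dict):
    """Return (method, path, body) for the SARIF upload; path assumed from the API docs."""
    if not ref.startswith("refs/"):
        raise ValueError("ref must be a fully qualified git ref such as refs/heads/main")
    if len(commit_sha) != 40:
        raise ValueError("commit_sha must be a full 40-character SHA")
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif)}
    return "POST", f"/repos/{owner}/{repo}/code-scanning/sarifs", body


def parse_upload_response(response: dict) -> tuple:
    """Pull the upload id and the URL for checking the upload's status out of the response JSON."""
    return response["id"], response["url"]
```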