Code scanning flags up potential security vulnerabilities in pull requests — well before code is merged and deployed. Starting today, such alerts will be more visible: they will appear as a review on the pull request Conversation tab. As with any review, developers can then have a conversation about specific areas of the code that was changed.
And of course, from the code review by the GitHub code scanning bot, you can dive deeper into the alert: view the details, check the data flow paths, and dismiss an alert.
Users were already able to configure code scanning as a required check in the branch protection settings in a repository.
With the new code scanning functionality, developers can start a conversation about code scanning alerts. Branch protection rules that require all conversations to be resolved before a PR can be merged apply equally to conversations about code scanning alerts: as soon as a code reviewer comments on a code scanning alert, the PR can not be merged until the conversation is marked as resolved. This helps ensure comments made on alerts are addressed prior to merging.
As you'd expect, when an alert is fixed, the conversation around the alert gets resolved and the PR can be merged.
Learn more about GitHub Advanced Security and code scanning.
You can now sign up to be sponsored via GitHub Sponsors if you have a bank account and tax residence in Brazil. Read about the rollout on our blog and stay tuned for more news on expansion.
As always, you can sponsor projects from wherever GitHub does business and join the Sponsors waitlist if we’re not yet in your region.
Users can now add a comment when dismissing a code scanning alert.
It is optional to provide a dismissal comment. Dismissal comments are recorded in the alert timeline. They can also be set via the code scanning REST API when updating an alert, and retrieved through the new dismissed_comment attribute.
This feature is now available to all users on GitHub.com and will be released in GHES 3.6.