Github API

Getting access, Developing, Testing

Back to Github

Upload an analysis as SARIF data

Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the security_events scope to use this endpoint for private repositories. You can also use tokens with the public_repo scope for public repositories only. GitHub Apps must have the security_events write permission to use this endpoint.

There are two places where you can upload code scanning results.

You must compress the SARIF-formatted analysis data that you want to upload, using gzip, and then encode it as a Base64 format string. For example:

gzip -c analysis-data.sarif | base64 -w0

SARIF upload supports a maximum number of entries per the following data objects, and an analysis will be rejected if any of these objects is above its maximum value. For some objects, there are additional values over which the entries will be ignored while keeping the most important entries whenever applicable. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration. For example, for the CodeQL tool, identify and remove the most noisy queries.

| SARIF data | Maximum values | Additional limits | |----------------------------------|:------------------:|----------------------------------------------------------------------------------| | Runs per file | 20 | | | Results per run | 25,000 | Only the top 5,000 results will be included, prioritized by severity. | | Rules per run | 25,000 | | | Tool extensions per run | 100 | | | Thread Flow Locations per result | 10,000 | Only the top 1,000 Thread Flow Locations will be included, using prioritization. | | Location per result | 1,000 | Only 100 locations will be included. | | Tags per rule | 20 | Only 10 tags will be included. |

The 202 Accepted response includes an id value. You can use this ID to check the status of the upload by using it in the /sarifs/{sarif_id} endpoint. For more information, see "Get information about a SARIF upload."

Input

type: object properties: parameters: type: object properties: owner: type: string description: The account owner of the repository. The name is not case sensitive. repo: type: string description: The name of the repository. The name is not case sensitive. required: - owner - repo title: Parameters data: type: object properties: commit_sha: description: The SHA of the commit to which the analysis you are uploading relates. type: string minLength: 40 maxLength: 40 pattern: ^[0-9a-fA-F]+$ ref: type: string description: |- The full Git reference, formatted as `refs/heads/<branch name>`, `refs/pull/<number>/merge`, or `refs/pull/<number>/head`. sarif: description: >- A Base64 string representing the SARIF file to upload. You must first compress your SARIF file using [`gzip`](http://www.gnu.org/software/gzip/manual/gzip.html) and then translate the contents of the file into a Base64 encoding string. For more information, see "[SARIF support for code scanning](https://docs.github.com/code-security/secure-coding/sarif-support-for-code-scanning)." type: string checkout_uri: description: >- The base directory used in the analysis, as it appears in the SARIF file. This property is used to convert file paths from absolute to relative, so that alerts can be mapped to their correct location in the repository. example: file:///github/workspace/ type: string format: uri started_at: description: >- The time that the analysis run began. This is a timestamp in [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) format: `YYYY-MM-DDTHH:MM:SSZ`. format: date-time type: string tool_name: description: >- The name of the tool used to generate the code scanning analysis. If this parameter is not used, the tool name defaults to "API". If the uploaded SARIF contains a tool GUID, this will be available for filtering using the `tool_guid` parameter of operations such as `GET /repos/{owner}/{repo}/code-scanning/alerts`. type: string validate: description: >- Whether the SARIF file will be validated according to the code scanning specifications. This parameter is intended to help integrators ensure that the uploaded SARIF files are correctly rendered by code scanning. type: boolean title: Data

Output

type: object properties: id: type: string description: An identifier for the upload. example: 6c81cd8e-b078-4ac3-a3be-1dad7dbd0b53 url: type: string description: The REST API URL for checking the status of the upload. format: uri readOnly: true