# OpenAPI 3.1 description of GitHub's repository code scanning REST endpoints.
openapi: 3.1.0
info:
# Version of this description document. The API version is chosen per request
# through the X-GitHub-Api-Version header declared on each operation.
version: 1.1.4
title: github-repos-api
description: |-
Use the REST API to create, manage and control the workflow of public and
private GitHub repositories.
license:
name: MIT
url: https://spdx.org/licenses/MIT
termsOfService: https://docs.github.com/articles/github-terms-of-service
contact:
name: Support
url: https://support.github.com/contact
# The base URL is assembled from two server variables, so the same description
# can target api.github.com or a self-hosted Enterprise Server.
# NOTE(review): neither variable declares an `enum`, so nothing in this file
# limits `protocol` to https or `hostname` to a known host. Every operation
# visible here requires a bearer credential; a client that fills these
# variables from untrusted configuration could send that credential over
# plain http or to an unintended host. Consider pinning `protocol` with an
# `enum` that only lists https where http is not needed.
servers:
- url: '{protocol}://{hostname}'
variables:
hostname:
description: Self-hosted Enterprise Server hostname
default: api.github.com
protocol:
description: Self-hosted Enterprise Server protocol
default: https
# NOTE(review): `[email protected]` is not a valid docs path segment. It looks
# like an e-mail-obfuscation filter rewrote an `enterprise-server@<version>`
# segment; the same damage appears in every operation-level docs URL in this
# file. Restore the links from the upstream description before relying on them.
externalDocs:
description: GitHub Enterprise Developer Docs
url: https://docs.github.com/[email protected]/rest/
# Tag catalogue for grouping operations; the names are the ones used in each
# operation's own `tags` list. Only `Repositories` carries a description.
tags:
- name: About
- name: Alerts
- name: Analysis
- name: Code
- name: Configuration
- name: Data
- name: Delete
- name: Get
- name: Information
- name: Instances
- name: Lists
- name: Repositories
description: Source control repositories.
- name: Scanning
- name: Setup
- name: Static Analysis Results Interchange Format
- name: Update
- name: Upload
paths:
/repos/{owner}/{repo}/code-scanning/alerts:
get:
summary: GitHub List Code Scanning Alerts for Repository
description: |-
Lists code scanning alerts. The response includes a `most_recent_instance` object.
tags:
- Code
- Lists
- Repositories
- Scanning
operationId: listCodeScanningAlertsForRepository
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#list-code-scanning-alerts-for-a-repository
# Path, paging and filter parameters. The `$ref` targets live under
# `components`, which is not part of this excerpt.
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/tool-name'
- $ref: '#/components/parameters/tool-guid'
- $ref: '#/components/parameters/page'
- $ref: '#/components/parameters/per-page'
- $ref: '#/components/parameters/git-ref'
- $ref: '#/components/parameters/direction'
- name: sort
description: The property by which to sort the results.
in: query
required: false
schema:
type: string
enum:
- created
- updated
default: created
example: created
- name: state
description: |-
If specified, only code scanning alerts with this state will be returned.
in: query
required: false
schema:
$ref: '#/components/schemas/code-scanning-alert-state-query'
example: open
# NOTE(review): `example_value` is a generator placeholder and presumably not
# a value the referenced severity schema accepts; confirm and replace it.
- name: severity
description: |-
If specified, only code scanning alerts with this severity will be returned.
in: query
required: false
schema:
$ref: '#/components/schemas/code-scanning-alert-severity'
example: example_value
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns an array of alert items; 304, 403, 404 and 503 reuse shared
# response definitions from `components/responses`.
responses:
'200':
description: Response
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/code-scanning-alert-items'
examples:
default:
$ref: '#/components/examples/code-scanning-alert-items'
'304':
$ref: '#/components/responses/not_modified'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: code-scanning
subcategory: code-scanning
x-api-evangelist-certified: '2025-07-16'
x-api-naftiko-published: '2025-07-25'
# Requires the bearerHttpAuthentication scheme (its definition is not in this
# excerpt). NOTE(review): unlike the sibling operations, this operation's
# description does not say which token scopes are needed; confirm and
# document them so callers can request the narrowest scope.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}:
get:
summary: GitHub Get Code Scanning Alert
description: |-
Gets a single code scanning alert.
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
tags:
- Alerts
- Code
- Get
- Scanning
operationId: getCodeScanningAlert
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#get-a-code-scanning-alert
# Three path parameters identify the alert; their definitions are under
# `components/parameters`, outside this excerpt.
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/alert-number'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns a single alert object; the other statuses reuse shared
# response definitions.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-alert'
examples:
default:
$ref: '#/components/examples/code-scanning-alert'
'304':
$ref: '#/components/responses/not_modified'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes:
# `security_events`, or `public_repo` when only public repositories are
# involved. Issue the narrower scope where it is sufficient.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
patch:
summary: GitHub Update Code Scanning Alert
description: |-
Updates the status of a single code scanning alert.
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
operationId: updateCodeScanningAlert
tags:
- Alerts
- Code
- Scanning
- Update
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#update-a-code-scanning-alert
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/alert-number'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# Body carries the new alert state. Only `state` is required by this schema;
# `dismissed_reason` and `dismissed_comment` are optional here.
# NOTE(review): the example dismisses an alert, which changes the status of a
# security finding. Confirm whether the referenced schemas require a reason
# when `state` is `dismissed`, so that dismissals stay reviewable.
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
state:
$ref: '#/components/schemas/code-scanning-alert-set-state'
dismissed_reason:
$ref: '#/components/schemas/code-scanning-alert-dismissed-reason'
dismissed_comment:
$ref: '#/components/schemas/code-scanning-alert-dismissed-comment'
required:
- state
examples:
default:
value:
state: dismissed
dismissed_reason: false positive
dismissed_comment: |-
This alert is not actually correct, because there's a sanitizer included in the library.
# 200 returns the updated alert. 403 uses the write variant of the shared
# forbidden response, where the read operations use the read variant.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-alert'
examples:
default:
$ref: '#/components/examples/code-scanning-alert-dismissed'
'403':
$ref: '#/components/responses/code_scanning_forbidden_write'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
enabledForGitHubApps: true
githubCloudOnly: false
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes:
# `security_events`, or `public_repo` when only public repositories are
# involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/code-scanning/alerts/{alert_number}/instances:
get:
summary: GitHub List Instances of Code Scanning Alert
description: |-
Lists all instances of the specified code scanning alert.
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
tags:
- Alerts
- Code
- Instances
- Lists
- Scanning
operationId: listInstancesOfCodeScanningAlert
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#list-instances-of-a-code-scanning-alert
# Path parameters select the alert; `page`, `per-page` and `git-ref` narrow
# the listing. All are defined under `components/parameters`, outside this
# excerpt.
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/alert-number'
- $ref: '#/components/parameters/page'
- $ref: '#/components/parameters/per-page'
- $ref: '#/components/parameters/git-ref'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns an array of alert instances; no 304 is declared for this
# operation, unlike the alert list and single-alert reads.
responses:
'200':
description: Response
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/code-scanning-alert-instance'
examples:
default:
$ref: '#/components/examples/code-scanning-alert-instances'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes:
# `security_events`, or `public_repo` when only public repositories are
# involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/code-scanning/analyses:
get:
summary: GitHub List Code Scanning Analyses for Repository
description: |-
Lists the details of all code scanning analyses for a repository,
starting with the most recent.
The response is paginated and you can use the `page` and `per_page` parameters
to list the analyses you're interested in.
By default 30 analyses are listed per page.
The `rules_count` field in the response gives the number of rules
that were run in the analysis.
For very old analyses this data is not available,
and `0` is returned in this field.
**Deprecation notice**:
The `tool_name` field is deprecated and will, in future, not be included in the response for this endpoint. The example response reflects this change. The tool name can now be found inside the `tool` field.
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
operationId: listCodeScanningAnalysesForRepository
tags:
- Analysis
- Code
- Lists
- Repositories
- Scanning
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#list-code-scanning-analyses-for-a-repository
# Shared parameters come from `components/parameters`; `ref`, `sarif_id` and
# `sort` are declared inline for this operation.
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/tool-name'
- $ref: '#/components/parameters/tool-guid'
- $ref: '#/components/parameters/page'
- $ref: '#/components/parameters/per-page'
- name: ref
in: query
description: |-
The Git reference for the analyses you want to list. The `ref` for a branch can be formatted either as `refs/heads/<branch name>` or simply `<branch name>`. To reference a pull request use `refs/pull/<number>/merge`.
required: false
schema:
$ref: '#/components/schemas/code-scanning-ref'
example: main
# The example is quoted so that it stays a string rather than an integer.
- name: sarif_id
in: query
description: Filter analyses belonging to the same SARIF upload.
required: false
schema:
$ref: '#/components/schemas/code-scanning-analysis-sarif-id'
example: '12345678'
- $ref: '#/components/parameters/direction'
# `created` is the only sort key this operation accepts.
- name: sort
description: The property by which to sort the results.
in: query
required: false
schema:
type: string
enum:
- created
default: created
example: created
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns an array of analysis summaries; the error statuses reuse shared
# response definitions.
responses:
'200':
description: Response
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/code-scanning-analysis'
examples:
default:
$ref: '#/components/examples/code-scanning-analysis-items'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
enabledForGitHubApps: true
githubCloudOnly: false
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes:
# `security_events`, or `public_repo` when only public repositories are
# involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/code-scanning/analyses/{analysis_id}:
get:
summary: GitHub Get Code Scanning Analysis for Repository
description: |-
Gets a specified code scanning analysis for a repository.
The default JSON response contains fields that describe the analysis.
This includes the Git reference and commit SHA to which the analysis relates,
the datetime of the analysis, the name of the code scanning tool,
and the number of alerts.
The `rules_count` field in the default response gives the number of rules
that were run in the analysis.
For very old analyses this data is not available,
and `0` is returned in this field.
This endpoint supports the following custom media types. For more information, see "[Media types](https://docs.github.com/[email protected]/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types)."
- **`application/sarif+json`**: Instead of returning a summary of the analysis, this endpoint returns a subset of the analysis data that was uploaded. The data is formatted as [SARIF version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html). It also returns additional data such as the `github/alertNumber` and `github/alertUrl` properties.
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
operationId: getCodeScanningAnalysisForRepository
tags:
- Analysis
- Code
- Get
- Repositories
- Scanning
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#get-a-code-scanning-analysis-for-a-repository
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
# Integer path parameter; the description says the ID comes from the
# list-analyses operation.
- name: analysis_id
in: path
description: |-
The ID of the analysis, as returned from the `GET /repos/{owner}/{repo}/code-scanning/analyses` operation.
required: true
schema:
type: integer
example: 42
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept, so the SARIF media type that the operation
# description says callers can request is not expressible through the Accept
# parameter below. The credential is declared by `security`; keep real
# tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 is declared with two representations: the JSON summary and the SARIF
# payload.
# NOTE(review): the second content key is `application/json+sarif`, while
# the operation description documents the media type as
# `application/sarif+json`. Confirm which one the server sends; a client
# that matches on the content key may otherwise skip the SARIF branch.
# The SARIF schema is an open object (`additionalProperties: true`), so this
# description gives generated clients no structural validation of that
# payload.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-analysis'
examples:
response:
$ref: '#/components/examples/code-scanning-analysis-default'
application/json+sarif:
schema:
type: object
additionalProperties: true
examples:
response:
$ref: '#/components/examples/code-scanning-analysis-sarif'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
enabledForGitHubApps: true
githubCloudOnly: false
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes:
# `security_events`, or `public_repo` when only public repositories are
# involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
delete:
summary: GitHub Delete Code Scanning Analysis from Repository
description: |-
Deletes a specified code scanning analysis from a repository.
You can delete one analysis at a time.
To delete a series of analyses, start with the most recent analysis and work backwards.
Conceptually, the process is similar to the undo function in a text editor.
When you list the analyses for a repository,
one or more will be identified as deletable in the response:
```
"deletable": true
```
An analysis is deletable when it's the most recent in a set of analyses.
Typically, a repository will have multiple sets of analyses
for each enabled code scanning tool,
where a set is determined by a unique combination of analysis values:
* `ref`
* `tool`
* `category`
If you attempt to delete an analysis that is not the most recent in a set,
you'll get a 400 response with the message:
```
Analysis specified is not deletable.
```
The response from a successful `DELETE` operation provides you with
two alternative URLs for deleting the next analysis in the set:
`next_analysis_url` and `confirm_delete_url`.
Use the `next_analysis_url` URL if you want to avoid accidentally deleting the final analysis
in a set. This is a useful option if you want to preserve at least one analysis
for the specified tool in your repository.
Use the `confirm_delete_url` URL if you are content to remove all analyses for a tool.
When you delete the last analysis in a set, the value of `next_analysis_url` and `confirm_delete_url`
in the 200 response is `null`.
As an example of the deletion process,
let's imagine that you added a workflow that configured a particular code scanning tool
to analyze the code in a repository. This tool has added 15 analyses:
10 on the default branch, and another 5 on a topic branch.
You therefore have two separate sets of analyses for this tool.
You've now decided that you want to remove all of the analyses for the tool.
To do this you must make 15 separate deletion requests.
To start, you must find an analysis that's identified as deletable.
Each set of analyses always has one that's identified as deletable.
Having found the deletable analysis for one of the two sets,
delete this analysis and then continue deleting the next analysis in the set until they're all deleted.
Then repeat the process for the second set.
The procedure therefore consists of a nested loop:
**Outer loop**:
* List the analyses for the repository, filtered by tool.
* Parse this list to find a deletable analysis. If found:
**Inner loop**:
* Delete the identified analysis.
* Parse the response for the value of `confirm_delete_url` and, if found, use this in the next iteration.
The above process assumes that you want to remove all trace of the tool's analyses from the GitHub user interface, for the specified repository, and it therefore uses the `confirm_delete_url` value. Alternatively, you could use the `next_analysis_url` value, which would leave the last analysis in each set undeleted to avoid removing a tool's analysis entirely.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
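operationId: deleteCodeScanningAnalysisFromRepository
tags:
- Analysis
- Code
- Delete
- Repositories
- Scanning
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#delete-a-code-scanning-analysis-from-a-repository
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
# Integer path parameter; the description says the ID comes from the
# list-analyses operation.
- name: analysis_id
in: path
description: |-
The ID of the analysis, as returned from the `GET /repos/{owner}/{repo}/code-scanning/analyses` operation.
required: true
schema:
type: integer
example: 42
# Safety switch for removing the last analysis in a set: without it the API
# answers 400 rather than deleting. The example uses `true`, the only value
# the description names, and is quoted because the schema type is string.
# Send it only after an explicit decision, since the 400 message warns that
# historical alert data may be lost.
- name: confirm_delete
in: query
description: |-
Allow deletion if the specified analysis is the last in a set. If you attempt to delete the final analysis in a set without setting this parameter to `true`, you'll get a 400 response with the message: `Analysis is last of its type and deletion may result in the loss of historical alert data. Please specify confirm_delete.`
required: false
schema:
type: string
example: 'true'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns the deletion result; 400 covers the two refusals that the
# description documents (analysis not deletable, or last of its type without
# confirm_delete). 403 uses the write variant of the shared forbidden
# response.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-analysis-deletion'
examples:
default-response:
$ref: '#/components/examples/code-scanning-analysis-deletion'
'400':
$ref: '#/components/responses/bad_request'
'403':
$ref: '#/components/responses/code_scanning_forbidden_write'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
enabledForGitHubApps: true
githubCloudOnly: false
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes for this
# destructive call: `repo`, or `public_repo` when only public repositories
# are involved. That is a different scope from the `security_events` scope
# the read operations name.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK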
/repos/{owner}/{repo}/code-scanning/default-setup:
get:
summary: GitHub Get Code Scanning Default Setup Configuration
description: |-
Gets a code scanning default setup configuration.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
tags:
- Code
- Configuration
- Get
- Scanning
- Setup
operationId: getCodeScanningDefaultSetupConfiguration
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#get-a-code-scanning-default-setup-configuration
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# 200 returns the default-setup configuration object; the error statuses
# reuse shared response definitions.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-default-setup'
examples:
default:
$ref: '#/components/examples/code-scanning-default-setup'
'403':
$ref: '#/components/responses/code_scanning_forbidden_read'
'404':
$ref: '#/components/responses/not_found'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes: `repo`,
# or `public_repo` when only public repositories are involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
patch:
summary: GitHub Update Code Scanning Default Setup Configuration
description: |-
Updates a code scanning default setup configuration.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint with private or public repositories, or the `public_repo` scope to use this endpoint with only public repositories.
tags:
- Code
- Configuration
- Scanning
- Setup
- Update
operationId: updateCodeScanningDefaultSetupConfiguration
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/code-scanning/code-scanning#update-a-code-scanning-default-setup-configuration
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
# NOTE(review): OpenAPI 3.x tells tooling to ignore header parameters named
# Authorization or Accept. The credential for this operation is declared by
# `security` below; keep real tokens out of `example`.
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
# Body is required; its shape is defined by the referenced update schema,
# which is outside this excerpt.
# NOTE(review): this call changes how a repository is scanned. Confirm
# whether the update schema lets a caller turn scanning off, and if so treat
# this operation as security-sensitive in access reviews and audit logging.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/code-scanning-default-setup-update'
examples:
default:
$ref: '#/components/examples/code-scanning-default-setup-update'
# Two success shapes: 200 with an empty object and 202 with an update
# response. 409 is declared only on this operation among those visible here.
# The two `$ref` values under 202 are written as `|-` block scalars; the
# `#/components/...` lines that follow them are the reference strings, not
# comments.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/empty-object'
examples:
default:
value: {}
'202':
description: Response
content:
application/json:
schema:
$ref: |-
#/components/schemas/code-scanning-default-setup-update-response
examples:
default:
$ref: |-
#/components/examples/code-scanning-default-setup-update-response
'403':
$ref: '#/components/responses/code_scanning_forbidden_write'
'404':
$ref: '#/components/responses/not_found'
'409':
$ref: '#/components/responses/code_scanning_conflict'
'503':
$ref: '#/components/responses/service_unavailable'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: code-scanning
subcategory: code-scanning
# Bearer token required. The operation description names the scopes: `repo`,
# or `public_repo` when only public repositories are involved.
security:
- bearerHttpAuthentication: []
# Microcks mock settings: no added delay, FALLBACK dispatcher.
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/code-scanning/sarifs:
post:
summary: GitHub Upload an Analysis as Sarif Data
description: |-
Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. For troubleshooting information, see "[Troubleshooting SARIF uploads](https://docs.github.com/[email protected]/code-security/code-scanning/troubleshooting-sarif)."
There are two places where you can upload code scanning results.
- If you upload to a pull request, for example `--ref refs/pull/42/merge` or `--ref refs/pull/42/head`, then the results appear as alerts in a pull request check. For more information, see "[Triaging code scanning alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
- If you upload to a branch, for example `--ref refs/heads/my-branch`, then the results appear in the **Security** tab for your repository. For more information, see "[Managing code scanning alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
You must compress the SARIF-formatted analysis data that you want to upload, using `gzip`, and then encode it as a Base64 format string. For example:
```
gzip -c analysis-data.sarif | base64 -w0
```
SARIF upload supports a maximum number of entries per the following data obje
# --- truncated at 32 KB (87 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/github/refs/heads/main/openapi/github-repo-code-scanning-api-openapi.yml