
GitHub Code Scanning Alerts: Review your security vulnerabilities


Thomas Olivier

Product Marketing Manager


  • SonarCloud
Image of GitHub Code Scanning false positives, unit tests and fixes with SonarCloud.

Today, for GitHub repositories, our SAST analysis provides fast, precise security feedback directly inside your pull requests. 


You instantly know how many vulnerabilities were detected but, until now, you always had to switch to SonarCloud to start investigating them. 


Not anymore. 


From this point forward, developers can review the list of vulnerabilities from GitHub’s interface, thanks to code scanning.


We’re happy to announce that SonarCloud now integrates with GitHub code scanning.


It’s available to everyone with a GitHub repository - private or public - independently of your SonarCloud plan. 


If the feature is enabled for your repository on GitHub and your organization admin has already accepted the updated SonarCloud app permissions, you’re all set! 


You should be able to start using the feature during your next code review. 

GitHub Code Scanning Introduction


As GitHub describes it, code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.


SonarCloud integration with GitHub code scanning


GitHub code scanning helps you review and prioritize vulnerabilities during your code review process, in your development workflow. 


You no longer have to switch context for every review. How convenient!


GitHub code scanning is free for public repositories; for private repositories it is a paid option, part of GitHub's Advanced Security package.

The feature is also available in GitHub Enterprise.


To access the code scanning alerts, you have two options:

  1. At the repository level, open the ‘Security’ tab and click ‘View alerts’.
  2. In your pull request, open the ‘Checks’ tab, then ‘Code scanning results’, and select ‘SonarCloud’.

3 reasons to start using GitHub code scanning with SonarCloud

1. Easy code security review & prioritization


With GitHub code scanning alerts, we’re making your code security review easier. From now on, in the event of a failed quality gate for instance, you can easily review the full list of security vulnerabilities in the pull request, and start prioritizing your work in GitHub.

2. Fast code security vulnerability investigation


GitHub code scanning, together with SonarCloud analysis, provides everything you need to investigate a vulnerability. 


Directly in GitHub, you can learn why the issue was raised, where it is located and how it flows through your code. 


To help you with that, you’ll find the full rule description along with a relevant example of a compliant implementation.


GitHub Repository with Code Scanning for Vulnerabilities.

3. Instant issue status synchronization


More than just a security review, code scanning also lets you dismiss vulnerabilities that you consider False Positives, or that you Won’t Fix. 


Two clicks are all it takes. 


When you do, SonarCloud will automatically be synchronized and your PR decoration refreshed instantly. 


In the same way, if you update a vulnerability status in SonarCloud, GitHub code scanning will be updated to reflect the latest changes. 


Whichever side you update, the two environments always stay aligned.
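The two places the post points you to (the ‘Security’ tab and the ‘Code scanning results’ check) are views over GitHub's code scanning alerts API, and the two-click dismissal is a status update on the same alert objects. The script below is an added example, not SonarCloud's or GitHub's own code: it shows the shape of the data you are reviewing and how a dismissal is expressed, so you can triage a pull request's SonarCloud alerts from a script as well as from the UI. The endpoints, query parameters and field names are GitHub's documented code scanning REST API; the alert list is constructed sample data, the rule ids and file paths are illustrative, and the tool name "SonarCloud" is assumed to be the name under which the app reports its results.

```python
"""Triage SonarCloud alerts in GitHub code scanning (added example; constructed sample data)."""
from urllib.parse import urlencode

GITHUB_API = "https://api.github.com"

# Ranking for rule.severity as returned by the code scanning API (most severe first).
SEVERITY_RANK = {"error": 0, "warning": 1, "note": 2, "none": 3}

# dismissed_reason values accepted by PATCH .../code-scanning/alerts/{number}.
# The post describes the first two, which map to SonarCloud's False Positive and Won't Fix
# statuses; "used in tests" exists on the GitHub side but its mapping is not covered by the post.
DISMISS_REASONS = {"false positive", "won't fix", "used in tests"}

# Constructed sample of what GET /repos/{owner}/{repo}/code-scanning/alerts returns.
# Only the fields this script reads are included; rule ids and paths are illustrative.
SAMPLE_ALERTS = [
    {"number": 7, "state": "open", "html_url": "https://github.com/acme/shop/security/code-scanning/7",
     "rule": {"id": "java:S3649", "severity": "error"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"ref": "refs/pull/42/merge",
                              "location": {"path": "src/main/java/Orders.java", "start_line": 42}}},
    {"number": 12, "state": "open", "html_url": "https://github.com/acme/shop/security/code-scanning/12",
     "rule": {"id": "java:S2245", "severity": "note"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"ref": "refs/pull/42/merge",
                              "location": {"path": "src/main/java/Tokens.java", "start_line": 17}}},
    {"number": 9, "state": "open", "html_url": "https://github.com/acme/shop/security/code-scanning/9",
     "rule": {"id": "java:S5131", "severity": "warning"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"ref": "refs/pull/42/merge",
                              "location": {"path": "src/main/java/Search.java", "start_line": 88}}},
    # Already dismissed in the UI: excluded from the open list.
    {"number": 3, "state": "dismissed", "dismissed_reason": "won't fix",
     "html_url": "https://github.com/acme/shop/security/code-scanning/3",
     "rule": {"id": "java:S2077", "severity": "warning"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "src/main/java/Legacy.java", "start_line": 5}}},
    # Raised by another tool: excluded by the tool filter.
    {"number": 5, "state": "open", "html_url": "https://github.com/acme/shop/security/code-scanning/5",
     "rule": {"id": "js/example-rule", "severity": "error"},
     "tool": {"name": "OtherScanner"},
     "most_recent_instance": {"ref": "refs/pull/42/merge",
                              "location": {"path": "web/app.js", "start_line": 1}}},
]


def alerts_url(owner, repo, tool_name="SonarCloud", state="open", ref=None):
    """URL of the list endpoint, narrowed to one tool and one alert state.

    Pass ref="refs/pull/<n>/merge" to get the alerts GitHub shows under the
    pull request's 'Code scanning results' check rather than the whole repository.
    """
    params = {"tool_name": tool_name, "state": state, "per_page": 100}
    if ref:
        params["ref"] = ref
    return f"{GITHUB_API}/repos/{owner}/{repo}/code-scanning/alerts?{urlencode(params)}"


def triage(alerts, tool_name="SonarCloud"):
    """Open alerts from one tool, most severe first, each with its location and link."""
    rows = []
    for alert in alerts:
        if alert["tool"]["name"] != tool_name or alert["state"] != "open":
            continue
        loc = alert["most_recent_instance"]["location"]
        rows.append({
            "number": alert["number"],
            "rule": alert["rule"]["id"],
            "severity": alert["rule"]["severity"],
            "path": loc["path"],
            "line": loc["start_line"],
            "url": alert["html_url"],
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["path"], r["line"]))
    return rows


def dismissal_payload(reason, comment=""):
    """Body for PATCH .../code-scanning/alerts/{number} that dismisses an alert.

    Once GitHub records the dismissal, the post says SonarCloud picks up the matching
    status and refreshes the PR decoration; a comment keeps the justification auditable.
    """
    if reason not in DISMISS_REASONS:
        raise ValueError(f"unsupported dismissed_reason: {reason!r}")
    body = {"state": "dismissed", "dismissed_reason": reason}
    if comment:
        body["dismissed_comment"] = comment
    return body


if __name__ == "__main__":
    print(alerts_url("acme", "shop", ref="refs/pull/42/merge"))
    for row in triage(SAMPLE_ALERTS):
        print(f"#{row['number']:<4} {row['severity']:<8} {row['rule']:<14} {row['path']}:{row['line']}")
    print(dismissal_payload("false positive", "input is validated two frames up"))
```

To run it against a real repository, fetch `alerts_url(...)` with a token that has code scanning read access and feed the JSON array to `triage`; send `dismissal_payload(...)` with PATCH to the alert's `url` to dismiss it. The sort puts `error`-severity alerts first so the list reads in the order you would prioritize them during review.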

Better code scanning security oversight


Give it a try during your next code review, and share your experience in our community forum.


With GitHub code scanning and SonarCloud static analysis, you have all you need to catch security vulnerabilities before they make their way to production! 


For more information, please check our documentation for GitHub code scanning alerts.