POST /repos/{owner}/{repo}/code-scanning/sarifs

Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. For troubleshooting information, see "Troubleshooting SARIF uploads."

There are two places where you can upload code scanning results.

If you upload to a pull request, for example --ref refs/pull/42/merge or --ref refs/pull/42/head, then the results appear as alerts in a pull request check. For more information, see "Triaging code scanning alerts in pull requests."
If you upload to a branch, for example --ref refs/heads/my-branch, then the results appear in the Security tab for your repository. For more information, see "Managing code scanning alerts for your repository."

You must compress the SARIF-formatted analysis data that you want to upload, using gzip, and then encode it as a Base64 format string. For example:

gzip -c analysis-data.sarif | base64 -w0

SARIF upload supports a maximum number of entries per the following data objects, and an analysis will be rejected if any of these objects is above its maximum value. For some objects, there are additional values over which the entries will be ignored while keeping the most important entries whenever applicable. To get the most out of your analysis when it includes data above the supported limits, try to optimize the analysis configuration. For example, for the CodeQL tool, identify and remove the most noisy queries. For more information, see "SARIF results exceed one or more limits."

SARIF data	Maximum values	Additional limits
Runs per file	20
Results per run	25,000	Only the top 5,000 results will be included, prioritized by severity.
Rules per run	25,000
Tool extensions per run	100
Thread Flow Locations per result	10,000	Only the top 1,000 Thread Flow Locations will be included, using prioritization.
Location per result	1,000	Only 100 locations will be included.
Tags per rule	20	Only 10 tags will be included.

The 202 Accepted response includes an id value. You can use this ID to check the status of the upload by using it in the /sarifs/{sarif_id} endpoint. For more information, see "Get information about a SARIF upload."

OAuth app tokens and personal access tokens (classic) need the security_events scope to use this endpoint with private or public repositories, or the public_repo scope to use this endpoint with only public repositories.

This endpoint is limited to 1,000 requests per hour for each user or app installation calling it.

Servers

https://api.github.com

Path parameters

Name	Type	Required	Description
`repo`	String	Yes	The name of the repository without the `.git` extension. The name is not case sensitive.
`owner`	String	Yes	The account owner of the repository. The name is not case sensitive.

Request headers

Name	Type	Required	Description
`Content-Type`	String	Yes	The media type of the request body. Default value: "application/json"

Request body fields

Name	Type	Required	Description
`validate`	Boolean	No	Whether the SARIF file will be validated according to the code scanning specifications. This parameter is intended to help integrators ensure that the uploaded SARIF files are correctly rendered by code scanning.
`sarif`	String	Yes	A Base64 string representing the SARIF file to upload. You must first compress your SARIF file using `gzip` and then translate the contents of the file into a Base64 encoding string. For more information, see "SARIF support for code scanning."
`tool_name`	String	No	The name of the tool used to generate the code scanning analysis. If this parameter is not used, the tool name defaults to "API". If the uploaded SARIF contains a tool GUID, this will be available for filtering using the `tool_guid` parameter of operations such as `GET /repos/{owner}/{repo}/code-scanning/alerts`.
`ref`	String	Yes	The full Git reference, formatted as `refs/heads/<branch name>`, `refs/tags/<tag>`, `refs/pull/<number>/merge`, or `refs/pull/<number>/head`.
`checkout_uri`	String	No	The base directory used in the analysis, as it appears in the SARIF file. This property is used to convert file paths from absolute to relative, so that alerts can be mapped to their correct location in the repository.
`started_at`	String	No	The time that the analysis run began. This is a timestamp in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`.
`commit_sha`	String	Yes	The SHA of the commit to which the analysis you are uploading relates.

How to start integrating

Add HTTP Task to your workflow definition.
Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
Click Test request to test run your request to the API and see the API's response.