View on GitHub

check-spelling-docs

Documentation for check-spelling

SARIF output

Static Analysis Results Interchange Format (SARIF) is an industry standard enabling tools and development environments to interoperate.

GitHub has SARIF support for code scanning.

When data is published to GitHub in this format, GitHub is supposed to automatically generate shiny annotations.

Sometimes @github-advanced-security will leave a comment on pull requests:

1000002788

Users of Visual Studio Code can install the SARIF Viewer extension to retrieve the reports.

Timeline

Release	Features
v0.0.21	Initial support
v0.0.22	Adjusting sarif.json

Enabling

SARIF support is still very experimental, but the general idea is that you need to give it permissions to write security-events and you need to tell the action to generate them.

Note that you may be able to drop the comment job entirely if you enable SARIF. It's still early, hopefully it'll be clear whether this is in fact correct soon.

jobs:
  spelling:
    permissions:
      # ...
      security-events: write
    # ...
    steps:
    - name: check-spelling
      id: spelling
      uses: check-spelling/check-spelling@main
      with:
        # ...
        use_sarif: 1

Visibility

In general:

Security alerts for a repository are visible to people with write, maintain, or admin access to the repository

See Granting access to security alerts for more information.

This means that if you're a contributor without write access to a repository, you probably won't be able to click the 👼 SARIF report? link.

If you'd like to see a similar report, you should be able to create a pull request in your fork and trigger the same workflow and view the equivalent report there.