GitHub has SARIF support for code scanning.
When data is published to GitHub in this format, GitHub is supposed to automatically generate shiny annotations.
SARIF support is still very experimental, but the general idea is that you need to give the job permission to write `security-events` and you need to tell the action to generate the report.
Note that you may be able to drop the comment job entirely if you enable SARIF. It's still early, hopefully it'll be clear whether this is in fact correct soon.
```yaml
jobs:
  spelling:
    permissions:
      # ...
      security-events: write
      # ...
    steps:
      - name: check-spelling
        id: spelling
        uses: check-spelling/check-spelling@main
        with:
          # ...
          use_sarif: 1
```
Security alerts for a repository are visible to people with write, maintain, or admin access to the repository.
See Granting access to security alerts for more information.
This means that if you're a contributor without write access to a repository, you probably won't be able to click the 👼 SARIF report? link.
If you'd like to see a similar report, you should be able to create a pull request in your fork and trigger the same workflow and view the equivalent report there.
With v0.0.22, there's the ability to add a `sarif.json` file to adjust severities or other fields.
This is experimental (as is SARIF support in general).
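Before handing the generated report to the upload step, it helps to check that it is a SARIF 2.1.0 document with the fields the upload consumes and to see how many results land at each severity. The following is an added example and not part of check-spelling; the SARIF document is constructed, and the `overrides` map is a hypothetical `{ruleId: level}` illustration of adjusting severities, not the `sarif.json` format.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a check-spelling run
# (an illustration only, not real check-spelling output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "check-spelling", "rules": [
            {"id": "unrecognized-spelling", "defaultConfiguration": {"level": "warning"}},
            {"id": "forbidden-pattern", "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            {"ruleId": "unrecognized-spelling", "message": {"text": "`teh` is not a recognized word"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 3}}}]},
            {"ruleId": "unrecognized-spelling", "message": {"text": "`recieve` is not a recognized word"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guide.md"}, "region": {"startLine": 12}}}]},
            {"ruleId": "forbidden-pattern", "message": {"text": "line matches a forbidden pattern"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guide.md"}, "region": {"startLine": 40}}}]},
        ],
    }],
})


def effective_level(result, defaults):
    # SARIF: a result's own "level" wins, then the rule's defaultConfiguration, then "warning".
    return result.get("level") or defaults.get(result.get("ruleId"), "warning")


def summarize_sarif(text, overrides=None):
    # `overrides` is a hypothetical {ruleId: level} map used to show what adjusting
    # severities before upload looks like; it is NOT check-spelling's sarif.json format.
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not doc.get("runs"):
        raise ValueError("not a SARIF 2.1.0 document with at least one run")
    by_level, files = Counter(), set()
    for run in doc["runs"]:
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            raise ValueError("run is missing tool.driver.name")
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in driver.get("rules", [])}
        for res in run.get("results", []):
            missing = [k for k in ("ruleId", "message", "locations") if k not in res]
            if missing:
                raise ValueError(f"result is missing {missing}")
            level = (overrides or {}).get(res["ruleId"]) or effective_level(res, defaults)
            by_level[level] += 1
            files.update(loc["physicalLocation"]["artifactLocation"]["uri"] for loc in res["locations"])
    return {"results": sum(by_level.values()), "by_level": dict(by_level), "files": sorted(files)}
```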
☑ Generate SARIF JSON
☑ Support uploading it using github/codeql-action/upload-sarif@releases/v2
☑ Decide on how to opt-in/opt-out of using this format -- currently
☑ Test in the check-spelling org -- in progress
☑ Trial it in other repositories