Today, for GitHub repositories, our SAST analysis provides fast, precise security feedback directly inside your pull requests.
You instantly know how many vulnerabilities are detected and, until now, you would systematically go to SonarCloud to start investigating.
From this point forward, developers can review the list of vulnerabilities from GitHub’s interface, thanks to code scanning.
We’re happy to announce that SonarCloud integrates with GitHub code scanning!
It’s available to everyone with a GitHub repository, whether private or public, regardless of your SonarCloud plan.
If you have access to the feature on GitHub and your organization admin already accepted the update for the SonarCloud app permissions, you’re all set!
You should be able to start using the feature during your next code review.
As GitHub describes it, code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.
GitHub code scanning helps you review and prioritize vulnerabilities during your code review process, in your development workflow.
You don’t systematically have to switch context for your reviews anymore. How convenient!
GitHub code scanning is free for public projects and available as a paid option for your private repositories with GitHub's Advanced Security package.
The feature is also available in GitHub Enterprise.
To access the code scanning alerts, you have two options:
- At the repository level, click on the ‘Security’ tab, then ‘View alerts’.
- In your pull request, click on the ‘Checks’ tab, then ‘Code scanning results’, then ‘SonarCloud’.
With GitHub code scanning alerts, we’re making your code security review easier. From now on, in the event of a failed quality gate for instance, you can easily review the full list of security vulnerabilities in the pull request, and start prioritizing your work in GitHub.
GitHub code scanning, together with SonarCloud analysis, provides everything you need to investigate a vulnerability.
Directly in GitHub, you can learn why you have an issue, where it’s located and how it flows in your code.
To help you with that, you’ll find the full rule description along with a relevant example of a compliant implementation.
More than just a security review, code scanning will also allow you to dismiss vulnerabilities that you think are False Positives, or something you Won’t Fix.
Two clicks are all it takes.
When you do, SonarCloud will automatically be synchronized and your PR decoration refreshed instantly.
In the same way, if you update a vulnerability status in SonarCloud, GitHub code scanning will be updated to reflect the latest changes.
So whichever side you update the status on, the two environments will always be aligned.
With GitHub code scanning and SonarCloud static analysis, you have all you need to catch security vulnerabilities before they make their way to production!
For more information, please check our documentation for GitHub code scanning alerts.