Domain 4: Configure and use code scanning (15%)
Exam Tip
Know how code scanning integrates with branch protection to block PRs. Also understand SARIF; it's frequently tested as the way to bring third-party SAST results into GitHub.
What is Code Scanning?
Code scanning is a Static Application Security Testing (SAST) feature that analyzes source code to find security vulnerabilities and coding errors.
It integrates natively with GitHub to show vulnerabilities as alerts in the repository and directly in pull requests. Code scanning can be powered by GitHub's CodeQL (covered in Domain 5) or by third-party tools via SARIF.
Code Scanning Alerts
Alert Properties
Each code scanning alert includes:
- Rule ID (e.g., `js/sql-injection`)
- Severity: Critical, High, Medium, Low, Note, Warning
- CWE category (e.g., CWE-89 for SQL Injection)
- Location: File, line number, and code snippet
- Description and recommended remediation
- Path: The data flow from source to sink (for dataflow vulnerabilities)
Alert States
| State | Meaning |
|---|---|
| Open | Active vulnerability, needs fix |
| Fixed | Code was changed and re-scan shows no violation |
| Dismissed (Won't fix) | Accepted risk; not going to fix |
| Dismissed (False positive) | Not actually a vulnerability |
| Dismissed (Used in tests) | Only in test code, not production |
Alert Severity and CVSS
Code scanning alerts use two severity scales:
- Security Severity (CVSS-based): Critical, High, Medium, Low, used for security vulnerabilities
- Alert Severity: Error, Warning, Note, used for code quality issues
SARIF (Static Analysis Results Interchange Format)
SARIF is an open standard (JSON-based) format for representing static analysis results. It allows you to bring results from any SAST tool into GitHub's code scanning interface.
Why SARIF Matters
- You can use CodeQL AND third-party tools (Snyk, Checkmarx, SonarCloud, Semgrep, Veracode)
- All results appear in the unified Security → Code scanning alerts view
- Enables comparison and deduplication across tools
Uploading SARIF Results

```yaml
# Workflow step that sends a SARIF file to code scanning.
# The job needs the `security-events: write` permission for the upload to succeed.
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
    category: my-tool-name # Distinguishes this tool's results
```

Why the category Field Matters
- The `category` field identifies a distinct analysis source within code scanning
- If you upload results from multiple tools, such as CodeQL and Snyk, they must use different category values
- If two uploads reuse the same category for the same commit/ref, the later upload can overwrite the earlier results
Exam Trap
On multi-tool scanning questions, the correct answer is usually: use a different SARIF category for each tool or analysis variant.
SARIF File Requirements
- Must be valid JSON conforming to the SARIF 2.1.0 schema
- Maximum file size: 64 MB (uncompressed)
- Results are retained for 90 days
Partial SARIF Success
- A SARIF upload can be accepted with warnings if only part of the file is malformed
- In that case, GitHub may still ingest the valid portion but drop some results
- The UI typically surfaces this as a warning rather than a total failure
Exam Trap
If the question describes a SARIF upload that "worked but some findings are missing," think partial parsing success or malformed SARIF sections causing dropped results.
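As an added example (not from this study guide and not GitHub's own code), the Python below builds a minimal SARIF 2.1.0 log for a hypothetical tool and applies a small subset of the upload constraints described above: the version, the 64 MB uncompressed limit, and the per-result fields a finding needs, dropping malformed results with a warning rather than rejecting the whole file, in the spirit of the partial-success behaviour. The field checks are an assumed subset of the SARIF 2.1.0 schema, not GitHub's actual validator.

```python
"""Minimal SARIF 2.1.0 builder plus a partial-success style checker.
Added example; the checks are a deliberately small subset of the schema."""
import json

MAX_SARIF_BYTES = 64 * 1024 * 1024  # GitHub's uncompressed upload limit

def finding_to_result(rule_id, level, message, path, line):
    """One SARIF result: rule, level, message, and a physical location."""
    return {
        "ruleId": rule_id,
        "level": level,  # SARIF levels: "error", "warning", "note", "none"
        "message": {"text": message},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line}}}],
    }

def build_sarif(tool_name, findings):
    """Wrap one tool's findings into a single-run SARIF 2.1.0 log."""
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name}},
                  "results": [finding_to_result(*f) for f in findings]}],
    }

def check_sarif(doc):
    """Return (kept_results, warnings). Version and size problems reject
    the whole log; malformed individual results are dropped with a warning."""
    warnings = []
    if doc.get("version") != "2.1.0":
        return [], ["version must be 2.1.0"]
    raw = json.dumps(doc).encode()
    if len(raw) > MAX_SARIF_BYTES:
        return [], [f"file is {len(raw)} bytes, over the 64 MB limit"]
    kept = []
    for run_idx, run in enumerate(doc.get("runs", [])):
        if "name" not in run.get("tool", {}).get("driver", {}):
            warnings.append(f"run {run_idx}: missing tool.driver.name")
            continue  # a run without a tool name cannot be attributed
        for i, res in enumerate(run.get("results", [])):
            missing = [k for k in ("ruleId", "message", "locations") if k not in res]
            if missing:
                warnings.append(f"run {run_idx} result {i}: missing {missing}")
                continue  # drop only this result, keep the rest
            kept.append(res)
    return kept, warnings
```

Feed a real tool's output through `check_sarif` before uploading: a non-empty warnings list is the "upload worked but findings are missing" situation the exam trap describes.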
Key Numbers to Remember
| Detail | Value |
|---|---|
| Maximum uncompressed SARIF upload size | 64 MB |
| Default retention of code scanning analysis results | 90 days |
Code Scanning in Pull Requests
How PR Integration Works
- When a PR is opened targeting a protected branch, the code scanning workflow runs
- New alerts introduced by the PR appear as checks on the PR
- If the check fails: the PR is blocked from merging (when branch protection requires it)
- Alerts are displayed inline at the affected line in the PR diff
Configuring Branch Protection for Code Scanning
In branch protection rules for `main`:
- Require status checks to pass before merging
- Add the scanning check: `CodeQL` (or your third-party tool's check name)
- With this in place, PRs that introduce new code scanning alerts cannot merge
Exam Trap
Code scanning only blocks merges when you configure the check in branch protection rules. Enabling code scanning alone does not block PRs; you must also configure the branch protection rule to require the check.
Domain 4 Quick Quiz
What is SARIF and when is it used with code scanning?