API List code scanning alerts

[aleks-ivanov]

When I make a request to the GitHub API for the list of code scanning alerts, I get max of 30 results.

Is there a way to increase that number ?

[marcogario]

👋

You should be able to add a page query parameter to your request.

In general, the Code Scanning Alerts endpoint is paginated according to Resources in the REST API - GitHub Docs

Let me know if you have additional questions/feedback!

[aleks-ivanov]

Thank you!

Can I use in the url query any JSON properties of the object that a GET request returns or they should be explicitly specified in the API ?

For example when trying to get a list of code scanning alerts and want to filter only the ones with “state”: “open”, I could do:

“https://api.github.com/repos/$OWNER/$PROJECT_NAME/code-scanning/alerts?state=open”

“state” is an actual property of the returned object, with two possible values “open” and “dismissed”.

There are multiple other properties, which I might use, but am not sure if I can use them.

[marcogario]

Can I use in the url query any JSON properties of the object that a GET request returns or they should be explicitly specified in the API ?

Unfortunately not. Filtering by state and ref should be supported.

We have been working on improvements on the API, and will be releasing some updates in the next few weeks. As far as filtering Alerts goes, we are aiming at supporting filtering by tool. Feel free to share what other fields you’d find useful to filter on.

[aleks-ivanov]

I understand, thank you.

I got one more question, regarding the Code Scanning REST API.

For each alert that is generated, there is a full path to the file the alert originates from. When I access the API, that information is not in there.

Where does it come from and is it accessible by users ?

[bogdanap]

Hi @AleksIvanovSinglet!

I’ve replied to your question on the CodeQL-action issue, but to reiterate, we’re planning quite a few improvements to our API in the near future and adding this information to the responses is just one of them.

And since you’ve been keen on testing the current functionality and came up with good questions for us so far, we were wondering if you’d like early access to these new features?
This would mean you’d get more details about the alerts (and a few new endpoints), but it also comes with the disclaimer that it is still work in progress, so bugs and potentially breaking changes can happen 🙂

[aleks-ivanov]

Hi @bogdanap ,

by pure cosmic chance, I read your replies in the same order you read and replied to mine, so the safety of the contextual timeline was preserved! 😃

I am really excited to hear about the improvements and also would love the opportunity for early access! Thank you!

Would it be possible for the early access to be granted on a GitHub Org level, so my three colleagues and I can play with the new toys, together ? :slight_smile:

[bogdanap]

AleksIvanovSinglet:

I am really excited to hear about the improvements and also would love the opportunity for early access! Thank you!

Yay! We’re glad to hear that! I’ll start the process then, and will come back to you with more details in a bit.

AleksIvanovSinglet:

Would it be possible for the early access to be granted on a GitHub Org level, so my three colleagues and I can play with the new toys, together ? :slight_smile:

I will check just to be 100% sure, but I think we can do that. 👍
Is Pipeline Foundation · GitHub the organization?

[aleks-ivanov]

bogdanap:

Is Pipeline Foundation · GitHub the organization?

Yes :slight_smile: (post must be at least 20 characters)

[bogdanap]

Ok, @AleksIvanovSinglet, I have enabled access to the new API features for all repos on Pipeline Foundation · GitHub and aleks-ivanov (Aleksandar Ivanov) · GitHub.

✨ You should now be able to see more details in the responses to the /alerts, /alerts/:number and /analyses endpoints.
✨ The /analyses and /alerts endpoints support pagination, and filtering by tool
✨ We have added a new /analyses/:id endpoint that allows you to fetch info for a single analysis.
✨ There is also some more functionality around uploading SARIF files, but I’m not sure if that’s something you’d be interested in.

💣 One thing to keep in mind is that we’re planning on removing the instances field from the /alerts/:number response and will be moving that info to a separate endpoint (This is still WIP, but it’s good to be aware of, in case you are using it).

⚠️ It’s also important to note that you are in fact receiving confidential information and are bound by our Terms of Service to maintain this confidentiality: GitHub Terms of Service - GitHub Docs

I think that should be it for now. Let us know if you encounter any issues or have any questions. :grinning_face_with_smiling_eyes:
We’re looking forward to hearing your feedback!

[aleks-ivanov]

@bogdanap that’s awesome! :slight_smile:

We’d be sure to get back to you with feedback!