GitHub Code Scanning
GitHub supports uploading SARIF
Code Analysis
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
Dependency Inventory
Package managers such as Maven, Gradle, etc. have the most accurate view of library dependencies. They can be used to resolve the dependencies, generate an SBOM, and scan it using vet for better accuracy. In this guide, we will use the CycloneDX Gradle plugin to generate a software bill of materials (SBOM) and scan it using vet.