GitHub Code Scanning
Integrate vet with GitHub Actions and Code Scanning for automated security alerts
GitHub supports uploading SARIF reports to enable repository and organization-wide visibility of security events across different tools. vet supports exporting policy violation reports as SARIF, which can be uploaded to GitHub.
Quick Setup with GitHub Action
vet has a dedicated GitHub Action for easy integration. This is the recommended approach for most teams.
Basic Configuration
Create .github/workflows/vet.yml in your repository:
SARIF reports only surface as alerts when GitHub Code Scanning is enabled for your repository.
Advanced Configuration
For more control over the scanning process:
Manual SARIF Generation
You can also generate SARIF reports manually using the vet CLI:
vet only includes policy violations in the SARIF report, so a policy must be provided with the --filter or --filter-suite flag during the scan; without one the report contains no results.
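The following workflow is an added example (not the project's own documentation snippet) that covers both the quick-setup and manual paths described above: it installs vet, runs a scan with a policy filter, exports SARIF and uploads it to Code Scanning. The install command, the --report-sarif flag name and the CEL filter expression are assumptions; the upload step uses GitHub's own codeql-action/upload-sarif.

```yaml
# Added example workflow; assumed: `go install github.com/safedep/vet@latest`
# as the install path, `--report-sarif` as the SARIF output flag, and a
# constructed CEL policy filter. Adjust to your release pin and policy.
name: vet-sarif

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # checkout only
  security-events: write  # required to upload SARIF to Code Scanning

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      # Assumed install path; pin a release tag rather than @latest in real use.
      - name: Install vet
        run: go install github.com/safedep/vet@latest

      # A policy is mandatory: without --filter / --filter-suite the SARIF
      # report carries no results, so Code Scanning would show nothing.
      - name: Scan and export policy violations as SARIF
        run: |
          vet scan -D . \
            --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
            --report-sarif vet-report.sarif
        continue-on-error: true   # still upload findings if the scan exits non-zero

      # Upload to the repository's Security tab (Code Scanning alerts).
      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vet-report.sarif
          category: vet
```

The `security-events: write` permission is what allows the upload step to succeed; without it the upload fails even though the scan itself ran.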
Viewing Results
Once the SARIF report is uploaded to GitHub, policy violations appear as Code Scanning alerts in the repository's Security tab. This provides a centralized view of policy violations across different repositories.
Pull Request Integration
The GitHub Action automatically adds comments to pull requests when security issues are found: