Integrate vet with GitHub Actions and Code Scanning for automated security alerts
GitHub supports uploading SARIF reports to enable repository- and organization-wide visibility of security events across different tools. vet supports exporting policy violation reports as SARIF, which can be uploaded to GitHub.
vet has a dedicated GitHub Action for easy integration. This is the recommended approach for most teams.
Create .github/workflows/vet.yml in your repository:
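The workflow below is an added example of the action-based setup, not a file taken from the vet project or its documentation. It assumes the action is published as safedep/vet-action@v1, that it accepts a policy input naming the policy file, and that it exposes the path of the generated SARIF file as the report output; the repository path, branch name and policy location are placeholders to adjust.

```yaml
# .github/workflows/vet.yml (added example; assumes safedep/vet-action@v1
# takes a `policy` input and exposes the SARIF path as `steps.<id>.outputs.report`)
name: vet OSS Components

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  # Required for the SARIF upload to create Code Scanning alerts;
  # a missing security-events permission is the usual cause of a failed upload.
  security-events: write
  # Lets the action comment on pull requests with its findings.
  pull-requests: write
  issues: write

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run vet against the repository
        id: vet
        uses: safedep/vet-action@v1   # assumed action reference
        with:
          # Policy kept in version control so every repository enforces the same rules.
          policy: .github/vet/policy.yml

      - name: Upload SARIF to GitHub Code Scanning
        # Upload even when vet fails the job on a violation, so the
        # Security tab still shows what was found.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}   # assumed output name
          category: vet
```

The upload step runs with if: always() so that a failing vet step (a policy violation) still produces Code Scanning alerts; without it, the run that most needs visibility would be the one with no SARIF uploaded.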
SARIF upload requires GitHub Code Scanning to be enabled for your repository.
For more control over the scanning process:
You can also generate SARIF reports manually using the vet CLI:
vet only includes policy violations in the SARIF report, so a policy must be provided using the --filter or --filter-suite flag during the scan.
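The following workflow is an added example of the manual route (installing the CLI, scanning with a policy filter and uploading the SARIF yourself); it is not a file from the vet project. It assumes vet installs with go install github.com/safedep/vet@latest, that --report-sarif names the SARIF output file, and that --filter-fail makes the scan exit non-zero when the filter matches; the CEL filter shown is one example of a policy, and the suite path is a placeholder.

```yaml
# .github/workflows/vet-manual.yml (added example, not from the vet docs).
# Assumptions: vet installs via `go install github.com/safedep/vet@latest`,
# `--report-sarif <file>` writes the SARIF report, and `--filter-fail` makes
# the scan step fail when the policy filter matches.
name: vet (manual SARIF upload)

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to create alerts

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install vet
        run: go install github.com/safedep/vet@latest

      - name: Scan with a policy
        # A --filter or --filter-suite is mandatory: without one the SARIF
        # report contains no results, because vet only reports violations.
        # This CEL filter flags any package with a critical vulnerability.
        run: |
          vet scan -D . \
            --filter 'vulns.critical.exists(p, true)' \
            --filter-fail \
            --report-sarif vet-report.sarif
        # Alternatively, use a versioned suite of filters (placeholder path):
        #   vet scan -D . --filter-suite .github/vet/policy.yml \
        #     --filter-fail --report-sarif vet-report.sarif

      - name: Upload SARIF
        if: always()   # upload findings even when --filter-fail failed the scan step
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vet-report.sarif
          category: vet
```

When debugging an empty Security tab, run the same vet scan locally with --report-json and confirm the filter actually matches something; an empty SARIF uploads successfully and simply produces no alerts.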
Once the SARIF report is uploaded to GitHub, policy violations will be available in the GitHub Security tab. This provides a centralized view of policy violations across different repositories.
The GitHub Action automatically adds comments to pull requests when security issues are found.
Policy Configuration
Store your vet policies in version control (e.g., .github/vet/policy.yml) to ensure consistent security standards across your organization.
Branch Protection
Configure branch protection rules to require the vet check to pass before merging pull requests.
Organization-wide Deployment
Use GitHub organization templates to deploy vet across all repositories automatically.
SARIF Upload Fails
Ensure the security-events: write permission is set in your workflow file and that Code Scanning is enabled for your repository.
No Violations Reported
Check that your policy configuration is correct and that violations actually exist. Use --report-json locally to debug.