SARIF export

Send RepoGuard findings to GitHub Code Scanning

Every RepoGuard scan can be exported as SARIF 2.1.0, the same format GitHub Code Scanning, Azure DevOps, and most SAST consumers speak. Upload it once and your findings show up in the repo's Security → Code scanning tab alongside Dependabot and CodeQL — with each result linked back to its rule page on RepoGuard.

Step 1 — Download the SARIF

On any saved scan, click Export SARIF in the top-right header. You get a .sarif.json file ready to upload — one result per finding, severities mapped to SARIF levels (critical/high → error, medium → warning, low → note), test-fixture findings discounted to note.

You can also pull it programmatically:

curl -L "https://repoguard-chi.vercel.app/api/scans/<SCAN_ID>/sarif" \
  -H "Cookie: authjs.session-token=<your-session-cookie>" \
  -o repoguard.sarif.json

Step 2 — Upload to GitHub Code Scanning

The cleanest path is a GitHub Actions job that runs after your normal CI, downloads the SARIF, and hands it to github/codeql-action/upload-sarif:

# .github/workflows/repoguard-sarif.yml
name: RepoGuard → Code Scanning

on:
  workflow_dispatch:
    inputs:
      scan_id:
        description: "RepoGuard scan id"
        required: true

permissions:
  contents: read
  security-events: write   # required to upload SARIF

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - name: Download SARIF from RepoGuard
        run: |
          curl -fL \
            -H "Cookie: authjs.session-token=${{ secrets.REPOGUARD_SESSION }}" \
            "https://repoguard-chi.vercel.app/api/scans/${{ inputs.scan_id }}/sarif" \
            -o repoguard.sarif.json

      - name: Upload to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: repoguard.sarif.json
          category: repoguard

The session cookie comes from your authenticated browser session with RepoGuard. Long-term we'll ship a proper API token; for now this manual flow is enough to satisfy any team policy that requires findings to live in the GitHub Security tab.

What you get inside Code Scanning

  • Each result deep-links back to its rule page on RepoGuard via helpUri, so a triager can read the "what / why / remediation" without leaving the alert.
  • Dependency findings dedupe across versions using the GHSA id — upgrading the package closes every linked alert in one shot.
  • Test fixtures get downgraded to note level, so a known fixture key never blocks a merge gate.
  • Sensitive-file findings ship a file-level location (no line number) — Code Scanning groups them by path.
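The severity mapping, file-level locations, helpUri links and GHSA-based dedupe described above, worked through as a small SARIF builder plus a pre-upload sanity check. This is an added example, not RepoGuard's own code: the finding field names, the rule-page URL path and the partialFingerprints key are assumptions, and the findings are constructed sample input.

```python
# Severity -> SARIF level, as documented on this page.
LEVEL_BY_SEVERITY = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}
VALID_LEVELS = {"error", "warning", "note", "none"}
# Assumed base URL for rule pages; real helpUri values come from RepoGuard's catalog.
RULE_BASE_URL = "https://repoguard-chi.vercel.app/rules/"

# Constructed sample findings; field names are assumptions, not RepoGuard's schema.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "critical", "path": "src/db.py", "line": 12},
    {"rule": "hardcoded-secret", "severity": "critical", "path": "tests/fixtures/keys.py",
     "line": 3, "fixture": True},
    {"rule": "vulnerable-dependency", "severity": "high", "path": "package-lock.json",
     "ghsa": "GHSA-xxxx-xxxx-xxxx"},  # placeholder advisory id
    {"rule": "sensitive-file", "severity": "medium", "path": ".env"},
]

def sarif_level(finding):
    """Map severity to a SARIF level; test-fixture findings are discounted to 'note'."""
    if finding.get("fixture"):
        return "note"
    return LEVEL_BY_SEVERITY[finding["severity"]]

def to_result(finding):
    """One SARIF result per finding; findings without a line get a file-level location."""
    physical = {"artifactLocation": {"uri": finding["path"]}}
    if finding.get("line") is not None:
        physical["region"] = {"startLine": finding["line"]}
    result = {"ruleId": finding["rule"], "level": sarif_level(finding),
              "message": {"text": f"{finding['rule']} in {finding['path']}"},
              "locations": [{"physicalLocation": physical}]}
    if finding.get("ghsa"):
        # Fingerprint on the advisory id so the alert survives a version bump
        # (assumed mechanism for the GHSA-based dedupe this page describes).
        result["partialFingerprints"] = {"ghsaId": finding["ghsa"]}
    return result

def build_sarif(findings):
    """Assemble a SARIF 2.1.0 log with one rule entry (and helpUri) per distinct rule id."""
    rule_ids = sorted({f["rule"] for f in findings})
    driver = {"name": "RepoGuard",
              "rules": [{"id": r, "helpUri": RULE_BASE_URL + r} for r in rule_ids]}
    return {"version": "2.1.0", "runs": [{"tool": {"driver": driver},
                                          "results": [to_result(f) for f in findings]}]}

def check_for_upload(sarif):
    """Pre-upload sanity check: schema version, driver name, known rule ids, valid levels."""
    run = sarif["runs"][0]
    known = {r["id"] for r in run["tool"]["driver"]["rules"]}
    return (sarif["version"] == "2.1.0" and run["tool"]["driver"]["name"] == "RepoGuard"
            and all(r["level"] in VALID_LEVELS and r["ruleId"] in known for r in run["results"]))
```

Running check_for_upload on a downloaded repoguard.sarif.json before the upload step catches a malformed export before it fails inside the Actions job.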

Zero-auth Code Scanning for public repos

For public repositories you don't need a session cookie at all. The anonymous scan endpoint accepts ?format=sarif and returns SARIF directly — drop this workflow at .github/workflows/repoguard.yml and every push runs a fresh scan that lands in Code Scanning:

# .github/workflows/repoguard.yml
name: RepoGuard → Code Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch SARIF from RepoGuard
        env:
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
        run: |
          curl -fSL -X POST \
            "https://repoguard-chi.vercel.app/api/scan-public/${OWNER}/${REPO}?format=sarif" \
            -o repoguard.sarif.json
      - uses: github/codeql-action/upload-sarif@f411752efdf656cb71aa17b755b22c890960da1d # v3.35.5
        with:
          sarif_file: repoguard.sarif.json
          category: repoguard

Or download the ready-to-use file from /workflows/repoguard.yml. Anonymous scans are rate-limited to 5 per repo per hour and 10 per source IP per hour — generous for normal commit cadence, hard cap on abuse. The workflow inherits these limits.

Browser-only export (no workflow)

Anonymous scans at /scan-public/<owner>/<repo> also expose Export SARIF once the scan finishes. The export is generated in your browser from the in-flight result — no persistence, no account needed. Same SARIF schema, same severity mapping; only the helpUri is omitted (the browser doesn't have access to the catalog resolver).

SARIF schema version: 2.1.0. Tool driver name: RepoGuard. Found a mapping bug or want a richer SARIF field populated? File an issue.