Code scanning is a developer-first, GitHub-native approach to finding security vulnerabilities before they reach production. Code scanning is powered by GitHub’s [CodeQL](https://securitylab.github.com/tools/codeql) static analysis engine and is extensible to include third-party security tools. That extensibility gives teams flexibility in which analyzers they run while keeping a single, consistent user experience for developers.

This capability is especially helpful if you:

*   Work at a large organization that’s grown through acquisitions and has teams running different code scanning tools;
*   Need additional coverage for specific areas such as mobile, Salesforce development, or mainframe development;
*   Need customized reporting or dashboarding services;
*   Or simply want to use your preferred tools while benefiting from a single user experience and a single API.

What makes this possible is GitHub code scanning’s API endpoint that can ingest scan results from third-party tools using the open standard Static Analysis Results Interchange Format ([SARIF](https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html)). The upload endpoint expects SARIF version 2.1.0, so check which version your tool emits before wiring it up.

Third-party code scanning tools are triggered by a GitHub Action or a GitHub App in response to an event in GitHub, such as a pull request. The tool’s results are formatted as SARIF and uploaded, either with the `github/codeql-action/upload-sarif` action or directly through the code scanning API, and they appear as alerts in the repository’s Security tab. Alerts are grouped per tool, and GitHub tracks findings across uploads so that the same finding reported again does not create a duplicate alert. This lets developers use their tool of choice for any of their projects on GitHub, all within the native GitHub experience.
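The following is an added example, not code from the original post or from GitHub: it converts the output of a hypothetical third-party scanner (the `SAMPLE_FINDINGS` list is constructed for illustration) into a minimal SARIF 2.1.0 log, checks the fields GitHub needs before an upload, and prepares the request body for the `POST /repos/{owner}/{repo}/code-scanning/sarifs` endpoint, which takes the SARIF gzip-compressed and base64-encoded together with the commit SHA and ref. The `exampleScannerKey/v1` fingerprint key and the hashing scheme are assumptions chosen for the example; GitHub’s own deduplication uses `partialFingerprints`, and it can compute its `primaryLocationLineHash` value itself when a tool does not supply one.

```python
"""Convert a hypothetical scanner's findings to SARIF 2.1.0 and build the
code scanning upload payload. Added example; SAMPLE_FINDINGS is constructed."""
import base64
import gzip
import hashlib
import json

# Constructed sample output of a hypothetical third-party scanner.
SAMPLE_FINDINGS = [
    {"rule": "SQLI-001", "level": "error", "file": "app/db.py", "line": 42,
     "col": 5, "msg": "Query built by concatenating request input"},
    {"rule": "WEAK-HASH", "level": "warning", "file": "app/auth.py", "line": 17,
     "col": 12, "msg": "MD5 used for password hashing"},
]


def _fingerprint(finding):
    # Tool-side stable key so the same finding maps to the same alert on
    # re-upload. Line numbers are deliberately excluded: code shifting down a
    # few lines must not spawn a new alert. The hash scheme is an assumption
    # of this example, not GitHub's algorithm.
    raw = f"{finding['rule']}|{finding['file']}|{finding['msg']}".encode()
    return hashlib.sha256(raw).hexdigest()


def to_sarif(findings, tool_name="ExampleScanner", tool_version="1.0.0"):
    """Build a one-run SARIF 2.1.0 log from scanner findings."""
    rules, results = {}, []
    for f in findings:
        # Rule metadata is declared once in tool.driver.rules; the first
        # message for a rule is used as its short description (assumption).
        rules.setdefault(f["rule"], {"id": f["rule"],
                                     "shortDescription": {"text": f["msg"]}})
        results.append({
            "ruleId": f["rule"],
            "level": f["level"],  # SARIF levels: error, warning, note, none
            "message": {"text": f["msg"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"], "startColumn": f["col"]},
            }}],
            "partialFingerprints": {"exampleScannerKey/v1": _fingerprint(f)},
        })
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def validate_sarif(doc):
    """Return a list of problems GitHub's upload would trip over; [] if clean."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for i, run in enumerate(doc.get("runs") or []):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name missing")
        for j, r in enumerate(run.get("results", [])):
            if not r.get("ruleId") or not r.get("message", {}).get("text"):
                problems.append(f"runs[{i}].results[{j}] needs ruleId and message.text")
            locs = r.get("locations") or []
            if not locs or "artifactLocation" not in locs[0].get("physicalLocation", {}):
                problems.append(f"runs[{i}].results[{j}] needs a physicalLocation")
    if not doc.get("runs"):
        problems.append("runs must contain at least one run")
    return problems


def build_upload_payload(sarif, commit_sha, ref):
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs:
    the SARIF is gzip-compressed, then base64-encoded."""
    compressed = gzip.compress(json.dumps(sarif).encode())
    return {"commit_sha": commit_sha, "ref": ref,
            "sarif": base64.b64encode(compressed).decode()}


def decode_payload(payload):
    """Inverse of build_upload_payload, for checking what will be sent."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))


if __name__ == "__main__":
    log = to_sarif(SAMPLE_FINDINGS)
    print(json.dumps(log, indent=2))
    print("problems:", validate_sarif(log))
```

In a workflow the same file is uploaded by `github/codeql-action/upload-sarif` with `sarif_file` pointing at it, and the job needs `security-events: write` permission; run the validation step first, because a malformed log is rejected at upload time rather than showing up as a broken alert.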

To get started, check out the GitHub Actions and Apps available on the [GitHub Marketplace](https://github.com/marketplace/category/security), or navigate to the Security tab in your repository and configure a workflow: the same tools are listed directly in the GitHub code scanning UI, each with a pre-configured workflow you can enable.

#partners #product #security #data-analysis

Announcing third-party code scanning tools: static analysis & developer security training