Use case

Show findings in GitHub code scanning

Get scanner findings as inline annotations on the PR diff

GateTest emits SARIF, the standard format GitHub code scanning ingests, so every finding appears as an inline annotation on the pull-request diff — tracked across commits and dismissible — instead of buried in CI logs.

The problem

Findings in a CI log are easy to ignore. A wall of text at the bottom of a build that nobody scrolls to isn't a review surface; it's noise. Developers act on what shows up next to the code they're reviewing.

GitHub code scanning solves this by rendering findings inline on the diff — but it needs results in SARIF, the standard interchange format.

How GateTest does it

GateTest produces SARIF as one of its reporter formats. Upload it with the standard `github/codeql-action/upload-sarif` step and GitHub renders each finding inline.

GitHub then tracks findings across commits, de-duplicates them, and lets reviewers dismiss with a reason — turning scanner output into a managed review surface.

upload SARIF to code scanning
- uses: crclabs-hq/gatetest-action@v1
  with:
    suite: full
    sarif-file: gatetest.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: gatetest.sarif

Steps

  1. Run GateTest with SARIF output enabled.
  2. Upload the SARIF file via github/codeql-action/upload-sarif.
  3. Findings appear under the Security tab and inline on the diff.
  4. Reviewers dismiss false positives with a tracked reason.
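A pre-upload sanity check for the SARIF file, added here as an example and not part of GateTest or the GitHub action: it verifies the fields code scanning needs before a finding can be placed inline on the diff, so a malformed report fails the build instead of uploading and showing nothing. The sample SARIF is constructed; "scanner" and "R1" are placeholder names.

```python
"""Pre-upload check for the SARIF a scanner reporter writes. GitHub code scanning
renders a result inline only when it has a ruleId, a message, and a physicalLocation
with a repository-relative path and a startLine; failing CI on a malformed file
beats uploading one that silently renders nothing on the PR."""

VALID_LEVELS = {"error", "warning", "note", "none"}  # result levels the SARIF spec allows


def sarif_problems(doc: dict) -> list[str]:
    """Return human-readable problems; an empty list means the file is usable."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append("tool.driver.name is required")
        for i, res in enumerate(run.get("results", [])):
            where = f"results[{i}]"
            if not res.get("ruleId"):
                problems.append(f"{where}: missing ruleId")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}: missing message.text")
            if res.get("level", "warning") not in VALID_LEVELS:  # SARIF default is warning
                problems.append(f"{where}: invalid level {res.get('level')!r}")
            locs = res.get("locations") or []
            if not locs:
                problems.append(f"{where}: no locations, so nothing renders inline")
            for loc in locs:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                # GitHub matches uri against the checked-out tree, so it must be relative.
                if not uri or uri.startswith("/") or "://" in uri:
                    problems.append(f"{where}: uri {uri!r} is not repository-relative")
                if not isinstance(phys.get("region", {}).get("startLine"), int):
                    problems.append(f"{where}: region.startLine is required")
    return problems


def _loc(uri: str, line: int) -> dict:
    return {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}


# Constructed sample, not real GateTest output: result 0 is well-formed, result 1
# carries an absolute runner path that GitHub cannot map onto the repository.
SAMPLE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "scanner"}}, "results": [
    {"ruleId": "R1", "level": "error", "message": {"text": "hard-coded secret"},
     "locations": [_loc("src/config.py", 12)]},
    {"ruleId": "R1", "message": {"text": "unsafe call"},
     "locations": [_loc("/home/runner/work/app/src/app.py", 3)]}]}]}
```

Run `sarif_problems` on the reporter's output as a CI step before `upload-sarif` and fail the job if the list is non-empty.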

Frequently asked questions

Do I need GitHub Advanced Security for this?

Code scanning via SARIF upload is available on public repositories for free and on private repositories with GitHub Advanced Security. GateTest produces the SARIF; GitHub's availability rules apply to where it's displayed.

What format does GateTest export?

GateTest emits five reporter formats — Console, JSON, HTML, SARIF, and JUnit. SARIF is the one GitHub code scanning ingests for inline annotations.

Put this gate on your repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
