It would be great for this action to integrate with GitHub code scanning automatically. This would mean that the reported findings would be written back to GitHub in SARIF format.
Not sure if this is feasible, but it would be great to get security-related findings in one place, next to the source code.
One example of an action that automatically integrates with code scanning is https://github.com/SonarSource/sonarcloud-github-action. The action automatically reports security-related findings back to GitHub if Advanced Security is enabled. As a user, you do not have to add additional parameters for this feature to work.

Replies: 1 comment

- Another action that may serve as inspiration: https://github.com/aquasecurity/trivy-action. The use-case is roughly the same I guess: scanning container images for vulnerabilities. They output a SARIF file which can be processed by GitHub code scanning.
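What "writing the findings back in SARIF format" amounts to for an action like the ones named above, as an added example that is not code from this action, from trivy-action or from sonarcloud-github-action: a scanner's findings are turned into a SARIF 2.1.0 log with one `rules` entry per distinct finding id and one `results` entry per occurrence, each carrying a `physicalLocation` so code scanning can pin it to a file, plus the `security-severity` rule property GitHub uses for its Critical/High/Medium/Low buckets. The finding record layout (`id`, `severity`, `description`, `package`, `file`, `line`), the `DEMO-…` ids, the `informationUri` placeholder and the sample findings are all constructed for this example; the SARIF field names and the upload limits come from the SARIF 2.1.0 specification and GitHub's code scanning documentation.

```python
"""Build a SARIF 2.1.0 log from scanner findings and pre-check it against
GitHub code scanning's documented upload limits. Example code, not the
action's own: the finding fields and sample data below are constructed."""
import json
from typing import Dict, List, Tuple

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Scanner severity -> (SARIF level, GitHub "security-severity" score).
# The score strings are an assumption chosen to land in GitHub's buckets
# (>= 9.0 critical, 7.0-8.9 high, 4.0-6.9 medium, otherwise low).
SEVERITY_MAP: Dict[str, Tuple[str, str]] = {
    "CRITICAL": ("error", "9.5"),
    "HIGH": ("error", "8.0"),
    "MEDIUM": ("warning", "5.0"),
    "LOW": ("note", "2.0"),
}

# Documented GitHub limits: 20 runs per file, 5,000 results per run.
MAX_RUNS_PER_FILE = 20
MAX_RESULTS_PER_RUN = 5000
LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2}


def to_sarif(tool_name: str, tool_version: str, findings: List[dict]) -> dict:
    """Convert findings (assumed keys: id, severity, description, package, file,
    line) into a single-run SARIF log. Rules are emitted once per distinct id and
    results refer to them by ruleId and ruleIndex, which is how GitHub links a
    result to its rule metadata."""
    rules: List[dict] = []
    rule_index: Dict[str, int] = {}
    results: List[dict] = []
    for f in findings:
        level, score = SEVERITY_MAP.get(f["severity"].upper(), ("warning", "5.0"))
        if f["id"] not in rule_index:
            rule_index[f["id"]] = len(rules)
            rules.append({
                "id": f["id"],
                "shortDescription": {"text": f["description"][:120]},
                "fullDescription": {"text": f["description"]},
                "help": {"text": f["description"]},
                "properties": {"security-severity": score, "tags": ["security"]},
            })
        results.append({
            "ruleId": f["id"],
            "ruleIndex": rule_index[f["id"]],
            "level": level,
            "message": {"text": f"{f['package']}: {f['description']}"},
            "locations": [{"physicalLocation": {
                # %SRCROOT% tells GitHub the path is relative to the checkout root.
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    if len(results) > MAX_RESULTS_PER_RUN:
        # Keep the most severe results instead of relying on how the service
        # treats the excess; sort is stable so scanner order survives per level.
        results.sort(key=lambda r: LEVEL_ORDER[r["level"]])
        results = results[:MAX_RESULTS_PER_RUN]
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "informationUri": "https://example.invalid/scanner",  # placeholder
                "rules": rules,
            }},
            "results": results,
        }],
    }


def github_upload_issues(log: dict) -> List[str]:
    """Return the problems that would make code scanning reject or mis-display
    the log; an empty list means it is ready for upload-sarif."""
    issues: List[str] = []
    if len(log["runs"]) > MAX_RUNS_PER_FILE:
        issues.append(f"more than {MAX_RUNS_PER_FILE} runs in one file")
    for i, run in enumerate(log["runs"]):
        ids = [r["id"] for r in run["tool"]["driver"]["rules"]]
        if len(ids) != len(set(ids)):
            issues.append(f"run {i}: duplicate rule ids")
        if len(run["results"]) > MAX_RESULTS_PER_RUN:
            issues.append(f"run {i}: more than {MAX_RESULTS_PER_RUN} results")
        for j, res in enumerate(run["results"]):
            if res.get("ruleId") not in ids:
                issues.append(f"run {i} result {j}: ruleId not declared in rules")
            if not res.get("locations"):
                issues.append(f"run {i} result {j}: no physicalLocation to place it")
    return issues


SAMPLE_FINDINGS = [  # constructed sample input, not real scan output
    {"id": "DEMO-VULN-1", "severity": "HIGH", "description": "constructed flaw in libfoo",
     "package": "libfoo 1.2.3", "file": "Dockerfile", "line": 3},
    {"id": "DEMO-VULN-1", "severity": "HIGH", "description": "constructed flaw in libfoo",
     "package": "libfoo 1.2.3", "file": "Dockerfile", "line": 7},
    {"id": "DEMO-VULN-2", "severity": "LOW", "description": "constructed weakness in bar",
     "package": "bar 0.9", "file": "Dockerfile", "line": 3},
]

if __name__ == "__main__":
    log = to_sarif("demo-scanner", "0.1.0", SAMPLE_FINDINGS)
    problems = github_upload_issues(log)
    with open("results.sarif", "w", encoding="utf-8") as fh:
        json.dump(log, fh, indent=2)
    print("upload issues:", problems or "none")
```

The resulting `results.sarif` is what a workflow hands to `github/codeql-action/upload-sarif` via its `sarif_file` input; the job needs `permissions: security-events: write` for that step, and the upload is only accepted when code scanning is enabled for the repository, which is the same condition the sonarcloud action depends on. Container findings have no source line of their own, so mapping them onto the `Dockerfile` as done in the sample is an assumption; a scanner would pick whatever artifact best explains where the vulnerable package entered the image.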