Linking code scanning alerts to GitHub issues

Create or connect GitHub issues to code scanning alerts to track security fixes in your team's workflow.

Who can use this feature?

People with write access for the repository can link code scanning alerts to issues.

Note

Code scanning alert tracking using GitHub issues is currently in public preview and subject to change.

When code scanning identifies a vulnerability, you can link it to a new or existing GitHub issue. This makes security fixes visible in your planning and project boards alongside your team's regular development work. For more information about how alert tracking works, see Code scanning alert tracking using issues.

Creating an issue from an alert

Create a new issue directly from a code scanning alert, pre-populated with vulnerability details.

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click the Security and quality tab. If you cannot see the "Security and quality" tab, select the dropdown menu, and then click Security and quality.
  3. In the left sidebar, click Code scanning.
  4. Under "Code scanning," click the alert you'd like to explore to display the detailed alert page.
  5. On the right of the alert page, click Tracking.
  6. From the dropdown list, select Create issue.
    • Select the repository to create the issue in.
    • If applicable, select the template to use for your new issue.
  7. Fill in the issue, providing as much detail as possible.
  8. Optionally, assign the issue to a team member, add labels, or add it to a project.
  9. Click Create.

The newly created issue automatically links to the alert. View it by clicking the issue icon below the alert name.

Linking an alert to an existing issue

Connect an existing issue to a code scanning alert.

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click the Security and quality tab. If you cannot see the "Security and quality" tab, select the dropdown menu, and then click Security and quality.
  3. In the left sidebar, click Code scanning.
  4. Under "Code scanning," click the alert you'd like to explore to display the detailed alert page.
  5. On the right of the alert page, click Tracking.
  6. From the dropdown list, select Add existing GitHub issue.
  7. Search by issue number or title, or select a different repository by clicking the Back icon.
  8. Click the issue you want to link.

You can link to issues in different repositories, as long as you have access and GitHub Issues is enabled.

Viewing linked issues

Once you link an issue to an alert, you can view the linked issue in two places:

  • On the alert detail page: Click the issue icon below the alert name to navigate to the full issue details.
  • In the list of code scanning alerts: Linked issues appear alongside their corresponding alerts in the main alerts list view.

Changing or unlinking a linked issue

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click the Security and quality tab. If you cannot see the "Security and quality" tab, select the dropdown menu, and then click Security and quality.
  3. In the left sidebar, click Code scanning.
  4. Under "Code scanning," click the alert you'd like to explore to display the detailed alert page.
  5. On the right of the alert page, click Tracking.
  6. Click Change or remove issue.

When you unlink an issue from an alert, the link is removed from the alert page and alert list. The issue itself remains unchanged.