<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.2">Jekyll</generator><link href="https://partner.github.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://partner.github.com/" rel="alternate" type="text/html" /><updated>2022-06-09T16:09:23+00:00</updated><id>https://partner.github.com/feed.xml</id><title type="html">GitHub Partner Portal</title><subtitle>GitHub is how people build software. Millions of developers and organizations around
the world use GitHub to discover, share and contribute to projects. Together,
we're defining how software is built today.
</subtitle><entry><title type="html">Getting Started with Ingesting GitHub GHAS Alerts slides</title><link href="https://partner.github.com/integration-resources/2022/05/26/slides-getting-started-guide-for-ingesting-ghas-alerts.html" rel="alternate" type="text/html" title="Getting Started with Ingesting GitHub GHAS Alerts slides" /><published>2022-05-26T00:00:00+00:00</published><updated>2022-05-26T00:00:00+00:00</updated><id>https://partner.github.com/integration-resources/2022/05/26/slides-getting-started-guide-for-ingesting-ghas-alerts</id><content type="html" xml:base="https://partner.github.com/integration-resources/2022/05/26/slides-getting-started-guide-for-ingesting-ghas-alerts.html">&lt;p&gt;These slides provide an overview of how to ingest GitHub Advanced Security alerts into third party solutions.&lt;/p&gt;</content><author><name></name></author><category term="Integration-Resources" /><category term="Integration_Basics" /><category term="GitHub_Apps" /><category term="GHAS" /><category term="Actions" /><summary type="html">These slides provide an overview of how to ingest GitHub Advanced Security alerts into third party solutions.</summary></entry><entry><title type="html">Figma Widget</title><link href="https://partner.github.com/2022/05/12/figma-article.html" rel="alternate" type="text/html" title="Figma Widget" /><published>2022-05-12T15:35:40+00:00</published><updated>2022-05-12T15:35:40+00:00</updated><id>https://partner.github.com/2022/05/12/figma-article</id><content type="html" xml:base="https://partner.github.com/2022/05/12/figma-article.html">&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/54083068/158236141-65111130-2c3a-498f-bc94-72fe2dab5352.png&quot; alt=&quot;112401518-f020e400-8cc7-11eb-8f0c-3440d190acdb&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Go from brainstorming and planning to building with fewer steps in between with the new GitHub widget for FigJam!&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;Go from brainstorming and planning to building with fewer steps in between with the new GitHub widget for FigJam!&lt;a href=&quot;https://t.co/SRiheAuQOU&quot;&gt;https://t.co/SRiheAuQOU&lt;/a&gt; &lt;a href=&quot;https://t.co/D3B1qLg2wH&quot;&gt;pic.twitter.com/D3B1qLg2wH&lt;/a&gt;&lt;/p&gt;&amp;mdash; GitHub (@github) &lt;a href=&quot;https://twitter.com/github/status/1524086915506577408?ref_src=twsrc%5Etfw&quot;&gt;May 10, 2022&lt;/a&gt;&lt;/blockquote&gt;
</content><author><name>Parth Dhingreja:Senior Business Development Manager</name></author><summary type="html"></summary></entry><entry><title type="html">Cloud 66</title><link href="https://partner.github.com/2022/05/12/cloud66-article.html" rel="alternate" type="text/html" title="Cloud 66" /><published>2022-05-12T07:04:15+00:00</published><updated>2022-05-12T07:04:15+00:00</updated><id>https://partner.github.com/2022/05/12/cloud66-article</id><content type="html" xml:base="https://partner.github.com/2022/05/12/cloud66-article.html">&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/54083068/158236141-65111130-2c3a-498f-bc94-72fe2dab5352.png&quot; alt=&quot;112401518-f020e400-8cc7-11eb-8f0c-3440d190acdb&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Cloud66’s new GitHub App: Deploy your code, directly from the repository to your own servers on any cloud.&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;🥁 Cloud 66 is available on GitHub Marketplace. Now you can deploy your code, directly from the repository to your own servers on any cloud. &lt;a href=&quot;https://twitter.com/GitHubEnt?ref_src=twsrc%5Etfw&quot;&gt;@GitHubEnt&lt;/a&gt; &lt;a href=&quot;https://twitter.com/github?ref_src=twsrc%5Etfw&quot;&gt;@GitHub&lt;/a&gt; &lt;a href=&quot;https://t.co/nFTfeEI47K&quot;&gt;https://t.co/nFTfeEI47K&lt;/a&gt; &lt;a href=&quot;https://t.co/i97OYG6PXY&quot;&gt;pic.twitter.com/i97OYG6PXY&lt;/a&gt;&lt;/p&gt;&amp;mdash; Cloud 66 (@cloud66) &lt;a href=&quot;https://twitter.com/cloud66/status/1524209941191483393?ref_src=twsrc%5Etfw&quot;&gt;May 11, 2022&lt;/a&gt;&lt;/blockquote&gt;
</content><author><name>Parth Dhingreja:Senior Business Development Manager</name></author><summary type="html"></summary></entry><entry><title type="html">GitHub Partner Program Newsletter – Apr 2022</title><link href="https://partner.github.com/2022/04/25/april-2022-newsletter.html" rel="alternate" type="text/html" title="GitHub Partner Program Newsletter – Apr 2022" /><published>2022-04-25T17:36:46+00:00</published><updated>2022-04-25T17:36:46+00:00</updated><id>https://partner.github.com/2022/04/25/april-2022-newsletter</id><content type="html" xml:base="https://partner.github.com/2022/04/25/april-2022-newsletter.html">&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/16566705/112401416-bbad2800-8cc7-11eb-88f9-c66a868a0906.png&quot; alt=&quot;partner program image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If you want to receive emails when we have future Newsletters, sign up: &lt;a href=&quot;https://partner.github.com/apply&quot;&gt;GitHub Technology Partner Program&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;so-whats-new&quot;&gt;So what’s new?&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;[GitHub Beta Feature Opportunity]: API Versioning Private Beta&lt;/strong&gt;
The current version of GitHub’s REST API is v3 and has been for &lt;a href=&quot;https://github.blog/2011-06-20-api-v3-190-methods-to-build-on/&quot;&gt;over 10 years&lt;/a&gt;. Moving forward, we want to introduce a new versioning approach for the REST API that uses a YYYY-MM-DD version-naming scheme, where the name indicates the date the API version was released. We’re looking to collect feedback until the end of May 2022. By providing your opinion, you will be able to help influence the direction of API versioning at its earliest stages.&lt;/p&gt;

&lt;p&gt;Email us at &lt;a href=&quot;mailto:partnerships@github.com&quot;&gt;partnerships@github.com&lt;/a&gt; with the subject line “API Versioning Beta: [Your Company Name]” if you would like to provide feedback on API versioning.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;New GitHub Issue closed reasons&lt;/strong&gt;
Last year we introduced updates to our &lt;a href=&quot;https://github.blog/changelog/2021-10-26-updates-to-our-issue-status-icons-and-colors/&quot;&gt;issue icons and colors&lt;/a&gt;, along with a commitment to address your feedback on showing the reason why an issue was closed. Today we are starting to roll out a preview of issue closed reasons to a small group of users. Your repository should have been feature-flagged in; let us know if you have any questions!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/16566705/160642974-f06e5c6d-ac94-4ddd-a242-7d8f4887fd80.png&quot; alt=&quot;image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;GHES Storage Partners&lt;/strong&gt;
Partners in the GitHub Technology Partner Program have the opportunity to self-validate their storage solutions with GHES. &lt;a href=&quot;https://github.com/github-technology-partners/ghes-storage-partners&quot;&gt;More information on how to get listed, and further details, here&lt;/a&gt;, or email us at partnerships@github.com.&lt;/p&gt;

&lt;h2 id=&quot;reminders&quot;&gt;Reminders&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Co-market with GitHub!&lt;/strong&gt;
If you have created a &lt;strong&gt;brand new&lt;/strong&gt; GitHub Action or App and posted it in the GitHub Marketplace, we’d be happy to help amplify your announcement. &lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/co-marketing-with-github.html&quot;&gt;More info on our co-marketing guidelines here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Secure your API tokens by joining the GitHub secret scanning program&lt;/strong&gt;
We’re continuing to expand our &lt;a href=&quot;https://docs.github.com/en/developers/overview/secret-scanning&quot;&gt;secret scanning program&lt;/a&gt;. If your service issues API keys or other secrets that could end up committed in code, we can help you detect them if and when they are leaked on GitHub. For example, via the secret scanning program we notify AWS when their credentials are found in public repos, allowing them to &lt;a href=&quot;https://medium.com/swlh/aws-access-keys-leak-in-github-repository-and-some-improvements-in-amazon-reaction-cc2e20e89003&quot;&gt;automatically protect their users&lt;/a&gt;.
&lt;a href=&quot;https://docs.github.com/en/developers/overview/secret-scanning&quot;&gt;[Find out more about secret scanning]&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;If you need to update your Marketplace logo&lt;/strong&gt;
We’ve been getting some questions around how to update your Marketplace action or app logo. Please look at our guide with the necessary logo requirements.
&lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/co-marketing-with-github.html&quot;&gt;Co-marketing guide&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Verified apps on the Marketplace are being updated to ‘verified creator’&lt;/strong&gt;
Learn about the badges that you may see for some apps and actions listings on GitHub Marketplace, and how you can get yours!
&lt;a href=&quot;https://docs.github.com/en/developers/github-marketplace/about-marketplace-badges&quot;&gt;[Marketplace badges]&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Partner-owned documentation to docs.github.com&lt;/strong&gt;
A paved path now exists for our partners to contribute and maintain documentation on docs.github.com. This provides an opportunity for our partners to describe how their tools work with GitHub.
&lt;a href=&quot;https://github.com/github/docs/issues/new?template=partner-contributed-documentation.md&quot;&gt;[Open an issue using the appropriate template]&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integrating with code scanning&lt;/strong&gt;
A new pattern guide on how to integrate with code scanning is now available on our Partner Resources tab. It applies to all partners with a SAST offering: if your team has a static analysis tool, the guide shows how you can surface security vulnerabilities directly in the GitHub UI before developers deploy to production.
&lt;a href=&quot;https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html&quot;&gt;[Our new guide]&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Join our Technology Partner Program&lt;/strong&gt;
Get access to GitHub Enterprise Server developer licenses, a plethora of integration resources and guides, invites to private partner events, discounts on event sponsorships (GitHub Universe is coming up!), co-marketing opportunities, and more. Our program has no cost.
&lt;a href=&quot;https://partner.github.com/apply?partnershipType=Technology%20Partner&quot;&gt;[Apply today]&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;you-know-where-to-reach-us&quot;&gt;You know where to reach us&lt;/h2&gt;

&lt;p&gt;As always, feel free to reach out to us with questions at partnerships@github.com or support.github.com.&lt;/p&gt;

&lt;p&gt;Happy coding!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/16566705/112401428-c071dc00-8cc7-11eb-927c-47045ae16cc3.png&quot; alt=&quot;partner program newsletter image 2&quot; /&gt;&lt;/p&gt;</content><author><name>Parth Dhingreja:Senior Business Development Manager</name></author><summary type="html"></summary></entry><entry><title type="html">Eversql GitHub Action to optimize SQL queries automatically</title><link href="https://partner.github.com/2022/04/21/eversql-article.html" rel="alternate" type="text/html" title="Eversql GitHub Action to optimize SQL queries automatically" /><published>2022-04-21T00:00:00+00:00</published><updated>2022-04-21T00:00:00+00:00</updated><id>https://partner.github.com/2022/04/21/eversql-article</id><content type="html" xml:base="https://partner.github.com/2022/04/21/eversql-article.html">&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;Using &lt;a href=&quot;https://twitter.com/github?ref_src=twsrc%5Etfw&quot;&gt;@GitHub&lt;/a&gt; Actions? You can now optimize SQL queries automatically with &lt;a href=&quot;https://twitter.com/EverSQL?ref_src=twsrc%5Etfw&quot;&gt;@EverSQL&lt;/a&gt;, boosting your CI/CD and making your code faster 🚀 &lt;a href=&quot;https://t.co/CAQ5lmUukU&quot;&gt;https://t.co/CAQ5lmUukU&lt;/a&gt;&lt;/p&gt;&amp;mdash; EverSQL (@EverSQL) &lt;a href=&quot;https://twitter.com/EverSQL/status/1516764269353877509?ref_src=twsrc%5Etfw&quot;&gt;April 20, 2022&lt;/a&gt;&lt;/blockquote&gt;
</content><author><name>Parth Dhingreja:Senior Business Development Manager</name></author><summary type="html">Using @GitHub Actions? You can now optimize SQL queries automatically with @EverSQL, boosting your CI/CD and making your code faster 🚀 https://t.co/CAQ5lmUukU&amp;mdash; EverSQL (@EverSQL) April 20, 2022</summary></entry><entry><title type="html">Automating SLO-as-code with GitHub Actions and Nobl9</title><link href="https://partner.github.com/2022/04/21/nobl9-article.html" rel="alternate" type="text/html" title="Automating SLO-as-code with GitHub Actions and Nobl9" /><published>2022-04-21T00:00:00+00:00</published><updated>2022-04-21T00:00:00+00:00</updated><id>https://partner.github.com/2022/04/21/nobl9-article</id><content type="html" xml:base="https://partner.github.com/2022/04/21/nobl9-article.html">&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/54083068/158236141-65111130-2c3a-498f-bc94-72fe2dab5352.png&quot; alt=&quot;112401518-f020e400-8cc7-11eb-8f0c-3440d190acdb&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Nobl9’s new GitHub Action: customers will be able to leverage the GitHub Action to ensure their SLOs are updated in Nobl9 whenever they make changes to their SLO definitions in source code.&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;Customers can now update their SLO configurations in Nobl9 with &lt;a href=&quot;https://twitter.com/github?ref_src=twsrc%5Etfw&quot;&gt;@GitHub&lt;/a&gt; Actions. Learn more about our integration with &lt;a href=&quot;https://twitter.com/GitHubEnt?ref_src=twsrc%5Etfw&quot;&gt;@GitHubEnt&lt;/a&gt;: &lt;a href=&quot;https://t.co/Or77bNvY7z&quot;&gt;https://t.co/Or77bNvY7z&lt;/a&gt;&lt;a href=&quot;https://twitter.com/hashtag/SLO?src=hash&amp;amp;ref_src=twsrc%5Etfw&quot;&gt;#SLO&lt;/a&gt; &lt;a href=&quot;https://twitter.com/hashtag/GitHub?src=hash&amp;amp;ref_src=twsrc%5Etfw&quot;&gt;#GitHub&lt;/a&gt;&lt;/p&gt;&amp;mdash; Nobl9 (@nobl9inc) &lt;a href=&quot;https://twitter.com/nobl9inc/status/1514658858068844552?ref_src=twsrc%5Etfw&quot;&gt;April 14, 2022&lt;/a&gt;&lt;/blockquote&gt;
</content><author><name>Parth Dhingreja:Senior Business Development Manager</name></author><summary type="html"></summary></entry><entry><title type="html">Perforce launches new GitHub Actions to help game developers</title><link href="https://partner.github.com/2022/03/23/perforce_launches_actions.html" rel="alternate" type="text/html" title="Perforce launches new GitHub Actions to help game developers" /><published>2022-03-23T00:00:00+00:00</published><updated>2022-03-23T00:00:00+00:00</updated><id>https://partner.github.com/2022/03/23/perforce_launches_actions</id><content type="html" xml:base="https://partner.github.com/2022/03/23/perforce_launches_actions.html">&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/54083068/158236141-65111130-2c3a-498f-bc94-72fe2dab5352.png&quot; alt=&quot;112401518-f020e400-8cc7-11eb-8f0c-3440d190acdb&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Today, Perforce has launched a new GitHub Action in the &lt;a href=&quot;https://github.com/marketplace/actions/perforce-helix-core-actions&quot;&gt;GitHub marketplace&lt;/a&gt; that will help game developers integrate their Helix Core environment with GitHub. The new action will enable developers building game pipelines on Helix Core to trigger GitHub Actions.&lt;/p&gt;

&lt;p&gt;Game studios using both GitHub and Perforce have built custom complex pipelines to keep their code and assets in sync. This first party integration facilitates the use of GitHub Actions as an orchestrator for code and assets stored in Helix Core.&lt;/p&gt;

&lt;p&gt;This work is an important piece of the strategic partnership that was announced today with &lt;a href=&quot;https://developer.microsoft.com/games/blog/microsoft-perforce-reimagining-game-production/&quot;&gt;Microsoft and Perforce to make it easier to extend game production into the cloud for game creators of all sizes.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Learn more about the work that &lt;a href=&quot;https://www.perforce.com/blog/vcs/perforce-github-helix-core-actions&quot;&gt;Perforce has created&lt;/a&gt; and go over to &lt;a href=&quot;https://github.com/perforce/setup-p4/discussions&quot;&gt;Discussions&lt;/a&gt; to participate.&lt;/p&gt;</content><author><name>Rick Duong:Business Development Manager,Abir Majumdar:Partner Engineer</name></author><summary type="html"></summary></entry><entry><title type="html">Welcome to our new Technology Partner Resources Page</title><link href="https://partner.github.com/2022/03/15/welcome.html" rel="alternate" type="text/html" title="Welcome to our new Technology Partner Resources Page" /><published>2022-03-15T08:00:52+00:00</published><updated>2022-03-15T08:00:52+00:00</updated><id>https://partner.github.com/2022/03/15/welcome</id><content type="html" xml:base="https://partner.github.com/2022/03/15/welcome.html">&lt;h2 id=&quot;welcome&quot;&gt;Welcome!&lt;/h2&gt;

&lt;p&gt;We’re happy to announce that we have launched our new Technology Partner Resources Page! 🎉 The Partner Hub provides access to all the resources you need so that we can work together to create incredible experiences for our shared customers.&lt;/p&gt;

&lt;p&gt;As a first step, evaluate which GitHub Partner Program to join. The &lt;strong&gt;Technology Partner program&lt;/strong&gt; is for ISVs, integrators, and cloud service providers that want to extend the GitHub platform and co-market with us, while the &lt;strong&gt;Service and Channel Partner Program&lt;/strong&gt; is for service-oriented and resell partners that want to deliver services to our joint customers and co-sell with us.&lt;/p&gt;

&lt;h3 id=&quot;partner-program-requirements&quot;&gt;Partner Program Requirements&lt;/h3&gt;

&lt;ul&gt;
  &lt;li&gt;For the Technology Partner Program, see the Program Requirements section on the &lt;a href=&quot;https://partner.github.com/technology-partners&quot;&gt;Technology Partners&lt;/a&gt; tab.&lt;/li&gt;
  &lt;li&gt;For the Channel Partner Program, see our &lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/GitHub-Services-&amp;amp;-Channel-Partners-Handbook.html&quot;&gt;Services &amp;amp; Channel Partners Handbook&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;where-to-get-started&quot;&gt;Where to get started&lt;/h3&gt;

&lt;p&gt;Get started by browsing through the below articles:&lt;/p&gt;

&lt;h4 id=&quot;technology-partners&quot;&gt;Technology Partners&lt;/h4&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/integration-resources/2020/11/05/slides-platform-integration-101.html&quot;&gt;Platform integration 101 slides&lt;/a&gt; - Overview of how to build technical integrations with GitHub&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/integration-resources/2020/11/10/learn-github-actions.html&quot;&gt;Learn GitHub Actions&lt;/a&gt; - Guide to help you use GitHub Actions to accelerate application development workflows&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/integration-resources/2020/11/10/github-apps-101.html&quot;&gt;GitHub Apps 101 slides&lt;/a&gt; - Introduction to GitHub Apps&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/co-marketing-with-github.html&quot;&gt;GitHub Technology Partner Program: Co-marketing with GitHub&lt;/a&gt; - When you’re close to launching an integration in our Marketplace, we can help you co-market!&lt;/li&gt;
&lt;/ul&gt;

&lt;h4 id=&quot;services--channel-partners&quot;&gt;Services &amp;amp; Channel Partners&lt;/h4&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/GitHub-Services-&amp;amp;-Channel-Partners-Handbook.html&quot;&gt;GitHub Services &amp;amp; Channel Partners Handbook&lt;/a&gt; - Accelerate your business and help your customers reach their full DevOps potential&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://partner.github.com/go-to-market/2020/11/25/Github-Partner-Value-Proposition.html&quot;&gt;GitHub Channel Partner Value Proposition&lt;/a&gt; - Market opportunities, partner growth insights, and GitHub-oriented offerings for partners&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;partner-hub-updates&quot;&gt;Partner Hub Updates&lt;/h3&gt;

&lt;p&gt;Check out our new Resources and Newsfeed sections:&lt;/p&gt;

&lt;h4 id=&quot;resources&quot;&gt;Resources&lt;/h4&gt;

&lt;p&gt;The &lt;a href=&quot;https://partner.github.com/resources&quot;&gt;Resources&lt;/a&gt; section contains info on topics such as integration and go-to-market.
&lt;img src=&quot;https://user-images.githubusercontent.com/2547497/101198609-90b79f00-3618-11eb-907b-cd35d7a9dec1.png&quot; alt=&quot;image&quot; /&gt;&lt;/p&gt;

&lt;h4 id=&quot;newsfeed&quot;&gt;Newsfeed&lt;/h4&gt;

&lt;p&gt;We will continuously update the &lt;a href=&quot;https://partner.github.com/newsfeed&quot;&gt;Newsfeed&lt;/a&gt; with key information such as partner-related product updates, events, and more. Stay tuned for our quarterly newsletter with all of our ecosystem updates.&lt;/p&gt;</content><author><name>Parth Dhingreja:Business Development Manager</name></author><summary type="html">Welcome!</summary></entry><entry><title type="html">Releasing and maintaining actions</title><link href="https://partner.github.com/integration-resources/2021/03/19/pattern-releasing-and-maintaining-actions.html" rel="alternate" type="text/html" title="Releasing and maintaining actions" /><published>2021-03-19T00:00:00+00:00</published><updated>2021-03-19T00:00:00+00:00</updated><id>https://partner.github.com/integration-resources/2021/03/19/pattern-releasing-and-maintaining-actions</id><content type="html" xml:base="https://partner.github.com/integration-resources/2021/03/19/pattern-releasing-and-maintaining-actions.html">&lt;h3 id=&quot;problem-statement&quot;&gt;Problem statement&lt;/h3&gt;

&lt;p&gt;So you have &lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action&quot;&gt;created an action&lt;/a&gt;… now what? This pattern guide shows a minimal solution for releasing and maintaining actions in open source, favoring automation whenever possible so that the action provides value while maintenance overhead stays at a minimum.&lt;/p&gt;

&lt;p&gt;The solution should:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Leverage GitHub Actions for continuous integration, dependency updates, release management, and task automation.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Promote discoverability with regular publishing to GitHub Marketplace.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Provide confidence through automated tests and build badges.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Indicate how the action can be used, ideally as part of a broader workflow.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Signal what type of community contributions you welcome, e.g. issues, pull requests, or vulnerability reports.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;h3 id=&quot;solution&quot;&gt;Solution&lt;/h3&gt;

&lt;p&gt;We recommend that &lt;a href=&quot;https://partner.github.com/technology-partners&quot;&gt;Technology Partners&lt;/a&gt; build actions with &lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/about-actions#types-of-actions&quot;&gt;JavaScript instead of in containers&lt;/a&gt; for speed and cross-platform functionality, so this guide will focus on JavaScript actions.&lt;/p&gt;

&lt;p&gt;Though they are “just” Node.js repositories with metadata in an &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;action.yml&lt;/code&gt; file, JavaScript actions have a few interesting properties compared to traditional Node.js projects:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Dependent packages are committed alongside the code, typically in a compiled and minified form, so &lt;strong&gt;automated builds&lt;/strong&gt; and &lt;strong&gt;secure community contributions&lt;/strong&gt; are important.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Tagged releases can be published directly to GitHub Marketplace and consumed by workflows across GitHub, making sensible &lt;strong&gt;releasing and tagging&lt;/strong&gt; of special interest.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Many actions make use of the GitHub API &lt;em&gt;and&lt;/em&gt; third party APIs, so we encourage &lt;strong&gt;robust end-to-end testing&lt;/strong&gt;.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We base a solution on &lt;a href=&quot;https://github.com/actions/javascript-action&quot;&gt;actions/javascript-action&lt;/a&gt;, putting special focus on solving the problem areas identified above. We use GitHub Actions to automate releasing the action and publishing to GitHub Marketplace, and open source best practices to increase confidence and usage.&lt;/p&gt;

&lt;h3 id=&quot;implementation&quot;&gt;Implementation&lt;/h3&gt;

&lt;h4 id=&quot;automate-release-management&quot;&gt;Automate release management&lt;/h4&gt;

&lt;p&gt;GitHub &lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/about-actions#using-release-management-for-actions&quot;&gt;recommends&lt;/a&gt; creating releases using &lt;a href=&quot;https://docs.npmjs.com/about-semantic-versioning&quot;&gt;semantically versioned&lt;/a&gt; tags – for example, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;v1.1.3&lt;/code&gt; – and keeping major (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;v1&lt;/code&gt;) and minor (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;v1.1&lt;/code&gt;) tags current to the latest appropriate commit. When a release is created, it can be &lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace&quot;&gt;published to GitHub Marketplace&lt;/a&gt; for increased discoverability.&lt;/p&gt;

&lt;div class=&quot;language-text highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;^
|
|
| * commit 9a4eb0d (tag: v1, tag: v1.1, tag: v1.1.0)
|/  Author: Octocat &amp;lt;octocat@github.com&amp;gt;
|
|      New features!
|
|  
| * commit ac2415 (tag: v1.0, tag: v1.0.3)
|/  Author: Octocat &amp;lt;octocat@github.com&amp;gt;
|
|       Initial release
|
*
|
main
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We let GitHub Actions do the automation for us to enable this workflow:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;
    &lt;p&gt;Do feature work in branches per &lt;a href=&quot;https://guides.github.com/introduction/flow/&quot;&gt;GitHub flow&lt;/a&gt;.&lt;/p&gt;
    &lt;ul&gt;
      &lt;li&gt;When a feature branch commit is pushed, GitHub Actions runs a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;test&lt;/code&gt; workflow from which you can call unit and integration tests.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Create pull requests to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;main&lt;/code&gt; branch to initiate discussion and review, merging when ready.&lt;/p&gt;
    &lt;ul&gt;
      &lt;li&gt;
        &lt;p&gt;When a pull request is opened, either from a branch or a fork, GitHub Actions again runs the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;test&lt;/code&gt; workflow, this time with the merge commit. A &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;label&lt;/code&gt; workflow also runs to add appropriate labels to the pull request depending on which file path is being changed.&lt;/p&gt;
      &lt;/li&gt;
      &lt;li&gt;
        &lt;p&gt;&lt;em&gt;Note: for security reasons, workflows triggered by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pull_request&lt;/code&gt; from forks have restricted &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;GITHUB_TOKEN&lt;/code&gt; permissions and do not have access to secrets. If your tests or other workflows triggered upon pull request require access to secrets, consider using a different event like a &lt;a href=&quot;https://docs.github.com/en/actions/reference/events-that-trigger-workflows#manual-events&quot;&gt;manual trigger&lt;/a&gt; or &lt;a href=&quot;https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pull_request_target&lt;/code&gt;&lt;/a&gt;. Because a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pull_request_target&lt;/code&gt; workflow runs in the context of the base repository with access to its secrets, it should not check out and execute code from the pull request’s head. Read more &lt;a href=&quot;https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull-request-events-for-forked-repositories&quot;&gt;here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
      &lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Create a semantically tagged release &lt;a href=&quot;https://docs.github.com/en/github/administering-a-repository/managing-releases-in-a-repository#creating-a-release&quot;&gt;using the GitHub UI&lt;/a&gt;, also &lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace#publishing-an-action&quot;&gt;publishing to GitHub Marketplace&lt;/a&gt; with a simple checkbox.&lt;/p&gt;
    &lt;ul&gt;
      &lt;li&gt;When the release is created, GitHub Actions runs a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;publish&lt;/code&gt; workflow that uses a community action, &lt;a href=&quot;https://github.com/JasonEtco/build-and-tag-action&quot;&gt;JasonEtco/build-and-tag-action&lt;/a&gt;, to compile and bundle the JavaScript and metadata file and force push semantic major, minor, and patch tags as visualized above.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Unlike some other automated release management strategies, we intentionally do not commit dependencies to the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;main&lt;/code&gt; branch, only to the tagged release commits. By doing so, we encourage users of our action to reference named tags or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sha&lt;/code&gt;s, and we help ensure the security of third party pull requests by doing the build ourselves during a release.&lt;/p&gt;

&lt;p&gt;Committing to semantic releases means that the users of your actions can pin their workflows to a version and know that they might continue to receive the latest stable, non-breaking features, depending on their comfort level:&lt;/p&gt;

&lt;div class=&quot;language-text highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;### A workflow consuming your action

# The latest major release version:
uses: github-developer/javascript-action@v1

# Or, the latest minor release version:
uses: github-developer/javascript-action@v1.1

# Or, the latest patch release version:
uses: github-developer/javascript-action@v1.1.0

# Or, a specific commit sha:
uses: github-developer/javascript-action@ff958b3d4b36abb3d3058e1e866695ce6111d213
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h4 id=&quot;open-source-like-the-best&quot;&gt;Open source like the best&lt;/h4&gt;

&lt;p&gt;Working in the open can be hard, but fortunately, GitHub provides tools and &lt;a href=&quot;https://opensource.guide/&quot;&gt;guides&lt;/a&gt; to make it easier. Here are a few structures we recommend setting up for healthy bidirectional communication.&lt;/p&gt;

&lt;p&gt;By providing the following signals to the community, we encourage use, modification, and contribution to our action:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Maintain a great README with plenty of usage examples, guidance, and badges
    &lt;ul&gt;
      &lt;li&gt;How to add a workflow status badge (&lt;a href=&quot;https://docs.github.com/en/actions/managing-workflow-runs/adding-a-workflow-status-badge&quot;&gt;docs&lt;/a&gt;)&lt;/li&gt;
      &lt;li&gt;Other metadata badges (&lt;a href=&quot;https://shields.io/&quot;&gt;shields.io&lt;/a&gt;)&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Set up &lt;a href=&quot;https://docs.github.com/en/github/building-a-strong-community/creating-a-default-community-health-file#supported-file-types&quot;&gt;community health files&lt;/a&gt; like &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CODE_OF_CONDUCT&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CONTRIBUTING&lt;/code&gt;, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SECURITY&lt;/code&gt;, either organization-wide or in your action repository.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;Keep issues current by utilizing actions like &lt;a href=&quot;https://github.com/actions/stale&quot;&gt;stale&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check out more resources for building in the open &lt;a href=&quot;https://github.com/open-source&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;concrete-implementation&quot;&gt;Concrete implementation&lt;/h3&gt;

&lt;p&gt;Template repository: &lt;a href=&quot;https://github.com/github-developer/javascript-action&quot;&gt;https://github.com/github-developer/javascript-action&lt;/a&gt;&lt;/p&gt;

&lt;h3 id=&quot;examples&quot;&gt;Examples&lt;/h3&gt;

&lt;p&gt;Examples where similar patterns are employed include:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/github/super-linter&quot;&gt;https://github.com/github/super-linter&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/octokit/request-action&quot;&gt;https://github.com/octokit/request-action&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id=&quot;related&quot;&gt;Related&lt;/h3&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action&quot;&gt;https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace&quot;&gt;https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://opensource.guide/&quot;&gt;https://opensource.guide/&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/open-source&quot;&gt;https://github.com/open-source&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name></name></author><category term="Integration-Resources" /><category term="Patterns" /><category term="Actions" /><summary type="html">Problem statement</summary></entry><entry><title type="html">Integrating with Code Scanning</title><link href="https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html" rel="alternate" type="text/html" title="Integrating with Code Scanning" /><published>2021-03-09T00:00:00+00:00</published><updated>2021-03-09T00:00:00+00:00</updated><id>https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning</id><content type="html" xml:base="https://partner.github.com/integration-resources/2021/03/09/pattern-integrating-with-code-scanning.html">&lt;h3 id=&quot;problem-statement&quot;&gt;Problem statement&lt;/h3&gt;

&lt;p&gt;Many of GitHub’s Technology Partners offering security products in the form of static analysis tooling wish to surface their tools’ security findings directly in GitHub’s UI, making it easier for developers to adopt their tooling, and adding value to the development workflow by identifying potential vulnerabilities before they reach production. This kind of developer workflow is often associated with DevSecOps and the concept of &lt;em&gt;shifting left&lt;/em&gt;, as security analyses are performed frequently and earlier in the development process.&lt;/p&gt;

&lt;h3 id=&quot;solution&quot;&gt;Solution&lt;/h3&gt;

&lt;p&gt;A paved path exists that is tailored for this type of integration in the form of GitHub code scanning, a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production.&lt;/p&gt;

&lt;p&gt;Technology Partners can integrate their tooling with code scanning by submitting analyses in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Static Analysis Results Interchange Format (SARIF)&lt;/code&gt; (v2.1.0) format to GitHub. This format is specified formally &lt;a href=&quot;https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html&quot;&gt;here&lt;/a&gt;; however, GitHub code scanning supports only a subset of the properties, which are listed &lt;a href=&quot;https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning#supported-sarif-output-file-properties&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The analysis is typically triggered by events originating from GitHub, such as developers pushing code (the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;push&lt;/code&gt; event), opening a pull request (the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pull_request&lt;/code&gt; event), or on some pre-determined automated schedule (e.g. once per week).&lt;/p&gt;

&lt;p&gt;Two implementation approaches are available, via GitHub Actions or via GitHub Apps, each of which is explored further &lt;a href=&quot;#implementation-detail&quot;&gt;below&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Prior to diving in to the implementation detail, it is worth designing how your tool should structure its output using the SARIF format, with consideration for &lt;a href=&quot;https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning#supported-sarif-output-file-properties&quot;&gt;the SARIF properties that are supported by GitHub code scanning&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Commonly, this will be an iterative process:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Generate your SARIF report (potentially by hand, at least initially)&lt;/li&gt;
  &lt;li&gt;Validate your SARIF report, using the online SARIF validator at &lt;a href=&quot;https://sarifweb.azurewebsites.net/Validation&quot;&gt;sarifweb.azurewebsites.net/Validation&lt;/a&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;strong&gt;Important&lt;/strong&gt;: It is recommended to &lt;em&gt;enable&lt;/em&gt; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;GitHub ingestion rules&lt;/code&gt;, for additional code scanning compatibility validation&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Upload your SARIF report to GitHub code scanning for visual verification. Note: Code scanning is available for all public repositories and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see &lt;a href=&quot;https://docs.github.com/en/github/getting-started-with-github/about-github-advanced-security&quot;&gt;About GitHub Advanced Security&lt;/a&gt;.
    &lt;ul&gt;
      &lt;li&gt;Uploading may be done using &lt;a href=&quot;https://docs.github.com/en/rest/reference/code-scanning&quot;&gt;the REST API&lt;/a&gt;, via a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;curl&lt;/code&gt; command. Note that the SARIF report must be gzipped and base64-encoded prior to being uploaded to GitHub.&lt;/li&gt;
      &lt;li&gt;Alternatively, commit the SARIF report directly to a GitHub repo and upload it to code scanning using &lt;a href=&quot;https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml&quot;&gt;the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;github/codeql-action/upload-sarif&lt;/code&gt; action&lt;/a&gt;.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Repeat.&lt;/li&gt;
&lt;/ol&gt;

&lt;h4 id=&quot;example-sarif-report&quot;&gt;Example SARIF report&lt;/h4&gt;

&lt;p&gt;An example SARIF report (generated by &lt;a href=&quot;https://brakemanscanner.org/&quot;&gt;the Brakeman tool&lt;/a&gt; for &lt;a href=&quot;https://github.com/presidentbeef/brakeman/tree/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3.2&quot;&gt;an intentionally vulnerable Ruby on Rails application&lt;/a&gt;), whose structure was designed by following the process outlined above, is &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3&quot;&gt;available&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The following points warrant special mention:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;The output conforms to version &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;2.1.0&lt;/code&gt; of the SARIF spec, as indicated by &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L2-L3&quot;&gt;the top-level &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;version&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;schema&lt;/code&gt; properties&lt;/a&gt;, and confirmed by &lt;a href=&quot;https://sarifweb.azurewebsites.net/Validation&quot;&gt;the online SARIF validator&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;The &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L4&quot;&gt;top-level &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;runs&lt;/code&gt; object&lt;/a&gt; is an array containing a single element, an object representing the &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L8-L10&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tool&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L11-L369&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rules&lt;/code&gt;&lt;/a&gt;, and &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L372-L1318&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;results&lt;/code&gt;&lt;/a&gt; of the run.
    &lt;ul&gt;
      &lt;li&gt;The tool’s &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L10&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;semanticVersion&lt;/code&gt;&lt;/a&gt; is useful to include; it helps ingestion systems know, run over run, whether the tool has been updated.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rules&lt;/code&gt; array represents the set of vulnerabilities that the tool scans for; each rule is represented by an &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L13&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;id&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L14&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;name&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L15-L17&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;fullDescription&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L18&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;helpUri&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L19-L22&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;help&lt;/code&gt; text&lt;/a&gt;, and an additional &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L23-L27&quot;&gt;&lt;em&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;properties&lt;/code&gt;&lt;/em&gt; bag&lt;/a&gt;.
    &lt;ul&gt;
      &lt;li&gt;Each rule’s &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L13&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;id&lt;/code&gt;&lt;/a&gt; uses a prefix that is representative of the tool name, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BRAKE&lt;/code&gt; in this instance, followed by a numeric identifier. This helps with filtering of rules in the GitHub code scanning UI&lt;/li&gt;
      &lt;li&gt;Each rule’s &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L14&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;name&lt;/code&gt;&lt;/a&gt; is a hierarchical property. This makes sense for this particular tool, and others may also adopt this pattern where it makes sense.&lt;/li&gt;
      &lt;li&gt;Each rule’s &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L16&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;fullDescription&lt;/code&gt;&lt;/a&gt; ends with a period, which helps facilitate a consistent user experience when the rule is rendered by GitHub code scanning&lt;/li&gt;
      &lt;li&gt;Each rule’s &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L19-L22&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;help&lt;/code&gt;&lt;/a&gt; references an external article via a URL. Generally it is preferred to include the help text inline, within the SARIF report, but for this implementation this was not straightforward, and will hopefully be addressed in a subsequent iteration.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;results&lt;/code&gt; array captures the results of the analysis, with each violation of a rule captured in a single result entry. For example, rule &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BRAKE0014&lt;/code&gt; is violated five times, as indicated by the results on lines &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L437&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;437&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L458&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;458&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L479&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;479&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L500&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;500&lt;/code&gt;&lt;/a&gt;, and &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L521&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;521&lt;/code&gt;&lt;/a&gt;.
    &lt;ul&gt;
      &lt;li&gt;Each result’s entry references the rule being violated, via the &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L374-L375&quot;&gt;rule’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;id&lt;/code&gt; and position in the rules array&lt;/a&gt;&lt;/li&gt;
      &lt;li&gt;Each result’s entry maps onto a source file via &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L380-L392&quot;&gt;the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;locations&lt;/code&gt; array&lt;/a&gt;; for portability across systems, the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;uri&lt;/code&gt; is expressed as &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L384-L385&quot;&gt;a path relative to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;%SRCROOT%&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ol&gt;
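&lt;p&gt;The conventions listed above, together with the gzip-and-base64 upload step from the process list, as an added Python example that is not part of the original post or of Brakeman: it builds a minimal SARIF 2.1.0 report with a tool-prefixed rule set, lints the report for those conventions locally, and encodes it the way the REST upload expects. The tool name, the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DEMO&lt;/code&gt; rule ids and the findings are constructed sample data, and the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;$schema&lt;/code&gt; URL is assumed to be the published 2.1.0 schema.&lt;/p&gt;

```python
# Added example (not from the page or from Brakeman): build a SARIF 2.1.0 report that follows
# the conventions above, lint it for them, then gzip+base64 it as the REST upload expects.
import base64
import gzip
import json
# Assumption: the published 2.1.0 schema URL; the page does not quote the gist's $schema line.
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"


def make_rule(rule_id, name, description, help_uri):
    """One rule: id, hierarchical name, descriptions, helpUri, help text and a properties bag."""
    if not description.endswith("."):
        description += "."  # fullDescription ends with a period for consistent rendering
    return {
        "id": rule_id, "name": name,
        "shortDescription": {"text": description.rstrip(".")},
        "fullDescription": {"text": description},
        "helpUri": help_uri,
        "help": {"text": "See " + help_uri},  # external link; inline help text is preferred
        "properties": {"tags": ["security"]},
    }


def build_report(tool_name, tool_version, rules, findings):
    """findings: (rule_id, path relative to %SRCROOT%, start line); one result per violation."""
    index_of = {rule["id"]: i for i, rule in enumerate(rules)}
    results = []
    for rule_id, path, line in findings:
        idx = index_of[rule_id]
        results.append({
            "ruleId": rule_id,
            "ruleIndex": idx,  # position in the rules array, alongside the id
            "message": {"text": rules[idx]["shortDescription"]["text"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": path, "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": line},
            }}],
        })
    driver = {"name": tool_name, "semanticVersion": tool_version, "rules": rules}
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}


def check_conventions(report, prefix):
    """Lint the page's conventions locally before handing the file to the online validator."""
    problems = []
    if report.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = report.get("runs", [])
    if len(runs) != 1:
        problems.append("expected a single run")
    for run in runs:
        rules = run["tool"]["driver"].get("rules", [])
        for rule in rules:
            if not rule["id"].startswith(prefix):
                problems.append("rule id without tool prefix: " + rule["id"])
            if not rule["fullDescription"]["text"].endswith("."):
                problems.append("fullDescription missing period: " + rule["id"])
        for res in run.get("results", []):
            idx = res.get("ruleIndex", -1)
            if idx not in range(len(rules)) or rules[idx]["id"] != res["ruleId"]:
                problems.append("ruleIndex/ruleId mismatch: " + res["ruleId"])
            for loc in res["locations"]:
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                if uri.startswith("/") or "://" in uri:
                    problems.append("uri must be relative to %SRCROOT%: " + uri)
    return problems


def encode_for_upload(report):
    """The REST upload takes the SARIF gzipped, then base64-encoded (its 'sarif' field)."""
    raw = json.dumps(report, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_upload(payload):
    return json.loads(gzip.decompress(base64.b64decode(payload)))


def demo_report():
    """Constructed sample data: two rules, one of them violated twice (one result each)."""
    rules = [make_rule("DEMO0001", "Demo/Injection/SQL", "Possible SQL injection",
                       "https://example.invalid/rules/DEMO0001"),
             make_rule("DEMO0002", "Demo/Injection/Command", "Possible command injection.",
                       "https://example.invalid/rules/DEMO0002")]
    findings = [("DEMO0001", "app/models/user.rb", 12),
                ("DEMO0001", "app/controllers/users_controller.rb", 40),
                ("DEMO0002", "lib/tasks/backup.rake", 7)]
    return build_report("demo-scanner", "0.1.0", rules, findings)
```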

&lt;p&gt;The following screenshot shows the GitHub code scanning representation of a violation of rule &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;BRAKE0014&lt;/code&gt;, derived from the corresponding result object on &lt;a href=&quot;https://gist.github.com/githubteacher/e8bfcff2c48f3a5814eb71328040c3e3#file-example-sarif-json-L520-L540&quot;&gt;lines &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;520&lt;/code&gt; through &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;540&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://user-images.githubusercontent.com/27806/110868071-7c291980-828d-11eb-9423-f48c6af9be02.jpeg&quot; alt=&quot;code-scanning-example&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Note that this is a relatively straightforward SARIF report; more sophisticated constructs are possible. To learn more, it is recommended to follow &lt;a href=&quot;https://github.com/microsoft/sarif-tutorials&quot;&gt;the SARIF tutorials&lt;/a&gt; and review &lt;a href=&quot;https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html&quot;&gt;the specification&lt;/a&gt;.&lt;/p&gt;

&lt;h4 id=&quot;implementation-detail&quot;&gt;Implementation detail&lt;/h4&gt;

&lt;p&gt;Once you are satisfied with the structure of the SARIF produced by your tool, there are two primary approaches when integrating it with code scanning:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Via &lt;strong&gt;GitHub Actions&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;Via &lt;strong&gt;GitHub Apps&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The &lt;em&gt;former&lt;/em&gt; is generally applicable where:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;The tooling is installable as a CLI tool that can easily execute on GitHub’s compute (e.g. Brakeman, detekt), -or-&lt;/li&gt;
  &lt;li&gt;The tooling may be easily invoked via public or authenticated API calls. Tokens for authentication may be held in GitHub as &lt;a href=&quot;https://docs.github.com/en/actions/reference/encrypted-secrets&quot;&gt;encrypted secrets&lt;/a&gt;.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The &lt;em&gt;latter&lt;/em&gt; is more suitable for solutions that have unique compute requirements, or that have user-facing elements (such as configuration controls or dashboards), potentially via a dedicated web UI or control panel.&lt;/p&gt;

&lt;p&gt;GitHub Actions and GitHub Apps are both covered in more detail in &lt;a href=&quot;https://docs.google.com/presentation/d/e/2PACX-1vTDcjQIt_TD91ui6_PS9bpazHwzGs1rF7LxS0RUpja8OqwHk6gRN7esLMF7wfnPsGX_iI_xRYRUn9O1/pub?start=false&amp;amp;loop=false&amp;amp;delayms=3000&amp;amp;slide=id.g7b50c989b4_0_0&quot;&gt;the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Platform Integration 101&lt;/code&gt; presentation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Additional resources are also available for both &lt;a href=&quot;https://partner.github.com/resources?filters=Actions&quot;&gt;GitHub Actions&lt;/a&gt; and &lt;a href=&quot;https://partner.github.com/resources?filters=GitHub_Apps&quot;&gt;GitHub Apps&lt;/a&gt;.&lt;/p&gt;

&lt;h4 id=&quot;onboarding-your-integration-into-the-github-code-scanning-ui&quot;&gt;Onboarding your integration into the GitHub code scanning UI&lt;/h4&gt;

&lt;p&gt;When complete, the onboarding of your integration into the GitHub code scanning UI can be initiated by opening a new pull request in &lt;a href=&quot;https://github.com/actions/starter-workflows&quot;&gt;the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;actions/starter-workflows&lt;/code&gt; repo&lt;/a&gt;. Additional instructions are located in the pull request template.&lt;/p&gt;

&lt;h4 id=&quot;publication-to-github-marketplace&quot;&gt;Publication to GitHub Marketplace&lt;/h4&gt;

&lt;p&gt;In addition to onboarding into the code scanning UI, we highly recommend publishing your integration to Marketplace for increased visibility.&lt;/p&gt;

&lt;p&gt;Additional information is available for both &lt;a href=&quot;https://docs.github.com/en/free-pro-team@latest/actions/creating-actions/publishing-actions-in-github-marketplace&quot;&gt;GitHub Actions&lt;/a&gt; and &lt;a href=&quot;https://docs.github.com/en/free-pro-team@latest/developers/apps/installing-github-apps#offering-your-app-in-the-github-marketplace&quot;&gt;GitHub Apps&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;examples&quot;&gt;Examples&lt;/h3&gt;

&lt;p&gt;Existing implementations and examples are available:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Brakeman SARIF implementation: &lt;a href=&quot;https://github.com/presidentbeef/brakeman/pull/1500&quot;&gt;github.com/presidentbeef/brakeman/pull/1500&lt;/a&gt; (Brakeman is an open source static analysis tool, popular in the Ruby on Rails community)&lt;/li&gt;
  &lt;li&gt;Code Scanning &lt;em&gt;playground&lt;/em&gt;: &lt;a href=&quot;https://github.com/swinton/code-scanning-playground&quot;&gt;github.com/swinton/code-scanning-playground&lt;/a&gt; (a &lt;em&gt;forkable&lt;/em&gt; template repo, showing a simple code scanning workflow leveraging ESLint)&lt;/li&gt;
&lt;/ol&gt;

&lt;h3 id=&quot;related&quot;&gt;Related&lt;/h3&gt;

&lt;h4 id=&quot;resources-for-learning-sarif&quot;&gt;Resources for learning SARIF&lt;/h4&gt;

&lt;p&gt;Useful resources for learning SARIF are available:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;SARIF tutorials from Microsoft: &lt;a href=&quot;https://github.com/microsoft/sarif-tutorials&quot;&gt;github.com/microsoft/sarif-tutorials&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SARIF Validator web-based tool: &lt;a href=&quot;https://sarifweb.azurewebsites.net/Validation&quot;&gt;sarifweb.azurewebsites.net/Validation&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;SARIF specification, v2.1.0: &lt;a href=&quot;https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html&quot;&gt;docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h4 id=&quot;further-documentation&quot;&gt;Further documentation&lt;/h4&gt;

&lt;p&gt;Further documentation is available on GitHub.com, including:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;SARIF support for code scanning: &lt;a href=&quot;https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning&quot;&gt;docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Code scanning REST API: &lt;a href=&quot;https://docs.github.com/en/rest/reference/code-scanning&quot;&gt;docs.github.com/rest/reference/code-scanning&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;</content><author><name></name></author><category term="Integration-Resources" /><category term="Patterns" /><category term="Actions" /><category term="Apps" /><category term="DevSecOps" /><category term="CodeScanning" /><summary type="html">Problem statement</summary></entry></feed>