DefectDojo · valentijnscholten · Oct 22, 2025 · Jul 10, 2025 · Jul 10, 2025 · Jul 10, 2025
@@ -0,0 +1,9 @@
+---
+title: "Github SAST Scan"
+toc_hide: true
+---
+Import findings in JSON format from Github Code Scanning REST API:
+<https://docs.github.com/en/rest/code-scanning/code-scanning>
+
+### Sample Scan Data
+Sample Github SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_sast).
@@ -1,5 +1,5 @@
 ---
-title: "Github Vulnerability"
+title: "Github Vulnerability Scan"
 toc_hide: true
 ---
 Import findings from Github vulnerability scan (GraphQL Query):
@@ -15,6 +15,8 @@ vulnerabilityAlerts (RepositoryVulnerabilityAlert object)
     + createdAt (optional)
     + vulnerableManifestPath
     + state (optional)
+    + dependabotUpdate (DependabotUpdate object) (optional)
+        + pullRequest (PullRequest object) (optional)
     + securityVulnerability (SecurityVulnerability object)
         + severity (CRITICAL/HIGH/LOW/MODERATE)
         + package (optional)
@@ -27,10 +29,17 @@ vulnerabilityAlerts (RepositoryVulnerabilityAlert object)
                     + value
                 + references (optional)
                     + url (optional)
-                + cvss (optional)
+                + cvss (optional - deprecated, use cvssSeverities instead)
                     + score (optional)
                     + vectorString (optional)
+                + cvssSeverities (optional)
+                    + cvssV3 (CVSS object) (optional)
+                        + score (optional)
+                        + vectorString (optional)
                 + cwes (optional)
+                + epss (EPSS object) (optional)
+                    + percentage (optional)
+                    + percentile (optional)
 ```
 
 References:

@@ -36,6 +36,13 @@ The following Helm chart values have been modified in this release:
 - **Enhanced probe configuration for Celery**: Added support for customizing liveness, readiness, and startup probes in both Celery beat and worker deployments.
 - **Enhanced environment variable management**: All deployments now include `extraEnv` support for adding custom environment variables. For backwards compatibility, `.Values.extraEnv` can be used to inject common environment variables to all workloads.
 
+## GitHub Scan Type and Parser Updates
+The Github Vulnerability scan type and parser has been split into two disctinct scan types:
+- [Github Vulnerability](https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/github_vulnerability.md) (original)
+- [Github SAST](https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/github_sast.md)
+
+The original Github Vulnerability scan type will continue to accept SCA vulnerabilities uploaded in GitHub's GraphQL format, as it has always done. It will also continue to accept SAST uploads, however we recommend upgrading to the new Github SAST scan type for uploading these types of vulnerabilities going forward. This new scan type will accept the raw JSON response from [GitHub's REST API for code scanning alerts](https://docs.github.com/en/rest/code-scanning/code-scanning). Sample Github SAST scan data can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_sast).
+
 ### Other changes
 
 - **Celery pod annotations**: Now we can add annotations to Celery beat/worker pods separately.

@@ -1306,6 +1306,7 @@ def saml2_attrib_map_format(din):
     "JFrog Xray On Demand Binary Scan": ["title", "component_name", "component_version"],
     "Scout Suite Scan": ["file_path", "vuln_id_from_tool"],  # for now we use file_path as there is no attribute for "service"
     "Meterian Scan": ["cwe", "component_name", "component_version", "description", "severity"],
+    "Github SAST Scan": ["vuln_id_from_tool", "severity", "file_path", "line"],
     "Github Vulnerability Scan": ["title", "severity", "component_name", "vulnerability_ids", "file_path"],
     "Solar Appscreener Scan": ["title", "file_path", "line", "severity"],
     "pip-audit Scan": ["vuln_id_from_tool", "component_name", "component_version"],
@@ -1550,6 +1551,7 @@ def saml2_attrib_map_format(din):
     "Scout Suite Scan": DEDUPE_ALGO_HASH_CODE,
     "AWS Security Hub Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     "Meterian Scan": DEDUPE_ALGO_HASH_CODE,
+    "Github SAST Scan": DEDUPE_ALGO_HASH_CODE,
     "Github Vulnerability Scan": DEDUPE_ALGO_HASH_CODE,
     "Cloudsploit Scan": DEDUPE_ALGO_HASH_CODE,
     "SARIF": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,

@@ -0,0 +1,84 @@
+import json
+from urllib.parse import urlparse
+
+from dojo.models import Finding
+
+
+class GithubSASTParser:
+    def get_scan_types(self):
+        return ["Github SAST Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type
+
+    def get_description_for_scan_types(self, scan_type):
+        return "GitHub SAST report file can be imported in JSON format."
+
+    def get_findings(self, filename, test):
+        data = json.load(filename)
+        if not isinstance(data, list):
+            error_msg = "Invalid SAST report format, expected a JSON list of alerts."
+            raise TypeError(error_msg)
+
+        findings = []
+        for vuln in data:
+            rule = vuln.get("rule", {})
+            inst = vuln.get("most_recent_instance", {})
+            loc = inst.get("location", {})
+            html_url = vuln.get("html_url")
+            rule_id = rule.get("id")
+            title = f"{rule.get('description')} ({rule_id})"
+            severity = rule.get("security_severity_level", "Info").title()
+            active = vuln.get("state") == "open"
+
+            # Build description with context
+            desc_lines = []
+            if html_url:
+                desc_lines.append(f"GitHub Alert: [{html_url}]({html_url})")
+            owner = repo = None
+            commit_sha = inst.get("commit_sha")
+            if html_url:
+                parsed = urlparse(html_url)
+                parts = parsed.path.strip("/").split("/")
+                # URL is /<owner>/<repo>/security/... so parts[0]=owner, parts[1]=repo
+                if len(parts) >= 2:
+                    owner, repo = parts[0], parts[1]
+            if owner and repo and commit_sha and loc.get("path") and loc.get("start_line"):
+                file_link = (
+                    f"{parsed.scheme}://{parsed.netloc}/"
+                    f"{owner}/{repo}/blob/{commit_sha}/"
+                    f"{loc['path']}#L{loc['start_line']}"
+                )
+                desc_lines.append(f"Location: [{loc['path']}:{loc['start_line']}]({file_link})")
+            elif loc.get("path") and loc.get("start_line"):
+                # fallback if something is missing
+                desc_lines.append(f"Location: {loc['path']}:{loc['start_line']}")
+            msg = inst.get("message", {}).get("text")
+            if msg:
+                desc_lines.append(f"Message: {msg}")
+            if severity:
+                desc_lines.append(f"Rule Severity: {severity}")
+            if rule.get("full_description"):
+                desc_lines.append(f"Description: {rule.get('full_description')}")
+            description = "\n".join(desc_lines)
+
+            finding = Finding(
+                title=title,
+                test=test,
+                description=description,
+                severity=severity,
+                active=active,
+                static_finding=True,
+                dynamic_finding=False,
+                vuln_id_from_tool=rule_id,
+            )
+
+            # File path & line
+            finding.file_path = loc.get("path")
+            finding.line = loc.get("start_line")
+
+            if html_url:
+                finding.url = html_url
+
+            findings.append(finding)
+        return findings