Skip to content

CodeScan Scanner

Use the CodeScan Scanner in your workflows to track bugs, code smells and vulnerabilities in Salesforce languages
Star (6)




Run CodeScan static code analysis jobs from Github workflow. The CodeScan action produces SARIF report file with analysis results.

Input parameters for Action

Parameter name Required / Default value Description
organization required Organization Key
projectKey required Project Key
login required Security authentication key for the user having scan access for the project
codeScanUrl CodeScanCloud endpoint for your project
pollingTimeoutSec 900 Timeout to wait for Post-Analysis report generation is completed (in seconds)
scanChangedFilesOnly true The flag to indicate that PR scans should only analyze added, changed or modified files in the PR.
generateReportFile true The flag to indicate that SARIF file should be generated on client side.
generateSarifFile false The flag to indicate that SARIF file should be generated on server side.
failOnRedQualityGate false The flag to indicate that pipeline will fail in case of quality gate status failed.
args Optional parameters passed to CodeScan analyzer

Example of using Action in Github Workflow

    -   name: Run Analysis
        uses: codescan-io/codescan-scanner-action@master
            login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
            organization: test-org
            projectKey: test-java-project
            args: |

SARIF file output

By default the Action will generate SARIF report file on client side. You can disable this feature via generateReportFile input parameter.

SARIF report file can also generated on server side. This feature can be enabled via generateSarifFile input parameter.

As a next Workflow step you have to upload SARIF file:

    -   name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
            sarif_file: codescan.sarif

When SARIF file is uploaded, you can view, fix, and close alerts for potential vulnerabilities or errors in your project's code. For details read this article: Managing alerts from code scanning

CodeScan Scanner is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.


Use the CodeScan Scanner in your workflows to track bugs, code smells and vulnerabilities in Salesforce languages



CodeScan Scanner is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.