// Retrieves and groups GitHub code scanning alerts by rule and severity using the gh CLI - Brought to you by microsoft/hve-core
Text-to-speech voice-over generation from YAML speaker notes using Azure Speech SDK with SSML pronunciation control - Brought to you by microsoft/hve-core
PowerPoint slide deck generation and management using python-pptx with YAML-driven content and styling - Brought to you by microsoft/hve-core
OWASP Docker Top 6 vulnerability knowledge base for identifying, assessing, and remediating security risks in containerized Docker environments - Brought to you by microsoft/hve-core.
Generate customer-card PowerPoint content YAML from Design Thinking canonical artifacts and build using the shared PowerPoint skill pipeline - Brought to you by microsoft/hve-core
Decision-driven installer for HVE-Core with 6 clone-based installation methods, extension quick-install, environment detection, and agent customization workflows - Brought to you by microsoft/hve-core
Generates PR reference XML containing commit history and unified diffs between branches with extension and path filtering. Includes utilities to list changed files by type and read diff chunks. Use when creating pull request descriptions, preparing code reviews, analyzing branch changes, discovering work items from diffs, or generating structured diff summaries. - Brought to you by microsoft/hve-core
| name | gh-code-scanning |
| description | Retrieves and groups GitHub code scanning alerts by rule and severity using the gh CLI - Brought to you by microsoft/hve-core |
| license | MIT |
| compatibility | Requires pwsh 7+ and gh CLI authenticated with the security_events scope. Bash script requires jq. |
| metadata | {"authors":"microsoft/hve-core","spec_version":"1.0","last_updated":"2026-04-21"} |
GitHub code scanning alerts are produced by static analysis tools such as CodeQL and Scorecard and surfaced in the GitHub Security tab. The GitHub Security tab is not accessible through the default MCP toolset, so this skill provides scripts for all read operations.
| Requirement | Details |
|---|---|
pwsh | PowerShell 7+; install from https://learn.microsoft.com/powershell |
gh CLI | Installed and on PATH; install from https://cli.github.com |
| Auth | Run gh auth login or set GH_TOKEN; requires security_events scope |
| Scope | security_events for private repos; public_repo for public-only |
The repo scope also satisfies security_events. The gh CLI handles authentication automatically; no explicit token passing is needed in commands.
Get-CodeScanningAlerts.ps1 validates both prerequisites at startup and aborts with a targeted error message if either check fails.
Run this command to get a grouped summary of open code scanning alerts, sorted by frequency. This is the recommended first command when triaging a repository's code scanning posture.
pwsh scripts/Get-CodeScanningAlerts.ps1 -Owner "{owner}" -Repo "{repo}" -OutputFormat Json
This returns a JSON array of alert groups sorted by occurrence count, descending. Always use -OutputFormat Json when consuming results programmatically.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
-Owner | String | Yes | GitHub organization or user that owns the repository | |
-Repo | String | Yes | Repository name | |
-OutputFormat | String | No | Table | Output format: agents must always use Json for programmatic consumption; GroupedJson is accepted as an alias for Json |
-Branch | String | No | main | Branch to scope alert results |
These parameters apply to
Get-CodeScanningAlerts.ps1. For bash script flags including-s {severity}, see the Script Reference section below.
Groups and sorts open code scanning alerts by occurrence count, descending.
# JSON output for programmatic consumption
pwsh scripts/Get-CodeScanningAlerts.ps1 -Owner "{owner}" -Repo "{repo}" -OutputFormat Json
# Scope to a specific branch
pwsh scripts/Get-CodeScanningAlerts.ps1 -Owner "{owner}" -Repo "{repo}" -Branch "{branch}" -OutputFormat Json
Groups and sorts open code scanning alerts by occurrence count, descending. Requires jq.
# JSON output for programmatic consumption
bash scripts/get-code-scanning-alerts.sh -o "{owner}" -r "{repo}"
# Scope to a specific branch
bash scripts/get-code-scanning-alerts.sh -o "{owner}" -r "{repo}" -b "{branch}"
# Filter by severity
bash scripts/get-code-scanning-alerts.sh -o "{owner}" -r "{repo}" -s critical
Use this skill when the task involves reading code scanning alerts only. Get-CodeScanningAlerts.ps1 is the only supported method for listing and grouping code scanning alerts. gh api must not be used as a fallback for listing or grouping.
When the GitHub MCP server is configured with the code_security toolset, read-only access to code scanning alerts is available without gh api. Enable via toolsets: all or explicit toolset configuration.
Always run with -OutputFormat Json. Parse the JSON output and present it to the user.
pwsh scripts/Get-CodeScanningAlerts.ps1 -Owner "{owner}" -Repo "{repo}" -OutputFormat Json
Use -Branch {branch} to scope to a branch other than main.
-OutputFormat Json returns an array of group objects:
[
{
"RuleDescription": "Empty except",
"RuleId": "py/empty-except",
"Tool": "CodeQL",
"SecuritySeverity": null,
"Severity": "warning",
"Count": 23,
"AffectedPaths": [
"scripts/collections/Get-CollectionItems.py",
"scripts/linting/Validate-MarkdownFrontmatter.py"
],
"HasFilePaths": true,
"AlertUrl": "https://github.com/microsoft/hve-core/security/code-scanning/42",
"FindingDescription": "'except' clause does nothing but pass and there is no explanatory comment."
},
{
"RuleDescription": "Code injection",
"RuleId": "actions/code-injection/medium",
"Tool": "CodeQL",
"SecuritySeverity": "medium",
"Severity": "error",
"Count": 2,
"AffectedPaths": [
".github/workflows/validate.yml"
],
"HasFilePaths": true,
"AlertUrl": "https://github.com/microsoft/hve-core/security/code-scanning/17",
"FindingDescription": "Potential code injection in ${{ inputs.version }}, which may be controlled by an external user."
},
{
"RuleDescription": "Branch-Protection",
"RuleId": "BranchProtectionID",
"Tool": "Scorecard",
"SecuritySeverity": "high",
"Severity": "error",
"Count": 1,
"AffectedPaths": [],
"HasFilePaths": false,
"AlertUrl": "https://github.com/microsoft/hve-core/security/code-scanning/1",
"FindingDescription": "score is 9: branch protection is not maximal on development and all release branches"
}
]
SecuritySeverity is null for code quality rules that have no security classification; Severity (the non-security rule severity: error, warning, note, none) provides a fallback. AffectedPaths is always a JSON array of unique, sorted file paths with sentinel strings filtered out. HasFilePaths is false and AffectedPaths is [] when an alert has no associated source file (for example, BranchProtectionID). AlertUrl links directly to the alert in the GitHub Security tab. FindingDescription is the most recent alert message text.
This call returns one record; it is not a listing or grouping operation and does not conflict with the gh api restriction above.
gh api repos/{owner}/{repo}/code-scanning/alerts/{alert_number}
Use -OutputFormat Json and read the AffectedPaths field from each rule group. The JSON output includes RuleDescription, RuleId, Tool, SecuritySeverity, Severity, Count, AffectedPaths (unique, sorted file paths), HasFilePaths (boolean: false for repo-level rules that have no associated source file), AlertUrl (string: direct link to the alert in the GitHub Security tab), and FindingDescription (string: most recent alert message text from the analysis tool) per group.
These are GitHub API response field paths, not output object properties. The grouped output object field names are listed in the JSON output shape section above.
rule.security_severity_level: security severity tier: critical, high, medium, or low; null for code quality rulesrule.severity: non-security rule severity: error, warning, note, or none; always populatedrule.id: rule identifier used for deduplication and cross-referencingtool.name: analysis tool that produced the alert (for example, CodeQL)most_recent_instance.location.path: source file path of the most recent alert occurrenceThese calls retrieve analysis metadata, not alert listings, and do not conflict with the gh api restriction above.
Returns the last 10 CodeQL runs on the main branch.
gh api repos/{owner}/{repo}/code-scanning/analyses \
-f tool_name=CodeQL \
-f ref=refs/heads/main \
-f per_page=10
created_at: timestamp of the analysis runresults_count: number of alerts producedrules_count: number of rules evaluatedtool.version: version of the analysis toolwarning / error: any issues reported during analysisSearch for an existing issue using the title and an embedded automation marker before creating a new one.
existing=$(gh issue list --repo "{owner}/{repo}" \
--search "\"[Security] {rule_description}\" in:title" \
--state open --json number --jq '.[0].number // empty')
if [[ -z "$existing" ]]; then
gh issue create --repo "{owner}/{repo}" \
--title "[Security] {rule_description}" \
--label "security" \
--body "<!-- automation:security-scan:{rule_id} -->
## Code Scanning Alert: {rule_description}
**Rule:** \`{rule_id}\`
$([ -n "{severity}" ] && echo "**Severity:** {severity}")
**Tool:** {tool}
**Affected files:** {count} occurrences
### Affected paths
{affected_paths}
"
fi
The automation marker <!-- automation:security-scan:{rule_id} --> is embedded in the issue body and serves as the deduplication anchor. Replace all {placeholders} with actual values from the alert-grouping JSON output.
| Symptom | Likely cause | Fix |
|---|---|---|
gh CLI not found. Install it from https://cli.github.com | gh CLI not on PATH | Install from https://cli.github.com, then re-open your terminal |
gh CLI is not authenticated. Run 'gh auth login' | gh auth not completed | Run gh auth login; ensure security_events scope is granted |
HTTP 403 Resource not accessible by integration | Missing security_events scope on token | Re-authenticate: gh auth refresh -s security_events or set GH_TOKEN with appropriate scope |
Empty results [] | Wrong ref format or no alerts on that branch | Omit -f ref= to search all branches, or use refs/heads/main format (not just main) |
bash: jq: command not found | jq not installed | Install via brew install jq (macOS), apt-get install jq (Debian/Ubuntu), or from https://jqlang.github.io/jq/ |
Brought to you by microsoft/hve-core
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.