Uploading a SARIF file to GitHub
You can upload SARIF files generated outside GitHub and see code scanning alerts from third- party tools in your repository Uploading a code scanning analysis with GitHub Actions To use GitHub Actions to upload a third-party SARIF file to a repository, you'll need a workflow.
Your workflow will need to use the upload-sarif action, which is part of the github/codeql-action repository. It has input parameters that you can use to configure the upload. The main input parameters you'll use are:
sarif_file, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository.
category (optional), which assigns a category for results in the SARIF file. This enables you to analyze the same commit in multiple ways and review the results using the code scanning views in GitHub. For example, you can analyze using multiple tools, and in mono-repos, you can analyze different slices of the repository based on the subset of changed files.

Set code scanning merge protection
You can use rulesets to set code scanning merge protection for pull requests.
You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
A required tool found a code scanning alert of a severity that is defined in a ruleset.
A required code scanning tool's analysis is still in progress.
A required code scanning tool is not configured for the repository.
Note:
Creating a merge protection ruleset for a repository
1. On GitHub, navigate to the main page of the repository.
2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
3. In the left sidebar, under "Code and automation," click Rules, then click Rulesets.
4. Click New ruleset.
5. To create a ruleset targeting branches, click New branch ruleset.
6. Under "Ruleset name," type a name for the ruleset.
7. Optionally, to change the default enforcement status, click Disabled and select an enforcement status.
8. Under "Branch protections", select Require code scanning results.
9. Under "Required tools and alert thresholds", click Add tool and select a code scanning tool with the dropdown. For example, "CodeQL".
10. Next to the name of a code scanning tool:
Click Alerts and select one of: None, Errors, Errors and Warnings or All.
Click Security alerts and select one of: None, Critical, High or higher, Medium or higher, or All.

About access management for repositories
For each repository that you administer on GitHub, you can see an overview of every team or person with access to the repository. From the overview, you can also invite new teams or people, change each team or person's role for the repository, or remove access to the repository.
This overview can help you audit access to your repository, onboard or off-board contractors or employees, and effectively respond to security incidents.
Inviting a team or person
1. On GitHub, navigate to the main page of the repository.
2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

3. In the "Access" section of the sidebar, click Collaborators & teams.
4.To the right of "Manage access", click Add people or Add teams.
5. In the search field, start typing the name of the team or person to invite, then click a name in the list of matches.
6. Under "Choose a role", select the repository role to grant to the team or person, then click Add NAME to REPOSITORY.

Performing validity checks
Validity checks help you prioritize alerts by telling you which secrets are active or inactive.