GitHub Code Scanning Integration

This guide shows how to surface surviving mutants as GitHub Code Scanning alerts using Mull’s SARIF reporter.

We use mull-demo as an example.

  • Code Scanning enabled (public repos: on by default; private repos: requires GitHub Advanced Security)
  • Workflow permission: security-events: write
```yaml
name: Mutation Testing
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  security-events: write
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
  mutation-testing:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:26.04
    steps:
      - name: Install prerequisites
        run: apt-get update && apt-get install -y curl ca-certificates git clang-22
      - name: Mark workspace as safe for git
        run: git config --global --add safe.directory '*'
      - uses: actions/checkout@v4
      - name: Install mull from nightly
        run: |
          curl -1sLf 'https://dl.cloudsmith.io/public/mull-project/mull-stable/setup.deb.sh' | bash
          apt-get install -y mull-22
      - name: Build
        run: |
          clang-22 \
            -fpass-plugin=/usr/lib/mull-ir-frontend-22 \
            -g -grecord-command-line \
            range_tests.c -o range_tests
      - name: Run mull
        run: |
          mull-runner-22 \
            --reporters GitHubAnnotations \
            --reporters Sarif \
            --report-name mull-report \
            --report-patch-base $(realpath .) \
            --allow-surviving \
            range_tests
      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: mull-report.sarif
```
  • --reporters Sarif generates mull-report.sarif for Code Scanning; --reporters GitHubAnnotations adds inline annotations to the PR diff.
  • --allow-surviving lets the job continue to the upload step even when mutants survive.
  • --report-patch-base $(realpath .) makes file paths relative so GitHub can map alerts to files. See the SARIF reporter note for why $(realpath .) is needed on GitHub Actions.
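As an added example (not part of the Mull documentation or project), a small pre-upload check that reads a SARIF 2.1.0 file and flags result locations whose paths GitHub cannot map back to repository files, which is exactly what happens when --report-patch-base is missing and the report carries absolute build paths. The SARIF sample, its rule ids and the build path are constructed for illustration.

```python
import json
import posixpath
from collections import Counter
from typing import Dict, List

# Constructed sample in the generic SARIF 2.1.0 layout; not Mull's actual
# output, and the rule ids are placeholders. The second result carries an
# absolute build path, the shape of report you get without --report-patch-base.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "mull"}},
        "results": [
            {"ruleId": "example-mutator-1", "level": "warning",
             "message": {"text": "Survived mutant"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "range_tests.c"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "example-mutator-2", "level": "warning",
             "message": {"text": "Survived mutant"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "/home/runner/work/mull-demo/range_tests.c"},
                 "region": {"startLine": 20}}}]},
        ],
    }],
})


def result_uris(sarif_text: str) -> List[str]:
    """Collect the artifact URI of every result location in the SARIF file."""
    doc = json.loads(sarif_text)
    uris: List[str] = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uris.append(phys.get("artifactLocation", {}).get("uri", ""))
    return uris


def unmappable_uris(sarif_text: str) -> List[str]:
    """URIs GitHub cannot map to repository files: empty, absolute,
    file: URLs, or paths that escape the repository root."""
    return [u for u in result_uris(sarif_text)
            if not u or u.startswith("file:") or posixpath.isabs(u)
            or u.startswith("../")]


def survivors_per_file(sarif_text: str) -> Dict[str, int]:
    """Surviving mutants per mappable file, usable as a job summary."""
    bad = set(unmappable_uris(sarif_text))
    return dict(Counter(u for u in result_uris(sarif_text) if u not in bad))
```

Running unmappable_uris against mull-report.sarif as a step before upload-sarif turns a silently empty Security tab into a failing job with the offending paths listed.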

Surviving mutants appear in the Security tab as code scanning alerts and as inline comments on pull requests. Alerts are automatically closed when the mutant is killed in a later run.