GitHub Code Scanning (SARIF) for docker-compose.yml

Surface docker-compose.yml misconfigurations in GitHub’s Security → Code scanning UI by uploading a SARIF report from the workflow.

Minimal workflow

name: Compose scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  configsentry:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: alfredMorgenstern/configsentry@v0.0.28
        with:
          target: .
          sarif: true
          upload-sarif: true
          fail-on-findings: false
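
The upload step only succeeds if the SARIF file has the structure GitHub code scanning expects. The following is an added pre-upload sanity check, not code from configsentry or this page; the function `sarif_problems`, the `SAMPLE` document and the rule id `privileged-container` are constructed here for illustration.

```python
"""Pre-upload sanity check for a SARIF 2.1.0 file destined for GitHub code scanning."""


def sarif_problems(doc):
    """Return a list of structural problems; an empty list means the file looks uploadable."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list):
        return problems + ["runs must be a list"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name is missing")
        # Rule ids the tool declares; each result should reference one of them.
        declared = {r.get("id") for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            where = f"runs[{i}].results[{j}]"
            rule_id = res.get("ruleId")
            if not rule_id:
                problems.append(f"{where}.ruleId is missing")
            elif declared and rule_id not in declared:
                problems.append(f"{where}.ruleId {rule_id!r} is not declared in driver.rules")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}.message.text is missing")
            for k, loc in enumerate(res.get("locations", [])):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if not uri:
                    problems.append(f"{where}.locations[{k}] has no artifactLocation.uri")
                elif uri.startswith(("/", "file:")):
                    # Heuristic: absolute paths are not mapped onto repository files in the UI.
                    problems.append(f"{where}.locations[{k}].uri is not repository-relative: {uri!r}")
    return problems


# Constructed sample in the shape a Compose scanner might emit (not configsentry's real output).
SAMPLE = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "compose-scan", "rules": [{"id": "privileged-container"}]}},
        "results": [{
            "ruleId": "privileged-container",
            "message": {"text": "service 'web' runs with privileged: true"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 12}}}],
        }],
    }],
}
```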

More docs: action-usage.md

Common pitfalls