From February 2021, in order to provide feedback on pull requests, Code Scanning workflows must be configured with both push and pull_request triggers. This is because Code Scanning compares the results from a pull request against the results for the base branch to tell you only what has changed between the two.
Early in the beta period we supported displaying results on pull requests for workflows with only push triggers, but have discontinued support as this proved to be less robust.
From February 2021, in order to provide feedback on pull requests, Code Scanning workflows must be configured with both
push
andpull_request
triggers. This is because Code Scanning compares the results from a pull request against the results for the base branch to tell you only what has changed between the two.Early in the beta period we supported displaying results on pull requests for workflows with only
push
triggers, but have discontinued support as this proved to be less robust.See https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#scanning-pull-requests for more information on how best to configure your Code Scanning workflows.