Been looking into low-effort and high-impact options for code scanning on GitHub.

The two that I’ve found that work well, regardless of the language of the repository, are Codacy and DevSkim, both of which can output SARIF.

https://github.com/daveio/shared/tree/main/.github/workflows
