Closed
Description
When clicking on a finding in the Code Scanning Overview dashboard, the URL should point to the finding in GitHub.
The finding URL is available in the webhook message at alert.html_url.
Sample webhook payload from Code Scanning:
{ [-]
  action: created
  alert: { [-]
    created_at: 2022-02-10T16:34:12Z
    dismissed_at: null
    dismissed_by: null
    dismissed_reason: null
    fixed_at: null
    html_url: https://github.com/octodemo/NodeGoat/security/code-scanning/2096
    instances_url: https://api.github.com/repos/octodemo/NodeGoat/code-scanning/alerts/2096/instances
    most_recent_instance: { [+]
    }
Reference:
The other item, I think we'll be adding Security Scanning to that list of Security issues in the near future as well. So might be better to find a way to link to the alert in GitHub, rather than the CVE directly.
Originally posted by @derkkila-splunk in #29 (comment)
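An added example, not code from this project: one way to turn `alert.html_url` from the webhook event into a dashboard link while refusing values that do not look like a GitHub code scanning alert URL, since the field arrives in externally supplied data. The function name, the allowed-host set and the path pattern (inferred from the sample URL above) are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: hosts the dashboard may link to (add a GitHub Enterprise host if used).
ALLOWED_HOSTS = frozenset({"github.com"})

# Path shape inferred from the sample html_url in this issue:
# /<owner>/<repo>/security/code-scanning/<alert number>
ALERT_PATH = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/security/code-scanning/\d+")


def drilldown_url(event, allowed_hosts=ALLOWED_HOSTS):
    """Return a canonical link built from alert.html_url, or None if it is unsafe."""
    if isinstance(event, (str, bytes)):
        try:
            event = json.loads(event)
        except ValueError:
            return None
    alert = event.get("alert") if isinstance(event, dict) else None
    url = alert.get("html_url") if isinstance(alert, dict) else None
    if not isinstance(url, str):
        return None
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a malformed port
    except ValueError:
        return None
    # Only https links to an expected host; this rejects javascript:, http:, etc.
    if parts.scheme != "https" or host not in allowed_hosts:
        return None
    # No credentials, custom ports, query strings or fragments in a drilldown link.
    if parts.username or parts.password or port not in (None, 443):
        return None
    if parts.query or parts.fragment or not ALERT_PATH.fullmatch(parts.path):
        return None
    # Rebuild from the validated pieces rather than echoing the raw string.
    return f"https://{host}{parts.path}"


# Constructed sample using only fields shown in the payload above.
SAMPLE_EVENT = {
    "action": "created",
    "alert": {
        "html_url": "https://github.com/octodemo/NodeGoat/security/code-scanning/2096",
    },
}
```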