Skip to main content

此版本的 GitHub Enterprise 已停止服务 2022-06-03. 即使针对重大安全问题,也不会发布补丁。 要获得更好的性能、改进的安全性和新功能,请升级到 GitHub Enterprise 的最新版本。 如需升级方面的帮助,请联系 GitHub Enterprise 支持

Installing CodeQL CLI in your CI system

You can install the CodeQL CLI and use it to perform CodeQL 代� �扫描 in a third-party continuous integration system.

代� �扫描 适用于启用了 GitHub Advanced Security 的组织拥有的仓库。 更多信息请参阅“关于 GitHub Advanced Security”。

Note: Your site administrator must enable 代� �扫描 for 您的 GitHub Enterprise Server 实例 before you can use this feature. For more information, see "Configuring 代� �扫描 for your appliance."

About using the CodeQL CLI for 代� �扫描

You can use the CodeQL CLI to run 代� �扫描 on code that you're processing in a third-party continuous integration (CI) system. 代� �扫描 是一项功能,可用于分析 GitHub 仓库中的代� �,以查找安全漏洞和编� �错误。 分析发现的任何问题都显示在 GitHub Enterprise Server 中。 For information, see "About 代� �扫描 with CodeQL." For recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis, see "Recommended hardware resources for running CodeQL."

CodeQL CLI 是一个可用来分析代� �的独立产品。 其主要用途是生成代� �空间的数据库表示形式,即 CodeQL 数据库。 数据库准备就绪后,您可以进行交互式查询,或者运行一系列查询以生成一组 SARIF � �式的结果,然后将结果上� 到 您的 GitHub Enterprise Server 实例。

Alternatively, you can use GitHub Actions to run 代� �扫描 within GitHub Enterprise Server. For information about 代� �扫描 using actions, see "Setting up 代� �扫描 for a repository." For an overview of the options for CI systems, see "About CodeQL 代� �扫描 in your CI system".

注意: CodeQL CLI 可用于拥有 Advanced Security 许可证的客户。

Downloading the CodeQL CLI

You should download the CodeQL bundle from https://github.com/github/codeql-action/releases. The bundle contains:

  • CodeQL CLI product
  • A compatible version of the queries and libraries from https://github.com/github/codeql
  • Precompiled versions of all the queries included in the bundle
For GitHub Enterprise Server 3.1, we recommend CodeQL CLI version 2.6.3.

You should always use the CodeQL bundle as this ensures compatibility and also gives much better performance than a separate download of the CodeQL CLI and checkout of the CodeQL queries. If you will only be running the CLI on one specific platform, download the appropriate codeql-bundle-PLATFORM.tar.gz file. Alternatively, you can download codeql-bundle.tar.gz, which contains the CLI for all supported platforms.

Setting up the CodeQL CLI in your CI system

You need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL 代� �扫描 analysis on. For example, you might configure each server to copy the bundle from a central, internal location and extract it. Alternatively, you could use the REST API to get the bundle directly from GitHub, ensuring that you benefit from the latest improvements to queries. Updates to the CodeQL CLI are released every 2-3 weeks. For example:

$ wget https://HOSTNAME/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.gz
$ tar -xvzf ./codeql-bundle-linux64.tar.gz

After you extract the CodeQL CLI bundle, you can run the codeql executable on the server:

  • By executing /<extraction-root>/codeql/codeql, where <extraction-root> is the folder where you extracted the CodeQL CLI bundle.
  • By adding /<extraction-root>/codeql to your PATH, so that you can run the executable as just codeql.

Testing the CodeQL CLI set up

After you extract the CodeQL CLI bundle, you can run the following command to verify that the CLI is correctly set up to create and analyze databases.

  • codeql resolve qlpacks if /<extraction-root>/codeql is on the PATH.
  • /<extraction-root>/codeql/codeql resolve qlpacks otherwise.

Extract from successful output:

codeql/cpp-all (/<extraction-root>/qlpacks/codeql/cpp-all/<version>)
codeql/cpp-examples (/<extraction-root>/qlpacks/codeql/cpp-examples/<version>)
codeql/cpp-queries (/<extraction-root>/qlpacks/codeql/cpp-queries/<version>)
codeql/csharp-all (/<extraction-root>/qlpacks/codeql/charp-all/<version>)
codeql/csharp-examples (/<extraction-root>/qlpacks/codeql/charp-examples/<version>)
codeql/csharp-queries (/<extraction-root>/qlpacks/codeql/charp-queries/<version>)
codeql/java-all (/<extraction-root>/qlpacks/codeql/java-all/<version>)
codeql/java-examples (/<extraction-root>/qlpacks/codeql/java-examples/<version>)
codeql/java-queries (/<extraction-root>/qlpacks/codeql/java-queries/<version>)
codeql/javascript-all (/<extraction-root>/qlpacks/codeql/javascript-all/<version>)
codeql/javascript-examples (/<extraction-root>/qlpacks/codeql/javascript-examples/<version>)
codeql/javascript-queries (/<extraction-root>/qlpacks/codeql/javascript-queries/<version>)
codeql/python-all (/<extraction-root>/qlpacks/codeql/python-all/<version>)
codeql/python-examples (/<extraction-root>/qlpacks/codeql/python-examples/<version>)
codeql/python-queries (/<extraction-root>/qlpacks/codeql/python-queries/<version>)
codeql/ruby-all (/<extraction-root>/qlpacks/codeql/ruby-all/<version>)
codeql/ruby-examples (/<extraction-root>/qlpacks/codeql/ruby-examples/<version>)
codeql/ruby-queries (/<extraction-root>/qlpacks/codeql/ruby-queries/<version>)
...

You should check that the output contains the expected languages and also that the directory location for the qlpack files is correct. The location should be within the extracted CodeQL CLI bundle, shown above as <extraction root>, unless you are using a checkout of github/codeql. If the CodeQL CLI is unable to locate the qlpacks for the expected languages, check that you downloaded the CodeQL bundle and not a standalone copy of the CodeQL CLI.

Generating a token for authentication with GitHub Enterprise Server

Each CI server needs a GitHub 应用程序 or personal access token for the CodeQL CLI to use to upload results to GitHub Enterprise Server. You must use an access token or a GitHub 应用程序 with the security_events write permission. If CI servers already use a token with this scope to checkout repositories from GitHub Enterprise Server, you could potentially allow the CodeQL CLI to use the same token. Otherwise, you should create a new token with the security_events write permission and add this to the CI system's secret store. For information, see "Building GitHub 应用程序" and "Creating a personal access token."

Next steps

You're now ready to configure the CI system to run CodeQL analysis, generate results, and upload them to GitHub Enterprise Server where the results will be matched to a branch or pull request and displayed as 代� �扫描 alerts. For detailed information, see "Configuring CodeQL CLI in your CI system."