Skip to main content

About CodeQL code scanning in your CI system

You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to GitHub.com. The resulting 代码扫描 alerts are shown alongside any alerts generated within GitHub.

代码扫描 is available for all public repositories on GitHub.com. 代码扫描 is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. 更多信息请参阅“GitHub 的产品”。

About CodeQL 代码扫描 in your CI system

代码扫描 是一项功能,可用于分析 GitHub 仓库中的代码,以查找安全漏洞和编码错误。 分析发现的任何问题都显示在 GitHub 中。 For information, see "About 代码扫描 with CodeQL."

You can run CodeQL 代码扫描 within GitHub using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to GitHub.com.

将 CodeQL CLI 添加到第三方系统,然后调用工具分析代码并将 SARIF 结果上传到 GitHub。 由此产生的 代码扫描 警报与 GitHub 内生成的任何警报一起显示。 更多信息请参阅“关于 CI 系统中的 CodeQL 代码扫描”。

如果使用多个配置运行代码扫描,则有时警报将具有多个分析源。 如果一个警报有多个分析源,您可以在警报页面上查看每个分析源的警报状态。 更多信息请参阅“关于分析源”。

Note: Uploading SARIF data to display as 代码扫描 results in GitHub is supported for organization-owned repositories with GitHub Advanced Security enabled, and public repositories on GitHub.com. For more information, see "Managing security and analysis settings for your repository."

About the CodeQL CLI

CodeQL CLI 是一个可用来分析代码的独立产品。 其主要用途是生成代码空间的数据库表示形式,即 CodeQL 数据库。 数据库准备就绪后,您可以进行交互式查询,或者运行一系列查询以生成一组 SARIF 格式的结果,然后将结果上传到 GitHub.com。

Use the CodeQL CLI to analyze:

  • Dynamic languages, for example, JavaScript and Python.
  • Compiled languages, for example, C/C++, C# and Java.
  • Codebases written in a mixture of languages.

For more information, see "Installing CodeQL CLI in your CI system."

注意: CodeQL CLI 可在公共存储库上免费使用。 CodeQL CLI 也可用于使用 GitHub Enterprise Cloud 并有 GitHub Advanced Security 许可证的组织拥有的私有存储库。 有关信息请参阅“GitHub CodeQL 条款和条件”和“CodeQL CLI”。