Skip to main content

About CodeQL code scanning in your CI system

You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to GitHub.com. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.

Code scanning 可用于 GitHub.com 上的所有公共存储库。 Code scanning 也可用于使用 GitHub Enterprise Cloud 并拥有 GitHub Advanced Security 许可证的组织所拥有的专用存储库。 有关详细信息,请参阅“关于 GitHub Advanced Security”。

About CodeQL code scanning in your CI system

Code scanning 是一项功能,可用于分析 GitHub 仓库中的代码,以查找安全漏洞和编码错误。 分析发现的任何问题都显示在 GitHub 中。 For information, see "About code scanning with CodeQL."

You can run CodeQL code scanning within GitHub using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to GitHub.com.

将 CodeQL CLI 添加到第三方系统,然后调用工具分析代码并将 SARIF 结果上传到 GitHub。 由此产生的 code scanning 警报与 GitHub 内生成的任何警报一起显示。 有关详细信息,请参阅“关于 CI 系统中的 CodeQL 代码扫描”。

如果使用多个配置运行代码扫描,则有时警报会有多个分析源。 如果警报有多个分析源,你可在警报页上查看每个分析源的警报状态。 有关详细信息,请参阅“关于分析源”。

注意:上传 SARIF 数据以显示为 GitHub 中的 code scanning 结果适用于启用了 GitHub Advanced Security 的组织拥有的数据库 和 GitHub.com 上的公共存储库。 有关详细信息,请参阅“管理存储库库的安全和分析设置”。

About the CodeQL CLI

The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com.

Use the CodeQL CLI to analyze:

  • Dynamic languages, for example, JavaScript and Python.
  • Compiled languages, for example, C/C++, C#, Go, and Java.
  • Codebases written in a mixture of languages.

For more information, see "Installing CodeQL CLI in your CI system."

Notes:

  • The CodeQL CLI is free to use on public repositories. The CodeQL CLI is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For information, see "GitHub CodeQL Terms and Conditions" and "CodeQL CLI."
  • CodeQL CLI 当前与非 glibc Linux 发行版不兼容,例如(基于 musl 的)Alpine Linux。