About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available if you have a license for GitHub Advanced Security.

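Note: Code scanning is in beta for GitHub Enterprise Server 2.22. For the generally available release of code scanning, upgrade to the latest release of GitHub Enterprise Server.

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."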

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Server.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "Code scanning."

To get started with code scanning, see "Setting up code scanning for a repository."

About CodeQL

You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.

QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.

Code scanning with CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code that's written in the supported languages.

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

You can view and contribute to the queries for code scanning in the github/codeql repository. For more information, see CodeQL queries in the CodeQL documentation.

About third-party code scanning tools

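You can upload SARIF files from third-party static analysis tools to GitHub and see code scanning alerts from those tools in your repository.

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

To get started, see "Uploading a SARIF file to GitHub."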
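
As an added illustration of the SARIF interchange described above (not code from GitHub's documentation), the following Python example converts findings from a hypothetical third-party linter into a minimal SARIF 2.1.0 log and checks its structure before upload. The tool name, rule IDs, severity mapping and sample findings are constructed for the example.

```python
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# Assumed mapping from the tool's severities to SARIF result levels.
LEVELS = {"high": "error", "medium": "warning", "low": "note"}

# Constructed findings from a hypothetical third-party linter.
FINDINGS = [
    {"rule": "EX001", "title": "Hard-coded credential", "severity": "high",
     "file": "src/app/config.py", "line": 12, "message": "Password literal in source."},
    {"rule": "EX002", "title": "Use of eval", "severity": "medium",
     "file": "src/app/util.py", "line": 40, "message": "eval() called on request data."},
    {"rule": "EX001", "title": "Hard-coded credential", "severity": "low",
     "file": "src\\app\\legacy.py", "line": 0, "message": "Token literal in source."},
]

def to_sarif(findings, tool_name="example-linter"):
    """Convert tool findings into a minimal SARIF 2.1.0 log with one run."""
    rules, results = {}, []
    for f in findings:
        # Each distinct rule is described once under tool.driver.rules.
        rules.setdefault(f["rule"], {"id": f["rule"],
                                     "shortDescription": {"text": f["title"]}})
        results.append({
            "ruleId": f["rule"],
            "level": LEVELS.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # Relative URI with forward slashes; SARIF lines are 1-based.
                "artifactLocation": {"uri": f["file"].replace("\\", "/").lstrip("/")},
                "region": {"startLine": max(1, int(f["line"]))}}}],
        })
    driver = {"name": tool_name, "rules": list(rules.values())}
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}

def check_sarif(log):
    """Return structural problems that would leave a result unattributable."""
    problems = []
    if log.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in log.get("runs", []):
        known = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            if res.get("ruleId") not in known:
                problems.append(f"result {i}: ruleId not declared by the tool")
            if not res.get("locations"):
                problems.append(f"result {i}: no location")
    return problems

if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

Running `check_sarif` on the generated log before uploading catches results that reference an undeclared rule or carry no file location, which would otherwise be hard to triage as alerts.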
