Skip to main content
我们经常发布文档更新,此页面的翻译可能仍在进行中。有关最新信息,请访问英文文档。如果此页面上的翻译有问题,请告诉我们
Enterprise Server 3.0
简体中文
� 
Enterprise administrators
Enterprise Server 3.0
简体中文

� 

此版本的 GitHub Enterprise 已停止服务 2022-02-16. 即使针对重大安全问题,也不会发布补丁。 要获得更好的性能、改进的安全性和新功能,请升级到 GitHub Enterprise 的最新版本。 如需升级方面的帮助,请联系 GitHub Enterprise 支持

Configuring code scanning for your appliance

本文内容

You can enable, configure and disable 代� �扫描 for your GitHub Enterprise Server instance. 代� �扫描 allows users to scan code for vulnerabilities and errors.

代� �扫描 在您拥有 GitHub Advanced Security 的许可证时可用。 更多信息请参阅“关于 GitHub Advanced Security”。

About 代� �扫描

代� �扫描 是一项功能,可用于分析 GitHub 仓库中的代� �,以查找安全漏洞和编� �错误。 分析发现的任何问题都显示在 GitHub Enterprise Server 中。

You can configure 代� �扫描 to run CodeQL analysis and third-party analysis. 代� �扫描 also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The table below summarizes all the options available to users when you configure your GitHub Enterprise Server instance to allow 代� �扫描 using actions.

分析类型 用于生成警报的选项
CodeQL Using GitHub Actions (see "Setting up 代� �扫描 using actions") or running CodeQL analysis in a third-party continuous integration (CI) system (see "About CodeQL 代� �扫描 in your CI system").
第三方 Using GitHub Actions (see "Setting up 代� �扫描 using actions") or generated externally and uploaded to GitHub Enterprise Server (see "Uploading a SARIF file to GitHub").

Checking whether your license includes GitHub Advanced Security

You can identify if your enterprise has a GitHub Advanced Security license by reviewing the 管理控制台. For more information, see "Enabling GitHub Advanced Security for your enterprise."

Prerequisites for 代� �扫描

Running 代� �扫描 using GitHub Actions

Setting up a self-hosted runner

GitHub Enterprise Server can run 代� �扫描 using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Provisioning the actions for 代� �扫描

If you want to use actions to run 代� �扫描 on GitHub Enterprise Server, the actions must be available on your appliance.

The CodeQL action is included in your installation of GitHub Enterprise Server. If GitHub Enterprise Server has access to the internet, the action will automatically download the CodeQL bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the CodeQL analysis bundle available locally. For more information, see "Configuring CodeQL analysis on a server without internet access" below.

You can also make third-party actions available to users for 代� �扫描, by setting up GitHub Connect. For more information, see "Configuring GitHub Connect to sync GitHub Actions" below.

Configuring CodeQL analysis on a server without internet access

If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL 代� �扫描 for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from GitHub.com to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.

If you set up the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.

Configuring GitHub Connect to sync GitHub Actions

  1. If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. For more information, see "Enabling GitHub Connect."
  2. You'll also need to enable GitHub Actions for your GitHub Enterprise Server instance. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
  3. The next step is to configure access to actions on GitHub.com using GitHub Connect. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
  4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."

Running code scanning using the CodeQL CLI

If you don't want to use GitHub Actions, you should run 代� �扫描 using the CodeQL CLI.

The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. For more information, see "Installing CodeQL CLI in your CI system."

Running 代� �扫描 using the CodeQL runner

Note: The CodeQL runner is being deprecated. On GitHub Enterprise Server 3.0 and greater, you can install CodeQL CLI version 2.6.3 to replace CodeQL runner.

For more information, see the CodeQL runner deprecation. For information on migrating to CodeQL CLI, see "Migrating from the CodeQL runner to CodeQL CLI."

If you don't want to use GitHub Actions, you can run 代� �扫描 using the CodeQL runner.

The CodeQL runner is a command-line tool that you can add to your third-party CI/CD system. The tool runs CodeQL analysis on a checkout of a GitHub repository. For more information, see "Running 代� �扫描 in your CI system."