Skip to main content

Configuring code scanning for your appliance

You can enable, configure and disable 代码扫描 for 您的 GitHub Enterprise Server 实例. 代码扫描 allows users to scan code for vulnerabilities and errors.

代码扫描 可用于 GitHub Enterprise Server 中的组织拥有的存储库。 此功能需要 GitHub Advanced Security 的许可证。 更多信息请参阅“GitHub 的产品”。

About 代码扫描

代码扫描 是一项功能,可用于分析 GitHub 仓库中的代码,以查找安全漏洞和编码错误。 分析发现的任何问题都显示在 GitHub Enterprise Server 中。

You can configure 代码扫描 to run CodeQL analysis and third-party analysis. 代码扫描 also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The table below summarizes all the options available to users when you configure 您的 GitHub Enterprise Server 实例 to allow 代码扫描 using actions.

分析类型 用于生成警报的选项
CodeQL 使用 GitHub Actions(请参阅“使用操作设置 代码扫描 ”)或在第三方持续集成 (CI) 系统中运行 CodeQL 分析(请参阅“关于 CI 系统中的 CodeQL 代码扫描”)。
第三方 使用 GitHub Actions (请参阅“使用操作设置 代码扫描”)或在外部生成并上传到 GitHub Enterprise Server (请参阅“将 SARIF 文件上传到 GitHub”)。

Checking whether your license includes GitHub Advanced Security

您可以通过查看企业设置来确定您的企业是否具有 GitHub Advanced Security 许可证。 更多信息请参阅“为企业启用 GitHub Advanced Security”。

Prerequisites for 代码扫描

Running 代码扫描 using GitHub Actions

Setting up a self-hosted runner

GitHub Enterprise Server can run 代码扫描 using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Provisioning the actions for 代码扫描

If you want to use actions to run 代码扫描 on GitHub Enterprise Server, the actions must be available on your appliance.

The CodeQL action is included in your installation of GitHub Enterprise Server. If GitHub Enterprise Server 3.5 has access to the internet, the action will automatically download the CodeQL 2.8.5 bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the latest released version of the CodeQL analysis bundle available locally. For more information, see "Configuring CodeQL analysis on a server without internet access" below.

You can also make third-party actions available to users for 代码扫描, by setting up GitHub Connect. For more information, see "Configuring GitHub Connect to sync GitHub Actions" below.

Configuring CodeQL analysis on a server without internet access

If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL 代码扫描 for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from to your server. The tool, and details of how to use it, are available at

If you set up the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.

Configuring GitHub Connect to sync GitHub Actions

  1. If you want to download action workflows on demand from, you need to enable GitHub Connect. For more information, see "Enabling GitHub Connect."
  2. You'll also need to enable GitHub Actions for 您的 GitHub Enterprise Server 实例. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
  3. The next step is to configure access to actions on using GitHub Connect. For more information, see "Enabling automatic access to actions using GitHub Connect."
  4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."

Running code scanning using the CodeQL CLI

If you don't want to use GitHub Actions, you should run 代码扫描 using the CodeQL CLI.

The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. For more information, see "Installing CodeQL CLI in your CI system."