
Triaging code scanning alerts in pull requests

When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.

If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve code scanning alerts for that repository.

Code scanning is available for public repositories, and for private repositories owned by organizations with an Advanced Security license. For more information, see "GitHub's products."


About code scanning results on pull requests

In repositories where code scanning is configured as a pull request check, code scanning checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within GitHub Actions or in a third-party CI/CD system. If merging the changes would introduce new code scanning alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the Files changed tab of the pull request. If you have write permission for the repository, you can see any existing code scanning alerts on the Security tab. For information about repository alerts, see "Managing code scanning alerts for your repository."

If code scanning has any results with a severity of error, the check fails and the error is reported in the check results. If all the results found by code scanning have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch that has been enabled for code scanning, and the repository owner has configured required status checks, then you must either fix or dismiss all error alerts before the pull request can be merged. For more information, see "About required status checks."

Failed code scanning check on a pull request

About code scanning as a pull request check

There are many options for configuring code scanning as a pull request check, so the exact setup of each repository will vary and some will have more than one check. The check that contains the results of code scanning is Code scanning results.

If the repository uses the CodeQL analysis workflow, a CodeQL / Analyze (LANGUAGE) check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis needs to compile (for example, C/C++, C#, or Java). As with other pull request checks, you can see full details of the check failure on the Checks tab. For more information about configuring and troubleshooting, see "Configuring code scanning" or "Troubleshooting code scanning."

Triaging an alert on your pull request

When you look at the Files changed tab for a pull request, you see annotations for any lines of code that triggered the alert.

Alert annotation within a pull request diff

If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from CodeQL analysis, you can click user-provided value to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking Show paths. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using CodeQL, see "About data flow analysis."

To see more information about an alert, users with write permission can click the Show more details link shown in the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem.

In the detailed view for an alert, some code scanning tools, like CodeQL analysis, also include a description of the problem and a Show more link for guidance on how to fix your code.

Alert description and link to show more information

Fixing an alert on your pull request

Anyone with push access to a pull request can fix a code scanning alert that's identified on that pull request. If you commit changes to the pull request, this triggers a new run of the pull request checks. If your changes fix the problem, the alert is closed and the annotation removed.

Dismissing an alert on your pull request

An alternative way of closing an alert is to dismiss it. You can dismiss an alert if you don't think it needs to be fixed. For example, an error in code that is used only for testing, or when the effort of fixing the error is greater than the potential benefit of improving the code. If you have write permission for the repository, the Dismiss button is available in code annotations and in the alerts summary. When you click Dismiss you will be prompted to choose a reason for closing the alert.

Choosing a reason for dismissing an alert

It's important to choose the appropriate reason from the drop-down menu, because this may affect whether a query continues to be included in future analysis.

If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis. For more information about CodeQL, see "Contributing to CodeQL."
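The following is an added example, not code from the page or from GitHub, that illustrates both the source-to-sink path described under "Triaging an alert on your pull request" and the false-positive case above. It assumes a hypothetical `username` value taken straight from a request parameter (the source) and `sqlite3` query execution as the sink, with a throwaway in-memory table constructed inline. `vulnerable_lookup` is the shape of code CodeQL's SQL-injection query reports; `hardened_lookup` is the fix that makes the alert close on the next check run; `lookup_with_custom_sanitizer` uses a hypothetical in-house allow-list check that CodeQL may not model, which is the situation where dismissing the alert as a false positive (and contributing a sanitizer model) is the right call rather than a code change.

```python
import re
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a throwaway in-memory table, not real user data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",), ("carol",)]
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[str]:
    # SOURCE: `username` is assumed to arrive untouched from a request parameter.
    # SINK: the tainted value is interpolated into the SQL text, so the whole
    # path from source to sink is what the "Show paths" view would display.
    query = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def hardened_lookup(conn: sqlite3.Connection, username: str) -> List[str]:
    # FIX: a parameterised query keeps the value out of the query text, so the
    # data flow to the sink no longer exists and the alert closes on re-check.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


# Hypothetical allow-list sanitizer standing in for an in-house or third-party
# library that the analysis does not recognise as a sanitization step.
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def custom_sanitize(value: str) -> str:
    if not IDENT_RE.fullmatch(value):
        raise ValueError("rejected untrusted input")
    return value


def lookup_with_custom_sanitizer(conn: sqlite3.Connection, username: str) -> List[str]:
    # Safe in practice (only identifier characters survive), yet the SQL text is
    # still built by interpolation, so an unmodelled sanitizer leaves the alert
    # open; this is the false-positive case that warrants a Dismiss with a reason.
    safe = custom_sanitize(username)
    query = f"SELECT name FROM users WHERE name = '{safe}'"
    return [row[0] for row in conn.execute(query)]


def demo() -> Dict[str, object]:
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    results: Dict[str, object] = {
        "vulnerable_payload": vulnerable_lookup(conn, payload),  # every row leaks
        "hardened_payload": hardened_lookup(conn, payload),      # no match
        "hardened_alice": hardened_lookup(conn, "alice"),
        "sanitized_alice": lookup_with_custom_sanitizer(conn, "alice"),
    }
    try:
        lookup_with_custom_sanitizer(conn, payload)
        results["sanitizer_rejected_payload"] = False
    except ValueError:
        results["sanitizer_rejected_payload"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the payload returning all three names through `vulnerable_lookup` and nothing through `hardened_lookup`, while the custom sanitizer rejects the payload outright. When triaging, compare the alert's path against the code the same way: if a step like `custom_sanitize` sits between source and sink and the tool did not treat it as a sanitizer, dismiss with the false-positive reason; otherwise commit the parameterised fix.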

For more information about dismissing alerts, see "Managing code scanning alerts for your repository."
