Diese Version von GitHub Enterprise wurde eingestellt am 2021-09-23. Es wird keine Patch-Freigabe vorgenommen, auch nicht für kritische Sicherheitsprobleme. Für eine bessere Leistung, verbesserte Sicherheit und neue Features nimm ein Upgrade auf die neueste Version von GitHub Enterprise vor. Wende Dich an den GitHub Enterprise-Support, um Hilfe beim Upgrade zu erhalten.

About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available if you have a license for GitHub Advanced Security.

Note: Code scanning is in beta in GitHub Enterprise Server 2.22. For the generally available release of code scanning, upgrade to the latest release of GitHub Enterprise Server.

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."

Informationen zu code scanning

With code scanning, developers can quickly and automatically analyze the code in a GitHub repository to find security vulnerabilities and coding errors.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. Nachdem Du den Code korrigiert hast, der die Meldung ausgelöst hat, schließt GitHub die Meldung. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "Code scanning."

To get started with code scanning, see "Setting up code scanning for a repository."

Informationen zu CodeQL

Code scanning uses GitHub Actions. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.

QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.

For more information about API endpoints for code scanning, see "Code scanning."

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

You can view and contribute to the queries for code scanning in the github/codeql repository. For more information, see CodeQL queries in the CodeQL documentation.

About third-party code scanning tools

Du kannst SARIF-Dateien von statischen Analysewerkzeugen von Drittanbietern in GitHub hochladen und code scanning-Warnungen von diesen Werkzeugen in Deinem Repository sehen.

Code scanning ist mit Code-Scan-Werkzeugen von Drittanbietern interoperabel, welche SARIF-Daten (Static Analysis Results Interchange Format) ausgeben. SARIF ist ein Open-Source-Standard. Weitere Informationen findest Du unter „SARIF-Ausgabe für code scanning."

Weitere Informationen um loszulegen findest Du unter „Hochladen einer SARIF-Datei nach GitHub."

Weiterführende Informationen