About code scanning
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the repository.
You can configure code scanning to run CodeQL analysis and third-party analysis. Code scanning also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The bullets below summarize the options available to users when you configure your GitHub Enterprise Server instance to allow code scanning using actions.
- CodeQL: Uses GitHub Actions with either default setup (Configuring default setup for code scanning) or advanced setup (Configuring advanced setup for code scanning), or runs CodeQL analysis in a third-party continuous integration (CI) system (Using code scanning with your existing CI system)
- Third-party: Uses GitHub Actions or third-party tools and uploads results to GitHub (Uploading a SARIF file to GitHub)
Checking whether your license includes Advanced Security
You can identify whether your enterprise has a license for Advanced Security by reviewing the settings for your enterprise. For more information, see Enabling GitHub Advanced Security for your enterprise.
Prerequisites for code scanning
- A license for GitHub Advanced Security (see About billing for GitHub Advanced Security)
- Code scanning enabled in the management console (see Enabling GitHub Advanced Security for your enterprise)
- A VM or container for code scanning analysis to run in.
Running code scanning using GitHub Actions
Provisioning a self-hosted runner
GitHub can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. See About self-hosted runners and Adding self-hosted runners.
You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.
Note
If you use CodeQL code scanning to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.
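The two runner requirements above (Git resolvable through PATH, and a Python 3 interpreter when Python code is analyzed) are easy to verify before a host is registered. The following preflight script is an added example, not part of the GitHub documentation or the runner software; it assumes a POSIX sh on the runner host and looks the interpreter up as python3 first and then python.

```shell
#!/bin/sh
# Added example (not from the GitHub docs): preflight checks to run on a
# self-hosted runner host before registering it for CodeQL code scanning.
# Assumption: a POSIX sh; the interpreter is looked up as "python3" first, then "python".

# Return 0 if git resolves through PATH (the CodeQL action needs it to check out code).
check_git_in_path() {
    command -v git >/dev/null 2>&1
}

# Return 0 if a "python --version" style string names a Python 3 interpreter.
# $1 = version string as printed by the interpreter
is_python3_version() {
    case "$1" in
        "Python 3."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name of a Python 3 interpreter on PATH, or return 1 if none is found.
# Only repositories analyzed with the Python extractor need this.
find_python3() {
    for candidate in python3 python; do
        if command -v "$candidate" >/dev/null 2>&1 &&
           is_python3_version "$("$candidate" --version 2>&1)"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Print the first line of "$1 $2" output, or "missing" if the tool is absent.
tool_version() {
    if command -v "$1" >/dev/null 2>&1; then
        "$1" "$2" 2>&1 | head -n 1
    else
        echo "missing"
    fi
}

# Run all checks, print a summary, and return the number of hard failures.
runner_preflight() {
    failures=0
    if check_git_in_path; then
        echo "ok    git in PATH: $(tool_version git --version)"
    else
        echo "FAIL  git is not in PATH; add it before registering this runner"
        failures=$((failures + 1))
    fi
    if py=$(find_python3); then
        echo "ok    Python 3 interpreter: $py ($(tool_version "$py" --version))"
    else
        echo "WARN  no Python 3 interpreter; required only for Python analysis"
    fi
    return "$failures"
}

# Run the checks when invoked with "check": ./runner-preflight.sh check
if [ "${1:-}" = "check" ]; then
    runner_preflight
fi
```

A missing Git is reported as a hard failure because every CodeQL workflow step depends on it; a missing Python 3 is only a warning, since it matters only for runners that will analyze Python repositories.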
Provisioning a runner scale set
You can use Actions Runner Controller to create a dedicated runner scale set for your GitHub Enterprise Server instance. See Deploying runner scale sets with Actions Runner Controller.
Provisioning the actions for code scanning
If you want to use actions to run code scanning on GitHub Enterprise Server, the actions must be available on your appliance.
The CodeQL action is included in your installation of GitHub Enterprise Server. If both GitHub Enterprise Server 3.16 and your GitHub Actions runner have access to the internet, the action will automatically download the CodeQL 2.20.3 bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the latest released version of the CodeQL analysis bundle available locally. See Configuring CodeQL analysis on a server without internet access below.
You can also make third-party actions available to users for code scanning, by setting up GitHub Connect. See Configuring code scanning for your appliance below.
Configuring CodeQL analysis on a server without internet access
If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL code scanning for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from GitHub.com to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.
If you configure the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.
Configuring GitHub Connect to sync GitHub Actions
- If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. See Enabling GitHub Connect for GitHub.com.
- You'll also need to enable GitHub Actions. See Getting started with GitHub Actions for GitHub Enterprise Server.
- The next step is to configure access to actions on GitHub.com using GitHub Connect. See Enabling automatic access to GitHub.com actions using GitHub Connect.
- Add a self-hosted runner to your repository, organization, or enterprise account. See Adding self-hosted runners.
Running code scanning using the CodeQL CLI
If you don't want to use GitHub Actions, you should run code scanning using the CodeQL CLI.
The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. See Using code scanning with your existing CI system.
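The sequence a third-party CI job runs with the CodeQL CLI is: create a database from the checked-out source, analyze it into SARIF, and upload the SARIF to the GitHub Enterprise Server instance so the alerts appear in the repository. The script below is an added example, not code from the GitHub documentation or the CodeQL project; it assumes the codeql CLI and its bundled queries are on PATH on the CI runner, that the repository, ref and commit SHA come from the CI environment, that a token with the security_events scope is supplied in GITHUB_TOKEN (the variable codeql github upload-results reads), and that GHES_URL holds the base URL of your instance.

```shell
#!/bin/sh
# Added example (not from the GitHub docs or the CodeQL project): the CodeQL CLI
# steps a third-party CI job runs to analyze a repository and upload SARIF
# results to a GitHub Enterprise Server instance.
# Assumptions: "codeql" is on PATH, GITHUB_TOKEN carries a token with the
# security_events scope, and GHES_URL is the base URL of the instance.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: build a CodeQL database for one language from the checked-out source.
# $1 = database directory, $2 = language (e.g. python, javascript), $3 = source root
codeql_create_db() {
    run_cmd codeql database create "$1" --language="$2" --source-root="$3"
}

# Step 2: run the default query suite and write SARIF. The category keeps
# results from several languages or CI jobs apart on the same commit.
# $1 = database directory, $2 = SARIF output file, $3 = SARIF category
codeql_analyze_db() {
    run_cmd codeql database analyze "$1" --format=sarif-latest --output="$2" --sarif-category="$3"
}

# Step 3: upload the SARIF to the GHES instance. Without --github-url the CLI
# targets GitHub.com, so the URL is mandatory here. Refuse to run without a token.
# $1 = owner/repo, $2 = git ref (refs/heads/main or refs/pull/N/merge),
# $3 = commit SHA, $4 = SARIF file, $5 = GHES base URL
codeql_upload_sarif() {
    if [ -z "${GITHUB_TOKEN:-}" ] && [ "${DRY_RUN:-0}" != "1" ]; then
        echo "GITHUB_TOKEN is not set; refusing to upload" >&2
        return 1
    fi
    run_cmd codeql github upload-results --repository="$1" --ref="$2" --commit="$3" --sarif="$4" --github-url="$5"
}

# Full pipeline for one language.
# $1 = language, $2 = owner/repo, $3 = ref, $4 = commit SHA, $5 = GHES base URL
codeql_ci_pipeline() {
    db_dir="codeql-db-$1"
    sarif_file="results-$1.sarif"
    codeql_create_db "$db_dir" "$1" "." &&
    codeql_analyze_db "$db_dir" "$sarif_file" "ci/$1" &&
    codeql_upload_sarif "$2" "$3" "$4" "$sarif_file" "$5"
}

# Run only when invoked with "run", e.g. from the CI job:
#   GHES_URL=https://ghes.example.com ./codeql-ci.sh run python octo-org/octo-repo refs/heads/main "$GIT_SHA"
if [ "${1:-}" = "run" ]; then
    codeql_ci_pipeline "$2" "$3" "$4" "$5" "${GHES_URL:?set GHES_URL to your GitHub Enterprise Server URL}"
fi
```

Pass --ref as refs/pull/N/merge together with the merge commit SHA for pull request builds, and a branch ref for pushes; the ref and commit determine where the alerts are displayed. A DRY_RUN=1 invocation is a cheap way to review the exact commands a pipeline will execute before granting the job a token.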