Skip to main content

Configuring self-hosted runners for code scanning in your enterprise

You can enable, configure, and disable code scanning for GitHub Enterprise Cloud without GitHub-hosted runners. Code scanning allows users to scan code for vulnerabilities and errors.

Who can use this feature?

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Enterprise Cloud with GitHub Advanced Security enabled

Provisioning a self-hosted runner

Note

GitHub Enterprise Cloud can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. See "About self-hosted runners" and "Adding self-hosted runners."

If you are provisioning a self-hosted runner for CodeQL analysis, your runner must use a CodeQL-supported operating system version and CPU architecture. See the CodeQL system requirements.

If you are using default setup for code scanning, you can assign self-hosted runners with the default code-scanning label, or you can optionally give them custom labels so that individual repositories can use different runners. See "Configuring default setup for code scanning."

For information about using default setup for code scanning analysis of compiled languages, see "CodeQL code scanning for compiled languages."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Note

If you use CodeQL code scanning to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.