
Configuring self-hosted runners for code scanning in your enterprise

You can enable, configure, and disable code scanning for GitHub Enterprise Cloud without GitHub-hosted runners. Code scanning allows users to scan code for vulnerabilities and errors.

Who can use this feature?

Code scanning is available for all public repositories. To use code scanning in a private repository owned by an organization, you must have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

Provisioning a self-hosted runner


GitHub Enterprise Cloud can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

If you are provisioning a self-hosted runner for CodeQL analysis, your runner must use a CodeQL-supported operating system version and CPU architecture. For more information, see the CodeQL system requirements.

If you are using default setup for code scanning, assign the code-scanning label to your self-hosted runner. For more information about using labels with self-hosted runners, see "Using labels with self-hosted runners." For more information about using default setup for code scanning analysis of compiled languages, see "CodeQL code scanning for compiled languages."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Note: If you use CodeQL code scanning to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.
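
The following preflight script is an added example, not part of GitHub's documentation or tooling. It checks the two runner prerequisites stated above (Git on PATH, and Python 3 when Python code is analyzed); the function names and the rule that a `python` reporting major version 3 also counts are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for a self-hosted runner used for CodeQL code scanning.
# Covers only the two prerequisites stated above: Git on PATH, and Python 3
# installed when Python code is analyzed.

# Succeeds if a `git` executable resolves on the current PATH.
have_git() {
    command -v git >/dev/null 2>&1
}

# Succeeds if a Python 3 interpreter is on PATH. Assumption: either `python3`
# or a `python` that reports major version 3 counts as "Python 3 installed".
have_python3() {
    command -v python3 >/dev/null 2>&1 && return 0
    command -v python >/dev/null 2>&1 || return 1
    [ "$(python -c 'import sys; print(sys.version_info[0])' 2>/dev/null)" = "3" ]
}

# preflight [yes|no]: prints one line per check and returns the number of
# failed checks. Pass "yes" when the runner will analyze Python code.
preflight() {
    needs_python=${1:-no}
    failures=0
    if have_git; then
        echo "ok:   git -> $(command -v git)"
    else
        echo "FAIL: git is not on PATH"
        failures=$((failures + 1))
    fi
    if [ "$needs_python" = "yes" ]; then
        if have_python3; then
            echo "ok:   Python 3 interpreter found"
        else
            echo "FAIL: no Python 3 interpreter on PATH"
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}

# Run the checks; the first script argument selects the Python check.
preflight "${1:-no}" || echo "preflight: $? check(s) failed"
```

Run it as the account the runner service runs under, or as a step in a job on that runner, because PATH in a service environment can differ from PATH in an interactive login.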