Automatically scanning your code for vulnerabilities and errors
You can find vulnerabilities and errors in your project's code on GitHub, as well as view, triage, understand, and resolve the related code scanning alerts.
Code scanning is available for all public repositories on GitHub.com. To use code scanning in a private repository owned by an organization, you must have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."
You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.
Learn about the different types of code scanning alerts and the information that helps you understand the problem each alert highlights.
When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.
You can set up code scanning by adding a workflow to your repository.
From the security view, you can view, fix, or dismiss alerts for potential vulnerabilities or errors in your project's code.
You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.
You can configure how GitHub scans the code in your project for vulnerabilities and errors.
You can use CodeQL to identify vulnerabilities and errors in your code. The results are shown as code scanning alerts in GitHub.
GitHub publishes recommended hardware specifications (RAM, CPU cores, and disk) for running CodeQL analysis on self-hosted machines, scaled to the size of your codebase.
You can configure how GitHub uses the CodeQL analysis workflow to scan code written in compiled languages for vulnerabilities and errors.
If you're having problems with code scanning, these troubleshooting tips can help you diagnose and resolve them.
You can run code scanning in a container, provided that the CodeQL initialization, the build, and the analysis all run in the same container: for compiled languages, CodeQL must observe the compiler invocations, so it cannot analyze a build that happens in a different container.
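The following workflow is an added example, not a file from the GitHub docs or the codeql-action project. It illustrates the setup described above (a code scanning workflow added to the repository, the manual build step needed for a compiled language, and running every step in one container). The repository languages, the container image, and the Maven build command are assumptions chosen for illustration; replace them with your project's own.

```yaml
# Added example (not from the GitHub docs page): a CodeQL code scanning workflow
# for a repository that contains Java and JavaScript. The container image and the
# build command are assumptions made for illustration.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 5 * * 1'   # weekly run so newly added queries cover unchanged code

permissions:
  contents: read
  security-events: write   # needed to upload results as code scanning alerts
  actions: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Every step of the job runs in this one container, so the CodeQL tracer
    # started by the init step can observe the compiler invoked by the build step.
    # The image is an assumption; pick one that carries your toolchain.
    container:
      image: eclipse-temurin:17-jdk
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java', 'javascript' ]
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Compiled languages must be built between init and analyze.
      # The Maven command is an assumption; use your project's real build.
      - name: Build (Java only)
        if: matrix.language == 'java'
        run: ./mvnw -B -DskipTests package

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Commit the file under `.github/workflows/` and the alerts appear in the repository's security view after the first run. The explicit build step is what distinguishes the compiled-language case: for JavaScript the init step alone is enough, while for Java the build must run inside the same job and container as init and analyze, or the database will be empty.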
You can view the output generated during code scanning analysis in GitHub.com.