Automatically scanning your code for vulnerabilities and errors
You can find vulnerabilities and errors in your project's code on GitHub, as well as view, triage, understand, and resolve the related code scanning alerts.
Code scanning is available for all public repositories on GitHub.com. To use code scanning in a private repository owned by an organization, you must have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."
About code scanning
You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.
About code scanning alerts
Learn about the different types of code scanning alerts and the information that helps you understand the problem each alert highlights.
Triaging code scanning alerts in pull requests
When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.
Configuring code scanning for a repository
You can configure code scanning for a repository to find security vulnerabilities in your code.
About the tool status page for code scanning
The tool status page shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the tool status page is a good starting point for debugging problems.
Managing code scanning alerts for your repository
From the security view, you can view, fix, or dismiss alerts for potential vulnerabilities or errors in your project's code.
Tracking code scanning alerts in issues using task lists
You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.
Customizing code scanning
You can customize how GitHub scans the code in your project for vulnerabilities and errors.
About code scanning with CodeQL
You can use CodeQL to identify vulnerabilities and errors in your code. The results are shown as code scanning alerts in GitHub.
Recommended hardware resources for running CodeQL
Recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis on self-hosted machines, based on the size of your codebase.
Built-in CodeQL query suites
You can choose from different built-in CodeQL query suites to use in your CodeQL code scanning setup.
Configuring the CodeQL workflow for compiled languages
You can configure how GitHub uses the CodeQL analysis workflow to scan code written in compiled languages for vulnerabilities and errors.
Configuring code scanning at scale using CodeQL
You can configure code scanning for eligible repositories in your organization using default setup for CodeQL or use a script to configure advanced setup for a specific group of repositories.
Troubleshooting your default setup for CodeQL
If you're having problems with the default code scanning setup, you can troubleshoot by using these tips for resolving issues.
Troubleshooting your advanced setup for CodeQL
If you're having problems with advanced setup for code scanning, you can troubleshoot by using these tips for resolving issues.
Running CodeQL code scanning in a container
You can run code scanning in a container by ensuring that all processes run in the same container.
Viewing code scanning logs
You can view the output generated during code scanning analysis in GitHub.com.