Skip to main content

About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Who can use this feature?

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Enterprise Cloud with GitHub Advanced Security enabled

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see Resolving code scanning alerts.

GitHub Copilot Autofix will suggest fixes for alerts from code scanning analysis in private repositories, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see Responsible use of Copilot Autofix for code scanning.

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see Webhook events and payloads. For information about API endpoints, see REST API endpoints for code scanning.

To get started with code scanning, see Configuring default setup for code scanning.

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see About billing for GitHub Actions.

To use code scanning on a private repository, you will also need a license for GitHub Advanced Security. For information about how you can try GitHub Advanced Security for free, see "Setting up a trial of GitHub Advanced Security."

About tools for code scanning

You can configure code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.

About CodeQL analysis

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts. For more information about CodeQL, see About code scanning with CodeQL.

About third-party code scanning tools

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF support for code scanning."

You can run third-party analysis tools within GitHub Enterprise Cloud using actions or within an external CI system. For more information, see Configuring advanced setup for code scanning or Uploading a SARIF file to GitHub.

About the tool status page

The tool status page shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the tool status page is a good starting point for debugging problems. For more information, see About the tool status page for code scanning.