About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

In this article

Did this doc help you?

Note: Code scanning is currently in beta and subject to change. If your organization has an Advanced Security license, you can join the beta program.

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Server.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use the code scanning API. For more information about API endpoints, see "Code scanning."

To get started with code scanning, see "Enabling code scanning for a repository."

About CodeQL

You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.

QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.

Code scanning with CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code that's written in the supported languages.

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

You can view and contribute to the queries for code scanning in the github/codeql repository. For more information, see CodeQL queries in the CodeQL documentation.

About third-party code scanning tools

You can upload SARIF files generated outside GitHub and see code scanning alerts from third-party tools in your repository.

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

To get started, see "Uploading a SARIF file to GitHub."

Further reading

Did this doc help you?