About integration with code scanning

You can perform code scanning externally and then display the results in GitHub.

Did this doc help you?

Note: Code scanning is currently in beta and subject to change. If your organization has an Advanced Security license, you can join the beta program.

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."

As an alternative to running code scanning within GitHub, you can perform analysis elsewhere and then upload the results. Alerts for code scanning that you run externally are displayed in the same way as those for code scanning that you run within GitHub. For more information, see "Managing code scanning alerts for your repository."

You can use your continuous integration or continuous delivery/deployment (CI/CD) system to run GitHub's CodeQL analysis and upload the results to GitHub. This is an alternative to using GitHub Actions to run CodeQL analysis. For more information, see "Running code scanning in your CI system."

If you use a third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data, you can upload this to GitHub. For more information, see "Uploading a SARIF file to GitHub."

Further reading

Did this doc help you?