This version of GitHub Enterprise was discontinued on 2022-06-03. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

About CodeQL code scanning in your CI system

You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to your GitHub Enterprise Server instance. The resulting code scanning alerts are shown alongside any alerts generated within GitHub Enterprise Server.

Code scanning is available for organization-owned repositories where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

Note: Your site administrator must enable code scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring code scanning for your appliance."

About CodeQL code scanning in your CI system

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Server. For more information, see "About code scanning with CodeQL."

You can run CodeQL code scanning within GitHub Enterprise Server using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to your GitHub Enterprise Server instance.

You add the CodeQL CLI or the CodeQL runner to your third-party system, then call the tool to analyze code and upload the SARIF results to GitHub Enterprise Server. The resulting code scanning alerts are shown alongside any alerts generated within GitHub Enterprise Server.

CodeQL CLI version 2.6.3 is available now for GitHub Enterprise Server 3.0 and later versions. For more information on migrating to the CodeQL CLI, see "Migrating from the CodeQL runner to CodeQL CLI."

Note: Uploading SARIF data to display as code scanning results in GitHub Enterprise Server is supported for organization-owned repositories with GitHub Advanced Security enabled. For more information, see "Managing security and analysis settings for your repository."

Comparing CodeQL CLI and CodeQL runner

The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to your GitHub Enterprise Server instance.
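
The CLI workflow described above (create a database, run a query suite to produce SARIF, upload the results), as an added example that is not part of the original GitHub documentation. The GHES_URL and GITHUB_TOKEN variables, the example host name, and the run and codeql_ci_scan helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CodeQL CLI in a third-party CI job (database -> SARIF -> upload).
# Assumptions, not from the page: GHES_URL and GITHUB_TOKEN come from CI secrets,
# and the CodeQL bundle (CLI plus the <language>-code-scanning.qls suites) is on PATH.

# run: execute a command, or only print it when DRY_RUN=1 (to review the job).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# codeql_ci_scan OWNER/REPO REF COMMIT_SHA LANGUAGE [SOURCE_DIR]
codeql_ci_scan() (
    repo=$1; ref=$2; commit=$3; lang=$4; src=${5:-.}
    db="codeql-db-$lang"; sarif="results-$lang.sarif"

    # Alerts are attached to a ref and a commit, so refuse values that would
    # attribute results to the wrong place: a refs/... name and a full SHA.
    case $ref in
        refs/heads/?*|refs/pull/?*) ;;
        *) echo "ref must be refs/heads/... or refs/pull/...: $ref" >&2; return 2 ;;
    esac
    case $commit in
        ""|*[!0-9a-f]*) echo "commit must be a lowercase hex SHA" >&2; return 2 ;;
    esac
    [ "${#commit}" -eq 40 ] || { echo "commit must be the full 40-char SHA" >&2; return 2; }

    # 1. Build the CodeQL database from the checked-out source.
    run codeql database create "$db" --language="$lang" --source-root="$src" || return 1

    # 2. Run the code scanning query suite and write the results as SARIF.
    run codeql database analyze "$db" "$lang-code-scanning.qls" \
        --format=sarif-latest --output="$sarif" || return 1

    # 3. Upload. The token is passed on stdin so it never appears in the process
    #    list or in CI logs that echo command lines.
    if [ "${DRY_RUN:-0}" != "1" ] && [ -z "${GITHUB_TOKEN:-}" ]; then
        echo "GITHUB_TOKEN is not set" >&2; return 2
    fi
    printf '%s' "${GITHUB_TOKEN:-}" | run codeql github upload-results \
        --repository="$repo" --ref="$ref" --commit="$commit" --sarif="$sarif" \
        --github-url="${GHES_URL:-https://ghes.example.com}" --github-auth-stdin
)
```

Compiled languages also need a build command passed to codeql database create with --command. Setting DRY_RUN=1 prints the three commands without running them.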

The CodeQL runner is a deprecated command-line tool that uses the CodeQL CLI to analyze code and upload the results to GitHub Enterprise Server. The tool mimics the analysis run natively within GitHub Enterprise Server using GitHub Actions.

CodeQL CLI 2.6.3 is a complete replacement for the runner with full feature parity. Generally, it is better to use the CodeQL CLI directly.

For more information, see "Installing CodeQL CLI in your CI system."

Note: The CodeQL runner is being deprecated. On GitHub Enterprise Server 3.0 and later, you can install CodeQL CLI version 2.6.3 to replace the CodeQL runner.

For more information, see the CodeQL runner deprecation. For information on migrating to CodeQL CLI, see "Migrating from the CodeQL runner to CodeQL CLI."

For more information about the CodeQL runner, see "Running CodeQL runner in your CI system."