Note: Code scanning is currently in beta and subject to change.
Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub AE. For more information, see "About code scanning with CodeQL."
You can run CodeQL code scanning within GitHub AE using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to your enterprise.
Note: Uploading SARIF data to display as code scanning results in GitHub AE is supported for organization-owned repositories with GitHub Advanced Security enabled. For more information, see "Managing security and analysis settings for your repository."
You add the CodeQL runner to your third-party system, then call the tool to analyze code and upload the SARIF results to GitHub AE. The resulting code scanning alerts are shown alongside any alerts generated within GitHub AE.
Note: The CodeQL runner is being deprecated. Please use the CodeQL CLI version 2.6.2 or greater instead. GitHub Enterprise Server 3.3 will be the final release series that supports the CodeQL runner. On GitHub Enterprise Cloud, the CodeQL runner will be supported until March 2022. For more information, see the CodeQL runner deprecation.
To set up code scanning in your CI system, see "Running CodeQL runner in your CI system."
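The analyze-and-upload steps described above, written for the CodeQL CLI that the deprecation note recommends in place of the runner, as an added example rather than code from GitHub's documentation. It assumes the CodeQL CLI bundle (CLI plus query packs, version 2.6.2 or later) is on PATH and that the CI system exports GITHUB_TOKEN, GITHUB_REPOSITORY, GITHUB_REF, GITHUB_SHA and GITHUB_SERVER_URL; those variable names are assumptions, not something the page specifies.

```shell
#!/bin/sh
# Added example: the three CodeQL CLI steps a third-party CI job runs, then the
# SARIF upload to GitHub AE. Assumed environment (names are assumptions):
#   GITHUB_TOKEN       token with the security_events scope
#   GITHUB_REPOSITORY  owner/name of the repository being scanned
#   GITHUB_REF         ref that was checked out, e.g. refs/heads/main
#   GITHUB_SHA         commit that was checked out
#   GITHUB_SERVER_URL  base URL of the GitHub AE instance
set -eu

# $1 = CodeQL language (e.g. javascript), $2 = source root, $3 = scratch dir.
# Prints the path of the SARIF file that was uploaded.
run_codeql_scan() {
    lang=$1; src=$2; work=$3
    db="$work/codeql-db-$lang"
    sarif="$work/results-$lang.sarif"

    # 1. Extract the code into a CodeQL database. For compiled languages add
    #    --command="<your build command>" so the extractor observes the build.
    codeql database create "$db" --language="$lang" \
        --source-root="$src" --overwrite

    # 2. Run the default query suite for the language and write SARIF.
    #    --sarif-category keeps results from several languages or configs
    #    distinct when more than one upload targets the same commit.
    codeql database analyze "$db" --format=sarif-latest \
        --output="$sarif" --sarif-category="codeql-$lang"

    # 3. Upload the results; alerts then appear in the repository's Security
    #    tab next to any produced by workflows run inside GitHub AE. The token
    #    is passed on stdin rather than on the command line so it does not
    #    show up in process listings or CI command echo.
    printf '%s' "$GITHUB_TOKEN" | codeql github upload-results \
        --github-auth-stdin --github-url="$GITHUB_SERVER_URL" \
        --repository="$GITHUB_REPOSITORY" --ref="$GITHUB_REF" \
        --commit="$GITHUB_SHA" --sarif="$sarif"

    echo "$sarif"
}

# Typical CI invocation (uncomment in the job):
# run_codeql_scan javascript "$PWD" "$PWD/.codeql"
```

The upload step fails unless the repository is organization-owned with GitHub Advanced Security enabled, which is the same condition the SARIF-upload note above states.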