Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.
With code scanning, developers can quickly and automatically analyze the code in a GitHub repository to find security vulnerabilities and coding errors.
You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. It also helps prevent developers from introducing new problems: you can schedule scans for specific days and times, or trigger a scan when a specific event occurs in the repository, such as a push.
If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing alerts from code scanning."
Code scanning supports both compiled and interpreted languages, and can find vulnerabilities and errors in code written in any of the supported languages.
Code scanning uses GitHub Actions. For more information, see "About GitHub Actions."
To get started with code scanning, see "Enabling code scanning."
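A workflow that wires together the two triggering modes described above (a scheduled scan and a scan on push) with the CodeQL analysis steps, as an added example that is not taken from this page or from GitHub's own starter workflow. The repository is assumed to contain JavaScript, and the `@v1` and `@v2` tags are assumed to be the action versions your organisation permits; pin whatever you have reviewed.

```yaml
# .github/workflows/codeql-analysis.yml (added example, not from the docs page)
# Assumptions: the repository contains JavaScript; the "v1" tag of
# github/codeql-action and the "v2" tag of actions/checkout are acceptable pins.
name: "CodeQL"

on:
  # Scan every push to the default branch and every pull request against it,
  # so new problems are reported before they are merged.
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Also scan on a schedule, so newly published queries run against code that
  # has not changed. Cron times are UTC; scheduled runs use the default branch.
  schedule:
    - cron: '0 3 * * 1'   # Mondays, 03:00 UTC

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Set up the CodeQL tools. Interpreted languages are extracted straight
      # from source; compiled languages are traced during the build step below.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: javascript

      # For compiled languages, attempt to build the project automatically.
      # If autobuild cannot build your project, replace this step with the
      # project's own build commands so the compiled code is captured.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # Run the queries and upload the results as code scanning alerts.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Because the schedule trigger only runs against the default branch, keep the `push` and `pull_request` triggers as well; otherwise a vulnerability introduced on a feature branch is not seen until it lands on `main`.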
For more information about API endpoints for code scanning, see "Code scanning."
By default, code scanning uses CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. Once a vulnerability is found, you can use CodeQL to find all of its variants across your codebase and remove them.
QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.
Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."
You can upload SARIF files from third-party static analysis tools to GitHub and see code scanning alerts from those tools in your repository.
Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."
To get started, see "Uploading a SARIF file to GitHub."
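A workflow that runs a third-party analyzer and hands its SARIF output to code scanning, as an added example that is not taken from this page or from the project it describes. `mytool` and its command-line flags are placeholders for whatever analyzer you use; the `upload-sarif` action and its `sarif_file` input are real, but the `@v1` pin is an assumption.

```yaml
# .github/workflows/third-party-sarif.yml (added example, not from the docs page)
# Assumptions: "mytool" and its flags are hypothetical stand-ins for any
# analyzer that can write SARIF 2.1.0; the "v1" pin of github/codeql-action
# is acceptable in your organisation.
name: "Third-party scan"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Run the analyzer and have it write SARIF into the workspace. Many
      # analyzers exit non-zero when they report findings; without
      # continue-on-error the job would stop here and nothing would be uploaded.
      - name: Run analyzer (hypothetical CLI)
        run: mytool scan --format sarif --output results.sarif .
        continue-on-error: true

      # Hand the file to code scanning. Alerts from this tool appear in the
      # repository's Security tab alongside any CodeQL alerts.
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```

Leave the upload step without `continue-on-error`: if the analyzer crashed and produced no file, you want the job to fail visibly rather than silently report zero findings. File paths inside the SARIF should be relative to the repository root so that each alert links to the right line in the right file.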
- GitHub Security Lab
- OASIS Static Analysis Results Interchange Format (SARIF) TC on the OASIS Committee website