About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "Code scanning."

To get started with code scanning, see "Setting up code scanning for a repository."

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."

About tools for code scanning

You can set up code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.

About CodeQL analysis

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as escaneo de código alerts. For more information about CodeQL, see "About code scanning with CodeQL."

About third-party code scanning tools

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

You can run third-party analysis tools within GitHub using actions or within an external CI system. For more information, see "Setting up code scanning for a repository" or "Uploading a SARIF file to GitHub."
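As an added example (not code from GitHub or any scanner), the following script shows the shape of a SARIF 2.1.0 log that a third-party tool must produce before its results can be uploaded to code scanning. The tool name, rule ids and findings are constructed samples; the `check_for_code_scanning` function applies the minimum structural checks a practitioner would want before uploading.

```python
"""Build a minimal SARIF 2.1.0 log from a scanner's findings and sanity-check it."""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
VALID_LEVELS = {"none", "note", "warning", "error"}

# Constructed sample findings, as a hypothetical third-party scanner might report them.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "file": "src/config.py", "line": 12,
     "text": "Credential appears to be hard-coded.", "severity": "error"},
    {"rule": "unused-variable", "file": "src/util.py", "line": 40,
     "text": "Variable 'tmp' is assigned but never used.", "severity": "warning"},
]


def to_sarif(findings, tool_name="example-scanner", tool_version="0.1.0"):
    """Return a SARIF document (as a dict) with one run containing all findings."""
    rules, results = {}, []
    for f in findings:
        # Each distinct rule id is declared once under tool.driver.rules.
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": f["severity"],
            "message": {"text": f["text"]},
            # Paths are relative to the repository root so GitHub can map them to files.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool_name, "version": tool_version,
                            "rules": list(rules.values())}},
        "results": results,
    }]}


def check_for_code_scanning(doc):
    """Return a list of problems that would stop GitHub from displaying alerts."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        for i, r in enumerate(run.get("results", [])):
            if not r.get("ruleId") or not r.get("message", {}).get("text"):
                problems.append(f"result {i}: ruleId and message.text are required")
            if r.get("level") not in VALID_LEVELS:
                problems.append(f"result {i}: invalid level {r.get('level')!r}")
            for loc in r.get("locations", []):
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                if uri.startswith("/") or "://" in uri:
                    problems.append(f"result {i}: uri {uri!r} is not repository-relative")
    return problems


def write_sarif(findings, path):
    """Serialize findings to a SARIF file ready for upload to code scanning."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)
```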
