Nota: Escaneo de código se encuentra acutalmente en beta y está sujeto a cambios. If your organization has an Advanced Security license, you can join the beta program.
Escaneo de código is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in Servidor de GitHub Enterprise.
You can configure escaneo de código to run CodeQL analysis and third-party analysis. Escaneo de código also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The table below summarizes all the options available to users when you configure tu instancia de servidor de GitHub Enterprise to allow escaneo de código using actions.
||Options for generating alerts|
|CodeQL||Using GitHub Actions (see "Enabling escaneo de código using actions") or using the CodeQL runner in a third-party continuous integration (CI) system (see "Running code scanning in your CI system").|
|Third‑party||Using GitHub Actions (see "Enabling escaneo de código using actions") or generated externally and uploaded to GitHub Enterprise (see "Uploading a SARIF file to GitHub").|
A license for GitHub Advanced Security
Escaneo de código enabled in the management console (see "Enabling GitHub Advanced Security for your enterprise")
A VM or container for escaneo de código analysis to run in.
Servidor de GitHub Enterprise can run escaneo de código using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."
You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.
To run escaneo de código on Servidor de GitHub Enterprise with GitHub Actions, the appropriate actions must be available locally. You can make the actions available in three ways.
- Recommended: You can use GitHub Connect to automatically download actions from GitHub.com. The machine that hosts your instance must be able to access GitHub.com. This approach ensures that you get the latest software automatically. For more information, see "Configuring GitHub Connect to sync GitHub Actions."
- If you want to use the CodeQL Analysis workflow, you can sync the repository from GitHub.com to Servidor de GitHub Enterprise, by using the CodeQL Action sync tool available at https://github.com/github/codeql-action-sync-tool. You can use this tool regardless of whether tu instancia de servidor de GitHub Enterprise or your GitHub Actions runners have access to the internet, as long as you can access both tu instancia de servidor de GitHub Enterprise and GitHub.com simultaneously on your computer.
- You can create a local copy of an action's repository on your server, by cloning the GitHub.com repository that contains the action. For example, if you want to use the actions for CodeQL escaneo de código, you can create a repository in your instance called
github/codeql-action, then clone the repository from GitHub.com, and then push that repository to your instance's
github/codeql-actionrepository. You will also need to download any of the releases from the repository on GitHub.com and upload them to your instance's
github/codeql-actionrepository as releases.
- If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. For more information, see "Enabling GitHub Connect."
- You'll also need to enable GitHub Actions for tu instancia de servidor de GitHub Enterprise. For more information, see "Getting started with GitHub Actions for Servidor de GitHub Enterprise."
- The next step is to configure access to actions on GitHub.com using GitHub Connect. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
- Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."
If you don't want to use GitHub Actions, you can run escaneo de código using the CodeQL runner.
The CodeQL runner is a command-line tool that you can add to your third-party CI/CD system. The tool runs CodeQL analysis on a checkout of a GitHub repository. For more information, see "Running escaneo de código in your CI system."