Esta versión de GitHub Enterprise se discontinuó el 2021-09-23. No se realizarán lanzamientos de patch, ni siquiera para problemas de seguridad críticos. Para obtener un mejor desempeño, más seguridad y nuevas características, actualiza a la última versión de GitHub Enterprise. Para obtener ayuda con la actualización, contacta al soporte de GitHub Enterprise.

Triaging code scanning alerts in pull requests

When escaneo de código identifies a problem in a pull request, you can review the highlighted code and resolve the alert.

If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve escaneo de código alerts for that repository.

Escaneo de código is available if you have a license for GitHub Advanced Security.

Nota: Escaneo de código se encuentra acutalmente en beta y está sujeto a cambios. If your organization has an Advanced Security license, you can join the beta program.

About escaneo de código results on pull requests

In repositories where escaneo de código is configured as a pull request check, escaneo de código checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within GitHub Actions or in a third-party CI/CD system. If merging the changes would introduce new escaneo de código alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the Files changed tab of the pull request. If you have write permission for the repository, you can see any existing escaneo de código alerts on the Security tab. For information about repository alerts, see "Managing escaneo de código alerts for your repository."

If escaneo de código has any results with a severity of error, the check fails and the error is reported in the check results. If all the results found by escaneo de código have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch that uses escaneo de código, and the repository owner has configured required status checks, then you must either fix or close all error alerts before the pull request can be merged. For more information, see "About protected branches."

Failed escaneo de código check on a pull request

About escaneo de código as a pull request check

There are many options for configuring escaneo de código as a pull request check, so the exact setup of each repository will vary and some will have more than one check. The check that contains the results of escaneo de código is: Code scanning results.

If the repository uses the CodeQL Analysis workflow a CodeQL / Analyze (LANGUAGE) check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis needs to compile (for example, C/C++, C#, or Java). As with other pull request checks, you can see full details of the check failure on the Checks tab. For more information about configuring and troubleshooting, see "Configuring escaneo de código" or "Troubleshooting the CodeQL workflow."

Triaging an alert on your pull request

When you look at the Files changed tab for a pull request, you see annotations for any lines of code that triggered the alert.

Alert annotation within a pull request diff

If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from CodeQL analysis, you can click user-provided value to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking Show paths. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using CodeQL, see "About data flow analysis."

To see more information about an alert, users with write permission can click the Show more details link shown in the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem.

In the detailed view for an alert, some escaneo de código tools, like CodeQL analysis, also include a description of the problem and a Show more link for guidance on how to fix your code.

Alert description and link to show more information

Resolving an alert on your pull request

Anyone with push access to a pull request can fix a escaneo de código alert that's identified on that pull request. If you commit changes to the pull request this triggers a new run of the pull request checks. If your changes fix the problem, the alert is closed and the annotation removed.

If you don't think that an alert needs to be fixed, users with write permission can close the alert manually. For example, an error in code that's used only for testing, or when the effort of fixing the error is greater than the potential benefit of improving the code. The Close button is available in annotations and in the alerts view if you have write permission for the repository.

If you close a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis. For more information about CodeQL, see "Contributing to CodeQL."