
This version of GitHub Enterprise was discontinued on 2022-06-03. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise Support.

Configuring code scanning for your appliance

You can enable, configure, and disable code scanning for your GitHub Enterprise Server instance. Code scanning allows users to scan code for vulnerabilities and errors.

Code scanning is available for repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub Enterprise Server.

You can configure code scanning to run CodeQL analysis and third-party analysis. Code scanning also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The table below summarizes the options available to users when you configure your GitHub Enterprise Server instance to allow code scanning using actions.

Type of analysis    Options for generating alerts
CodeQL              Using GitHub Actions (see "Setting up code scanning using actions") or running CodeQL analysis in a third-party continuous integration (CI) system (see "About CodeQL code scanning in your CI system").
Third-party         Using GitHub Actions (see "Setting up code scanning using actions") or generated externally and uploaded to GitHub Enterprise Server (see "Uploading a SARIF file to GitHub").

Checking whether your license includes GitHub Advanced Security

You can identify whether your enterprise has a GitHub Advanced Security license by reviewing your enterprise settings. For more information, see "Enabling GitHub Advanced Security for your enterprise."

Prerequisites for code scanning

Running code scanning using GitHub Actions

Setting up a self-hosted runner

GitHub Enterprise Server can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions. Check the PATH seen by the runner process itself (for example, the environment of the service account the runner runs under), not only the PATH of your interactive login shell.

Provisioning the actions for code scanning

If you want to use actions to run code scanning on GitHub Enterprise Server, the actions must be available on your appliance.

The CodeQL action is included in your installation of GitHub Enterprise Server. If GitHub Enterprise Server has access to the internet, the action will automatically download the CodeQL bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the CodeQL analysis bundle available locally. For more information, see "Configuring CodeQL analysis on a server without internet access" below.

You can also make third-party actions available to users for code scanning by setting up GitHub Connect. For more information, see "Configuring GitHub Connect to sync GitHub Actions" below.

Configuring CodeQL analysis on a server without internet access

If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL code scanning for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from GitHub.com to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.

If you set up the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.
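The following script is an added example of the two-stage pattern the sync tool is built for on an air-gapped appliance: pull the action and bundle into a cache on an internet-connected machine, move the cache across the network boundary by whatever means your environment approves, then push it into GitHub Enterprise Server from inside. It is not part of the GitHub documentation or of the sync tool itself. The subcommands and flags (pull, push, --cache-dir, --destination-url, --destination-token) follow the tool's README as of this writing; confirm them with codeql-action-sync --help for the release you download. GHES_ADMIN_TOKEN is a hypothetical variable name for the personal access token of the GHES account that will own the synced repository.

```shell
#!/bin/sh
# Two-stage CodeQL action sync for an air-gapped GitHub Enterprise Server.
# Added example, not GitHub's own code. Flag names are taken from the
# codeql-action-sync-tool README; verify them with `codeql-action-sync --help`.
# GHES_ADMIN_TOKEN (hypothetical name) must hold a GHES personal access token.
set -eu

# Print the command instead of executing it when DRY_RUN is set, so the
# sequence can be reviewed (and tested) on a host without the tool installed.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stage 1 (internet-connected machine): download the CodeQL action releases
# and their CodeQL analysis bundles into a local cache directory.
sync_pull() {
  cache=$1
  run codeql-action-sync pull --cache-dir "$cache"
}

# Stage 2 (inside the restricted network, after the cache has been copied
# across the boundary): push the cache into GHES as a repository.
sync_push() {
  cache=$1; ghes_url=$2
  if [ -n "${DRY_RUN:-}" ]; then
    token='<redacted>'   # never print a real token, even in a dry run
  else
    : "${GHES_ADMIN_TOKEN:?set GHES_ADMIN_TOKEN to a GHES personal access token}"
    [ -d "$cache" ] || { echo "error: cache dir '$cache' not found" >&2; return 1; }
    token=$GHES_ADMIN_TOKEN
  fi
  # The tool takes the token as a flag, so run this from a CI job that does
  # not echo its command lines (no `set -x`) to keep the token out of logs.
  run codeql-action-sync push --cache-dir "$cache" \
      --destination-url "$ghes_url" --destination-token "$token"
}

# Usage:
#   sh sync.sh pull ./codeql-cache                           # connected host
#   sh sync.sh push ./codeql-cache https://ghes.example.com  # inside host
case "${1:-}" in
  pull) sync_pull "${2:?cache directory required}" ;;
  push) sync_push "${2:?cache directory required}" "${3:?GHES URL required}" ;;
esac
```

Repeat the pull/push pair whenever you want to pick up a newer CodeQL action or bundle; the tool syncs the latest releases, which are the ones compatible with GitHub Enterprise Server.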

Configuring GitHub Connect to sync GitHub Actions

  1. If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. For more information, see "Enabling GitHub Connect."
  2. You'll also need to enable GitHub Actions for your GitHub Enterprise Server instance. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
  3. The next step is to configure access to actions on GitHub.com using GitHub Connect. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
  4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."

Running code scanning using the CodeQL CLI

If you don't want to use GitHub Actions, you should run code scanning using the CodeQL CLI.

The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. For more information, see "Installing CodeQL CLI in your CI system."
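As an added example (not GitHub's own code or documentation), the script below shows the three CodeQL CLI steps a third-party CI job runs to produce code scanning alerts on GitHub Enterprise Server: build a CodeQL database, analyze it with the code-scanning query suite shipped in the bundle, and upload the resulting SARIF. It also applies the Git-in-PATH check from the prerequisites above before starting. It assumes the CodeQL CLI and its bundled query packs are installed on the CI machine, and that the job exports a GHES token with the security_events (or repo) scope in CODEQL_UPLOAD_TOKEN, a hypothetical variable name. The suite name pattern <language>-code-scanning.qls matches the suites shipped for the supported languages.

```shell
#!/bin/sh
# CodeQL CLI pipeline for a third-party CI system targeting GitHub Enterprise
# Server. Added example, not part of the GitHub documentation.
# Assumes: `codeql` (with bundled query packs) and `git` on PATH, and a GHES
# token in CODEQL_UPLOAD_TOKEN (hypothetical variable name).
set -eu

# Print the command instead of running it when DRY_RUN is set, so the
# sequence can be reviewed (and tested) on a machine without CodeQL.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# CodeQL shells out to git; fail early if a tool is missing from PATH rather
# than part-way through a long analysis.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "error: '$1' not found in PATH" >&2
    return 1
  }
}

# scan_and_upload LANGUAGE OWNER/REPO GIT_REF COMMIT_SHA GHES_URL [SOURCE_ROOT]
scan_and_upload() {
  lang=$1; repo=$2; ref=$3; sha=$4; ghes_url=$5; src=${6:-.}
  db="codeql-db-$lang"
  sarif="codeql-$lang.sarif"

  if [ -z "${DRY_RUN:-}" ]; then
    require_tool git
    require_tool codeql
    : "${CODEQL_UPLOAD_TOKEN:?set CODEQL_UPLOAD_TOKEN to a GHES token}"
  fi

  # 1. Build the CodeQL database. For compiled languages add
  #    --command='<your build command>' so CodeQL can observe the build.
  run codeql database create "$db" --language="$lang" --source-root="$src"

  # 2. Run the code-scanning suite from the bundle and emit SARIF, the format
  #    GitHub Enterprise Server ingests.
  run codeql database analyze "$db" "$lang-code-scanning.qls" \
      --format=sarif-latest --output="$sarif"

  # 3. Upload to GHES. The token is passed on stdin (--github-auth-stdin) so
  #    it never appears on the command line, in `ps` output, or in CI logs.
  printf '%s' "${CODEQL_UPLOAD_TOKEN:-}" | run codeql github upload-results \
      --repository="$repo" --ref="$ref" --commit="$sha" \
      --sarif="$sarif" --github-url="$ghes_url" --github-auth-stdin
}

# Run only when invoked with arguments, e.g. from a CI job:
#   sh codeql-ci.sh javascript octo-org/octo-repo refs/heads/main \
#      "$(git rev-parse HEAD)" https://ghes.example.com/
if [ "$#" -gt 0 ]; then
  scan_and_upload "$@"
fi
```

Pass the ref and commit that the CI job actually checked out (for pull requests, the merge ref GitHub provides); alerts are attached to that commit, and a mismatch means they will not appear on the expected branch or pull request.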

Running code scanning using the CodeQL runner

Note: The CodeQL runner is being deprecated. On GitHub Enterprise Server 3.0 and later, you can install CodeQL CLI version 2.6.3 to replace the CodeQL runner.

For more information, see the CodeQL runner deprecation. For more information about migrating to the CodeQL CLI, see "Migrating from the CodeQL runner to the CodeQL CLI."

If you don't want to use GitHub Actions, you can run code scanning using the CodeQL runner.

The CodeQL runner is a command-line tool that you can add to your third-party CI/CD system. The tool runs CodeQL analysis on a checkout of a GitHub repository. For more information, see "Running code scanning in your CI system."