
About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. For more information, see "GitHub's products."


Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use the code scanning API. For more information about API endpoints, see "Code scanning."

To get started with code scanning, see "Enabling code scanning for a repository."

About CodeQL

You can use code scanning with CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.

QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.

Code scanning with CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code written in the following supported languages:

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

You can view and contribute to the queries for code scanning in the github/codeql repository. For more information, see CodeQL queries in the CodeQL documentation.

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."

About third-party code scanning tools

You can upload SARIF files from third-party static analysis tools to GitHub and see code scanning alerts in your repository.

Code scanning is interoperable with third-party code scanning tools that produce Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

To get started, see "Uploading a SARIF file to GitHub."
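As an added example that is not part of the original GitHub documentation: a small Python reader for the SARIF 2.1.0 structure a third-party tool produces, run on a constructed sample log from a hypothetical analyzer named "ExampleLinter" (rule ids EX001/EX002 and file paths are made up). It pulls out the fields a code scanning alert is built from (rule, level, file, line, message) and shows how a result without its own level falls back to the rule's default.

```python
"""Minimal SARIF 2.1.0 reader: extracts the per-result fields code scanning surfaces as alerts."""
import json

# Constructed sample SARIF log from a hypothetical third-party analyzer (not real output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleLinter",
            "rules": [
                {"id": "EX001",
                 "shortDescription": {"text": "Hard-coded credential"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "EX002",
                 "shortDescription": {"text": "Unused import"}},
            ]}},
        "results": [
            # No explicit level: must inherit "error" from the rule's defaultConfiguration.
            {"ruleId": "EX001",
             "message": {"text": "Password literal assigned to variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 17}}}]},
            # Explicit level on the result overrides any rule default.
            {"ruleId": "EX002", "level": "note",
             "message": {"text": "'os' imported but unused"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def extract_alerts(sarif_text):
    """Return one (ruleId, level, uri, startLine, message) tuple per SARIF result.

    Level resolution follows the SARIF spec: result.level if present, otherwise the
    rule's defaultConfiguration.level, otherwise the spec default "warning".
    """
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("this reader expects a SARIF 2.1.0 log")
    alerts = []
    for run in log["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = res["locations"][0]["physicalLocation"]  # first location only
            alerts.append((res.get("ruleId"), level, loc["artifactLocation"]["uri"],
                           loc["region"]["startLine"], res["message"]["text"]))
    return alerts
```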
