Using code scanning with your existing CI system

Dans cet article

You can analyze your code with the CodeQL CLI or another tool in a third-party continuous integration system and upload the results to GitHub.com. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.

Code scanning est disponible pour tous les dépôts publics sur GitHub.com. Code scanning est également disponible pour des dépôts privés appartenant à des organisations qui utilisent GitHub Enterprise Cloud et ont une licence pour GitHub Advanced Security. Pour plus d’informations, consultez « À propos de GitHub Advanced Security ».

About using code scanning with your existing CI system

As an alternative to running code scanning within GitHub using GitHub Actions, you can analyze code in an external continuous integration or continuous delivery/deployment (CI/CD) system, then upload the results to GitHub.

You can add the CodeQL CLI to your third-party system, or use another third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data. For more information about the supported SARIF format, see "Prise en charge de SARIF pour l’analyse du code."

The CodeQL CLI is a standalone, command-line tool that you can use to analyze code. For more information, see "À propos de CodeQL CLI."

Alerts for code scanning that you generate externally are displayed in the same way as those for code scanning that you generate within GitHub. Si vous exécutez l’analyse du code à l’aide de plusieurs configurations, la même alerte est parfois générée par plusieurs configurations. Si une alerte provient de plusieurs configurations, vous pouvez afficher l’état de l’alerte pour chaque configuration sur la page des alertes. Pour plus d’informations, consultez « À propos des alertes d’analyse du code ».

Remarque : le chargement de données SARIF à afficher comme résultats code scanning dans GitHub est pris en charge pour des dépôts appartenant à l’organisation avec GitHub Advanced Security activé, ainsi que des dépôts publics sur GitHub.com. Pour plus d’informations, consultez « Gestion des paramètres de sécurité et d’analyse pour votre dépôt ».

Setting up your analysis tool

You will first need to download your analysis tool of choice and set it up with your CI system.

If you are using the CodeQL CLI, you need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL code scanning analysis on. For more information, see "Configuration de CodeQL CLI."

Once you've made your analysis tool available to servers in your CI system, you're ready to generate data.

Analyzing code

To analyze code with the CodeQL CLI or another analysis tool, you will want to check out the code you want to analyze and set up the codebase environment, making sure that any dependencies are available. You may also want to find the build command for the codebase, typically available in your CI system's configuration file.

You can then complete the steps to analyze your codebase and produce results, which will differ based on the static analysis tool you are using.

If you are using the CodeQL CLI, you will first need to create a CodeQL database from your code, then analyze the database to produce SARIF results. For more information, see "Préparation de votre code pour l’analyse CodeQL" and "Analyse de votre code avec des requêtes CodeQL."

Generating a token for authentication with GitHub

Each CI server needs a GitHub App or personal access token to use to upload results to GitHub, whether you are using the CodeQL CLI, the REST API, or another method. You must use an access token or a GitHub App with the security_events write permission. If CI servers already use a token with this scope to checkout repositories from GitHub, you could potentially use the same token. Otherwise, you should create a new token with the security_events write permission and add this to the CI system's secret store. For information, see "Création d’applications GitHub" and "Gestion de vos jetons d’accès personnels."

For more information on the different methods for uploading results to GitHub, see "Chargement d’un fichier SARIF sur GitHub."

Uploading your results to GitHub

Once you have analyzed your code, produced SARIF results, and ensured you can authenticate with GitHub, you can upload the results to GitHub. For more information on the different methods you can use to upload your results, see "Chargement d’un fichier SARIF sur GitHub."

For specific details on uploading your results to GitHub using the CodeQL CLI, see "Chargement des résultats d’analyse de CodeQL sur GitHub."

By default, code scanning expects one SARIF results file per analysis for a repository. Consequently, when you upload a second SARIF results file for a commit, it is treated as a replacement for the original set of data. You may want to upload two different SARIF files for one analysis if, for example, your analysis tool generates a different SARIF file for each language it analyzes or each set of rules it uses. If you want to upload more than one set of results for a commit in a repository, you must identify each set of results as a unique set. The way to specify a category for a SARIF upload varies according to the analysis method. For more information, see "Prise en charge de SARIF pour l’analyse du code."