Skip to main content
ドキュメントには� �繁に更新が� えられ、その都度公開されています。本ページの翻訳はま� 未完成な部分があることをご了承く� さい。最新の情� �については、英語のドキュメンテーションをご参照く� さい。本ページの翻訳に問題がある� �合はこちらまでご連絡く� さい。

このバージョンの GitHub Enterprise はこの日付をもって終了となりました: 2022-06-03. 重大なセキュリティの問題に対してであっても、パッチリリースは作成されません。 パフォーマンスの向上、セキュリティの改善、新機能のためには、最新バージョンのGitHub Enterpriseにアップグレードしてく� さい。 アップグレードに関する支援については、GitHub Enterprise supportに連絡してく� さい。

Configuring code scanning for your appliance

You can enable, configure and disable code scanning for GitHub Enterprise Serverインスタンス. Code scanning allows users to scan code for vulnerabilities and errors.

Code scanning is available for organization-owned repositories where GitHub Advanced Security is enabled. 詳しい情� �については、「GitHub Advanced Security について」を参照してく� さい。

About code scanning

Code scanning は、開発者が GitHub リポジトリ内のコードを分析して、セキュリティの脆弱性とコーディングエラーを見つけることができる機能です。 分析によって特定されたすべての問題はGitHub Enterprise Serverに表示されます。

You can configure code scanning to run CodeQL analysis and third-party analysis. Code scanning also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The table below summarizes all the options available to users when you configure GitHub Enterprise Serverインスタンス to allow code scanning using actions.

分析の種類 アラート生成のオプション
CodeQL Using GitHub Actions (see "Setting up code scanning using actions") or running CodeQL analysis in a third-party continuous integration (CI) system (see "About CodeQL code scanning in your CI system").
サードパーティ Using GitHub Actions (see "Setting up code scanning using actions") or generated externally and uploaded to GitHub Enterprise Server (see "Uploading a SARIF file to GitHub").

Checking whether your license includes GitHub Advanced Security

You can identify if your enterprise has a GitHub Advanced Security license by reviewing your enterprise settings. For more information, see "Enabling GitHub Advanced Security for your enterprise."

Prerequisites for code scanning

Running code scanning using GitHub Actions

Setting up a self-hosted runner

GitHub Enterprise Server can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Provisioning the actions for code scanning

If you want to use actions to run code scanning on GitHub Enterprise Server, the actions must be available on your appliance.

The CodeQL action is included in your installation of GitHub Enterprise Server. If GitHub Enterprise Server has access to the internet, the action will automatically download the CodeQL bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the CodeQL analysis bundle available locally. For more information, see "Configuring CodeQL analysis on a server without internet access" below.

You can also make third-party actions available to users for code scanning, by setting up GitHub Connect. For more information, see "Configuring GitHub Connect to sync GitHub Actions" below.

Configuring CodeQL analysis on a server without internet access

If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL code scanning for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from GitHub.com to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.

If you set up the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.

Configuring GitHub Connect to sync GitHub Actions

  1. If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. For more information, see "Enabling GitHub Connect."
  2. You'll also need to enable GitHub Actions for GitHub Enterprise Serverインスタンス. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
  3. The next step is to configure access to actions on GitHub.com using GitHub Connect. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
  4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."

Running code scanning using the CodeQL CLI

If you don't want to use GitHub Actions, you should run code scanning using the CodeQL CLI.

The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. For more information, see "Installing CodeQL CLI in your CI system."

Running code scanning using the CodeQLランナー

Note: The CodeQLランナー is being deprecated. On GitHub Enterprise Server 3.0 and greater, you can install CodeQL CLI version 2.6.3 to replace CodeQLランナー.

For more information, see the CodeQL runner deprecation. CodeQL CLIへの移行に関する情� �については「CodeQLランナーからCodeQL CLIへの移行」を参照してく� さい。

If you don't want to use GitHub Actions, you can run code scanning using the CodeQLランナー.

The CodeQLランナー is a command-line tool that you can add to your third-party CI/CD system. The tool runs CodeQL analysis on a checkout of a GitHub repository. For more information, see "Running code scanning in your CI system."