注: この機能を使うには、サイト管理者が の code scanning を有効にする必要があります。 コードをスキャンするためにGitHub Actionsを使いなら、サイト管理者はGitHub Actionsの有効化と、必要なインフラストラクチャのセットアップもしなければなりません。 詳細については、「アプライアンスでの code scanning の構成」を参照してく� さい。
Note: This article describes the features available with the version of the CodeQL action and associated CodeQL CLI bundle included in the initial release of this version of GitHub Enterprise Server. If your enterprise uses a more recent version of the CodeQL action, see the GitHub Enterprise Cloud article for information on the latest features. For information on using the latest version, see "Configuring code scanning for your appliance."
About code scanning configuration
You can run code scanning on GitHub Enterprise Server, using GitHub Actions, or from your continuous integration (CI) system. For more information, see "About GitHub Actions" or "About CodeQL code scanning in your CI system."
This article is about running code scanning on GitHub Enterprise Server using actions.
Before you can customize code scanning for a repository, you must configure code scanning by adding a GitHub Actions workflow to the repository. For more information, see "Configuring code scanning for a repository."
通常、code scanning のデフォルトのワークフローを編集する必要はありません。 た� し、必要な� �合にはワークフローを編集して設定の一部をカスタマイズできます。 たとえば、GitHub の CodeQL analysis workflowを編集すると、スキャンの� �度、スキャンする言語やディレクトリ、CodeQL code scanning を使ったコード内での検索対象を指定できます。 コードのコンパイルに特定のコマンド セットを使う� �合にも、CodeQL analysis workflowの編集が必要となる� �合があります。
CodeQL analysis is just one type of code scanning you can do in GitHub. GitHub Marketplace on GitHub.com contains other code scanning workflows you can use. The specific examples given in this article relate to the CodeQL analysis workflow file.
Editing a code scanning workflow
GitHub saves workflow files in the .github/workflows directory of your repository. You can find a workflow you have added by searching for its file name. For example, by default, the workflow file for CodeQL code scanning is called codeql-analysis.yml.
- In your repository, browse to the workflow file you want to edit.
- In the upper right corner of the file view, to open the workflow editor, click .
- After you have edited the file, click Start commit and complete the "Commit changes" form. You can choose to commit directly to the current branch, or create a new branch and start a pull request.
For more information about editing workflow files, see "Learn GitHub Actions."
Configuring frequency
You can configure the CodeQL analysis workflow to scan code on a schedule or when specific events occur in a repository.
Scanning code when someone pushes a change, and whenever a pull request is created, prevents developers from introducing new vulnerabilities and errors into the code. Scanning code on a schedule informs you about the latest vulnerabilities and errors that GitHub, security researchers, and the community discover, even when developers aren't actively maintaining the repository.
Scanning on push
By default, the CodeQL analysis workflow uses the on.push
event to trigger a code scan on every push to the default branch of the repository and any protected branches. For code scanning to be triggered on a specified branch, the workflow must exist in that branch. For more information, see "Workflow syntax for GitHub Actions."
If you scan on push, then the results appear in the Security tab for your repository. For more information, see "Managing code scanning alerts for your repository."
Additionally, when an on:push
scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on code scanning alerts in pull requests, see "Triaging code scanning alerts in pull requests."
Scanning pull requests
The default CodeQL analysis workflow uses the pull_request
event to trigger a code scan on pull requests targeted against the default branch. The pull_request
event is not triggered if the pull request was opened from a private fork.
For more information about the pull_request
event, see "Events that trigger workflows."
If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see "Triaging code scanning alerts in pull requests."
Using the pull_request
trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the on:push
trigger and code scanning will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see "Scanning on push."
Defining the severities causing pull request check failure
By default, only alerts with the severity level of Error
or security severity level of Critical
or High
will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities and of security severities that will cause a pull request check failure in your repository settings. For more information about severity levels, see "About code scanning alerts."
-
で、リポジトリのメイン ページへ移動します。
-
リポジトリ名の下の [ 設定] をクリックします。
-
サイドバーで、 [セキュリティと分析] をクリックします。
-
Under "Code scanning", to the right of "Check Failure", use the drop-down menu to select the level of severity you would like to cause a pull request check failure.
Avoiding unnecessary scans of pull requests
You might want to avoid a code scan being triggered on specific pull requests targeted against the default branch, irrespective of which files have been changed. You can configure this by specifying on:pull_request:paths-ignore
or on:pull_request:paths
in the code scanning workflow. For example, if the only changes in a pull request are to files with the file extensions .md
or .txt
you can use the following paths-ignore
array.
on:
push:
branches: [main, protected]
pull_request:
branches: [main]
paths-ignore:
- '**/*.md'
- '**/*.txt'
Notes
on:pull_request:paths-ignore
andon:pull_request:paths
set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions are run. When a pull request contains any files that are not matched byon:pull_request:paths-ignore
oron:pull_request:paths
, the workflow runs the actions and scans all of the files changed in the pull request, including those matched byon:pull_request:paths-ignore
oron:pull_request:paths
, unless the files have been excluded. For information on how to exclude files from analysis, see "Specifying directories to scan."- For CodeQL code scanning workflow files, don't use the
paths-ignore
orpaths
keywords with theon:push
event as this is likely to cause missing analyses. For accurate results, CodeQL code scanning needs to be able to compare new changes with the analysis of the previous commit.
For more information about using on:pull_request:paths-ignore
and on:pull_request:paths
to determine when a workflow will run for a pull request, see "Workflow syntax for GitHub Actions."
Scanning on a schedule
If you use the default CodeQL analysis workflow, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the cron
value in the workflow. For more information, see "Workflow syntax for GitHub Actions."
Note: GitHub only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch.
Example
The following example shows a CodeQL analysis workflow for a particular repository that has a default branch called main
and one protected branch called protected
.
on:
push:
branches: [main, protected]
pull_request:
branches: [main]
schedule:
- cron: '20 14 * * 1'
This workflow scans:
- Every push to the default branch and the protected branch
- Every pull request to the default branch
- The default branch every Monday at 14:20 UTC
Specifying an operating system
If your code requires a specific operating system to compile, you can configure the operating system in your CodeQL analysis workflow. Edit the value of jobs.analyze.runs-on
to specify the operating system for the machine that runs your code scanning actions. You specify the operating system by using an appropriate label as the second element in a two-element array, after self-hosted
.
jobs:
analyze:
name: Analyze
runs-on: [self-hosted, ubuntu-latest]
CodeQL code scanning supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: ubuntu-latest
, windows-latest
, and macos-latest
. For more information, see "Choosing the runner for a job" and "Using labels with self-hosted runners."
You must ensure that Git is in the PATH variable on your self-hosted runners. For more information, see "About self-hosted runners" and "Adding self-hosted runners."
For recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis, see "Recommended hardware resources for running CodeQL."
Specifying the location for CodeQL databases
In general, you do not need to worry about where the CodeQL analysis workflow places CodeQL databases since later steps will automatically find databases created by previous steps. However, if you are writing a custom workflow step that requires the CodeQL database to be in a specific disk location, for example to upload the database as a workflow artifact, you can specify that location using the db-location
parameter under the init
action.
- uses: github/codeql-action/init@v1
with:
db-location: '${{ github.workspace }}/codeql_dbs'
The CodeQL analysis workflow will expect the path provided in db-location
to be writable, and either not exist, or be an empty directory. When using this parameter in a job running on a self-hosted runner or using a Docker container, it's the responsibility of the user to ensure that the chosen directory is cleared between runs, or that the databases are removed once they are no longer needed. This is not necessary for jobs running on GitHub-hosted runners, which obtain a fresh instance and a clean filesystem each time they run. For more information, see "About GitHub-hosted runners."
If this parameter is not used, the CodeQL analysis workflow will create databases in a temporary location of its own choice.
Changing the languages that are analyzed
CodeQL code scanning automatically detects code written in the supported languages.
- C/C++
- C#
- Go
- Java
- JavaScript/TypeScript
- Python
注: JavaScript、TypeScript、またはその両方で記述されたコードを分析するには javascript
を使用します。
詳細については、CodeQL Web サイトのドキュメント「サポートされている言語とフレー� ワーク」を参照してく� さい。
The default CodeQL analysis workflow file contains a matrix called language
which lists the languages in your repository that are analyzed. CodeQL automatically populates this matrix when you add code scanning to a repository. Using the language
matrix optimizes CodeQL to run each analysis in parallel. We recommend that all workflows adopt this configuration due to the performance benefits of parallelizing builds. For more information about matrices, see "Using a matrix for your jobs."
サポートされている 1 つ以上の言語のコードがリポジトリに含まれている� �合は、分析する言語を選択できます。 言語が分析されないようにする理由は、いくつかあります。 たとえば、プロジェクトで、コードの本体に対する依存関係が別の言語の中にあり、それらの依存関係のアラートを表示したくない� �合が考えられます。
If your workflow uses the language
matrix then CodeQL is hardcoded to analyze only the languages in the matrix. To change the languages you want to analyze, edit the value of the matrix variable. You can remove a language to prevent it being analyzed or you can add a language that was not present in the repository when code scanning was configured. For example, if the repository initially only contained JavaScript when code scanning was configured, and you later added Python code, you will need to add python
to the matrix.
jobs:
analyze:
name: Analyze
...
strategy:
fail-fast: false
matrix:
language: ['javascript', 'python']
If your workflow does not contain a matrix called language
, then CodeQL is configured to run analysis sequentially. If you don't specify languages in the workflow, CodeQL automatically detects, and attempts to analyze, any supported languages in the repository. If you want to choose which languages to analyze, without using a matrix, you can use the languages
parameter under the init
action.
- uses: github/codeql-action/init@v1
with:
languages: cpp, csharp, python
Configuring a category for the analysis
Use category
to distinguish between multiple analyses for the same tool and commit, but performed on different languages or different parts of the code. The category you specify in your workflow will be included in the SARIF results file.
This parameter is particularly useful if you work with monorepos and have multiple SARIF files for different components of the monorepo.
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
with:
# Optional. Specify a category to distinguish between multiple analyses
# for the same tool and ref. If you don't use `category` in your workflow,
# GitHub will generate a default category name for you
category: "my_category"
If you don't specify a category
parameter in your workflow, GitHub Enterprise Server will generate a category name for you, based on the name of the workflow file triggering the action, the action name, and any matrix variables. For example:
- The
.github/workflows/codeql-analysis.yml
workflow and theanalyze
action will produce the category.github/workflows/codeql.yml:analyze
. - The
.github/workflows/codeql-analysis.yml
workflow, theanalyze
action, and the{language: javascript, os: linux}
matrix variables will produce the category.github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux
.
The category
value will appear as the <run>.automationDetails.id
property in SARIF v2.1.0. For more information, see "SARIF support for code scanning."
Your specified category will not overwrite the details of the runAutomationDetails
object in the SARIF file, if included.
Running additional queries
コードをスキャンするためにCodeQLを使う� �合、CodeQL分析エンジンはコードからデータベースを生成し、それに対してクエリを実行します。 CodeQLの分析はデフォルトのクエリセットを使いますが、デフォルトのクエリに� えてもっと多くのクエリを実行するよう指定することもできます。
実行したいクエリが他にあれば、リポジトリ内の QL パックに属していなければなりません。 詳細については、「code scanning と CodeQL について」を参照してく� さい。
1 つの .ql ファイル、複数の .ql ファイルを含むディレクトリ、 .qls クエリ スイート定義ファイル、または任意の組み合わせを指定できます。 クエリ スイート定義の詳細については、「CodeQL クエリ スイートの作成」を参照してく� さい。
To add one or more queries, add a with: queries:
entry within the uses: github/codeql-action/init@v1
section of the workflow. If the queries are in a private repository, use the external-repository-token
parameter to specify a token that has access to checkout the private repository.
- uses: github/codeql-action/init@v1
with:
queries: COMMA-SEPARATED LIST OF PATHS
# Optional. Provide a token to access queries stored in private repositories.
external-repository-token: ${{ secrets.ACCESS_TOKEN }}
You can also specify query suites in the value of queries
. Query suites are collections of queries, usually grouped by purpose or language.
以下のクエリスイートはCodeQL code scanningに組み込まれており、利用可能です。
クエリ スイート | 説明 |
---|---|
security-extended | 既定のスイートからのクエリ、および重要度と精度の低いクエリ |
security-and-quality | security-extended からのクエリに� え、保守性および信� �性のクエリ。 |
クエリ スイートを指定すると、CodeQL の分析エンジンでは、既定の一連のクエリと、追� のクエリ スイートで定義されている追� クエリが実行されます。
If you also use a configuration file for custom settings, any additional queries specified in your workflow are used instead of those specified in the configuration file. If you want to run the combined set of additional queries, prefix the value of queries
in the workflow with the +
symbol. For more information, see "Using a custom configuration file."
In the following example, the +
symbol ensures that the specified additional queries are used together with any specified in the referenced configuration file.
- uses: github/codeql-action/init@v1
with:
config-file: ./.github/codeql/codeql-config.yml
queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
Using a custom configuration file
A custom configuration file is an alternative way to specify additional queries to run. You can also use the file to disable the default queries and to specify which directories to scan during analysis.
In the workflow file, use the config-file
parameter of the init
action to specify the path to the configuration file you want to use. This example loads the configuration file ./.github/codeql/codeql-config.yml.
- uses: github/codeql-action/init@v1
with:
config-file: ./.github/codeql/codeql-config.yml
構成ファイルは、分析するリポジトリ内、または外部リポジトリ内に� �納できます。 外部リポジトリを使用すると、1 つの� �所の複数のリポジトリに対して構成オプションを指定できます。 外部リポジトリにある構成ファイルを参照する� �合は、 OWNER/REPOSITORY/FILENAME@BRANCH 構文を使用できます。 たとえば、 octo-org/shared/codeql-config.yml@main です。
If the configuration file is located in an external private repository, use the external-repository-token
parameter of the init
action to specify a token that has access to the private repository.
- uses: github/codeql-action/init@v1
with:
external-repository-token: ${{ secrets.ACCESS_TOKEN }}
The settings in the configuration file are written in YAML format.
Specifying additional queries
You specify additional queries in a queries
array. Each element of the array contains a uses
parameter with a value that identifies a single query file, a directory containing query files, or a query suite definition file.
queries:
- uses: ./my-basic-queries/example-query.ql
- uses: ./my-advanced-queries
- uses: ./query-suites/my-security-queries.qls
Optionally, you can give each array element a name, as shown in the example configuration files below. For more information about additional queries, see "Running additional queries" above.
Disabling the default queries
If you only want to run custom queries, you can disable the default security queries by using disable-default-queries: true
.
Specifying directories to scan
For the interpreted languages that CodeQL supports (Python and JavaScript/TypeScript), you can restrict code scanning to files in specific directories by adding a paths
array to the configuration file. You can exclude the files in specific directories from analysis by adding a paths-ignore
array.
paths:
- src
paths-ignore:
- src/node_modules
- '**/*.test.js'
Note:
- The
paths
andpaths-ignore
keywords, used in the context of the code scanning configuration file, should not be confused with the same keywords when used foron.<push|pull_request>.paths
in a workflow. When they are used to modifyon.<push|pull_request>
in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "Workflow syntax for GitHub Actions." - The filter pattern characters
?
,+
,[
,]
, and!
are not supported and will be matched literally. **
characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix**
and other characters. For example,foo/**
,**/foo
, andfoo/**/bar
are all allowed syntax, but**foo
isn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a*
character.
For compiled languages, if you want to limit code scanning to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "Configuring the CodeQL workflow for compiled languages."
You can quickly analyze small portions of a monorepo when you modify code in specific directories. You'll need to both exclude directories in your build steps and use the paths-ignore
and paths
keywords for on.<push|pull_request>
in your workflow.
Example configuration files
この構成ファイルは、コードのスキャン時に CodeQL によって実行されるクエリのリストに security-and-quality
クエリ スイートを追� します。 使用できるクエリ スイートの詳細については、「追� のクエリを実行する」を参照してく� さい。
name: "My CodeQL config"
queries:
- uses: security-and-quality
以下の設定ファイルはデフォルトのクエリを無効化し、その代わりに実行するカスタ� クエリのセットを指定します。 また、CodeQL が、src/node_modules ディレクトリと .test.js で名前が終わるファイルを除く、src ディレクトリ (ルートに対する相対) 内のファイルをスキャンするようにも設定します。 src/node_modules 内のファイルと末尾が .test.js で終わる名前のファイルは、分析から除外されます。
name: "My CodeQL config"
disable-default-queries: true
queries:
- name: Use an in-repository QL pack (run queries in the my-queries directory)
uses: ./my-queries
- name: Use an external JavaScript QL pack (run queries from an external repo)
uses: octo-org/javascript-qlpack@main
- name: Use an external query (run a single query from an external QL pack)
uses: octo-org/python-qlpack/show_ifs.ql@main
- name: Use a query suite file (run queries from a query suite in this repo)
uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls
paths:
- src
paths-ignore:
- src/node_modules
- '**/*.test.js'
Configuring code scanning for compiled languages
サポートされているコンパイル言語の� �合、CodeQL analysis workflowの autobuild
アクションを使ってコードをビルドできます。 これにより、C/C++、C#、Java の明示的なビルド コマンドを指定する必要がなくなります。 これらの言語では、CodeQL は、ビルドされたリポジトリ内のソース ファイルを分析します。 これらの言語の� �合は、autobuild
を無効にし、その代わりにカスタ� ビルド コマンドによってビルドされたファイルのみを分析するためにこれらのカスタ� コマンドを使用できます。
autobuild
が失敗した� �合、または autobuild
プロセスによってビルドされたものとは異なるソース ファイルのセットを分析する� �合は、ワークフローから autobuild
ステップを削除し、ビルド ステップを手動で追� する必要があります。 C/C++、C#、Go、Java プロジェクトの� �合、CodeQL では、指定したビルド ステップによってビルドされたソース コードを分析します。 For more information about how to configure CodeQL code scanning for compiled languages, see "Configuring the CodeQL workflow for compiled languages."
Uploading code scanning data to GitHub
GitHub can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the upload-sarif
action. For more information, see "Uploading a SARIF file to GitHub."