Skip to main content

About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available for organization-owned repositories in GitHub Enterprise Server. This feature requires a license for GitHub Advanced Security. For more information, see "GitHub's products."

Note: Your site administrator must enable code scanning for GitHub Enterprise Serverインスタンス before you can use this feature. For more information, see "Configuring code scanning for your appliance."

About code scanning

Code scanning は、開発者が GitHub リポジトリ内のコードを分析して、セキュリティの脆弱性とコーディングエラーを見つけることができる機能です。 分析によって特定されたすべての問題はGitHub Enterprise Serverに表示されます。

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "Code scanning."

To get started with code scanning, see "Setting up code scanning for a repository."

About tools for code scanning

You can set up code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.

About CodeQL analysis

CodeQLはGitHubが開発した、セキュリティチェックを自動化するためのコード分析エンジンです。 CodeQLを使ってコードを分析し、結果をcode scanningアラートとして表示できます。 For more information about CodeQL, see "About code scanning with CodeQL."

About third-party code scanning tools

Code scanningは、Static Analysis Results Interchange Format (SARIF) データを出力するサードパーティのコードスキャンニングツールと相互運用できます。 SARIFはオープン標準です。 詳しい情報については「code scanningのためのSARIF出力」を参照してください。

You can run third-party analysis tools within GitHub Enterprise Server using actions or within an external CI system. For more information, see "Setting up code scanning for a repository" or "Uploading a SARIF file to GitHub."