
Configuring code scanning for your appliance

You can enable, configure, and disable code scanning for GitHub Enterprise Server. Code scanning allows users to scan code for vulnerabilities and errors.

Who can use this feature?

Code scanning is available for organization-owned repositories in GitHub Enterprise Server. This feature requires a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the repository.

You can configure code scanning to run CodeQL analysis and third-party analysis. Code scanning also supports running analysis natively using GitHub Actions or externally using existing CI/CD infrastructure. The sections below describe the options available to users when you configure your GitHub Enterprise Server instance to allow code scanning using actions.

Checking whether your license includes GitHub Advanced Security

You can check whether your enterprise has a GitHub Advanced Security license by reviewing the enterprise settings. For more information, see "Enabling GitHub Advanced Security for your enterprise."

Prerequisites for code scanning

Running code scanning using GitHub Actions

Provisioning a self-hosted runner

GitHub Enterprise Server can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

If you are provisioning a self-hosted runner for CodeQL analysis, your runner must use a CodeQL-supported operating system version and CPU architecture. For more information, see the CodeQL system requirements.

If you are using default setup for code scanning, assign the code-scanning label to your self-hosted runner. For more information about using labels with self-hosted runners, see "Using labels with self-hosted runners." For more information about using default setup for code scanning analysis of compiled languages, see "CodeQL code scanning for compiled languages."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Note: If you use CodeQL code scanning to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.
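As an added example that is not part of the GitHub docs, the following POSIX shell script checks the runner prerequisites listed above before you register a self-hosted runner for CodeQL: a supported OS/CPU pair, git resolvable via PATH, and a Python 3 interpreter when Python code will be analyzed. The supported-platform list inside `codeql_platform_supported` is an assumption for illustration; compare it against the CodeQL system requirements for your bundle version.

```shell
#!/bin/sh
# Preflight checks for a self-hosted runner that will run CodeQL analysis.
# Added example, not from the GitHub docs. The platform list below is an
# assumption; verify it against the CodeQL system requirements page.

# codeql_platform_supported OS ARCH -> 0 if the pair is in the assumed list
codeql_platform_supported() {
    case "$1/$2" in
        Linux/x86_64|Linux/aarch64|Darwin/x86_64|Darwin/arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# tool_on_path NAME -> 0 if NAME resolves through PATH (the CodeQL action
# locates git this way, so a git binary outside PATH does not count)
tool_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# python_is_v3 VERSION_STRING -> 0 if the output of `python3 --version`
# names a 3.x interpreter (older interpreters print the version to stderr,
# hence the 2>&1 at the call site)
python_is_v3() {
    case "$1" in
        "Python 3."*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_preflight yes|no -> prints one line per check and returns the number
# of failed checks; the argument says whether Python code will be analyzed
run_preflight() {
    failures=0
    os=$(uname -s); arch=$(uname -m)
    if codeql_platform_supported "$os" "$arch"; then echo "ok   platform $os/$arch"
    else echo "FAIL platform $os/$arch not in supported list"; failures=$((failures+1)); fi
    if tool_on_path git; then echo "ok   git on PATH"
    else echo "FAIL git not found on PATH"; failures=$((failures+1)); fi
    if [ "$1" = yes ]; then
        if tool_on_path python3 && python_is_v3 "$(python3 --version 2>&1)"; then
            echo "ok   python3 present"
        else echo "FAIL Python 3 is required to analyze Python code"; failures=$((failures+1)); fi
    fi
    return "$failures"
}

# Usage: sh preflight.sh yes   (pass "no" if no Python code will be analyzed)
run_preflight "${1:-no}" || echo "$? check(s) failed; fix before registering the runner"
```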

Provisioning a runner scale set

You can use Actions Runner Controller to create a dedicated runner scale set for your GitHub Enterprise Server instance. For more information, see "Deploying runner scale sets with Actions Runner Controller."

Provisioning the actions for code scanning

If you want to use actions to run code scanning on GitHub Enterprise Server, the actions must be available on your appliance.

The CodeQL action is included in your installation of GitHub Enterprise Server. If both GitHub Enterprise Server 3.13 and your GitHub Actions runner have access to the internet, the action will automatically download the CodeQL 2.16.5 bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the latest released version of the CodeQL analysis bundle available locally. For more information, see "Configuring CodeQL analysis on a server without internet access" below.

You can also make third-party actions available to users for code scanning by setting up GitHub Connect. For more information, see "Configuring GitHub Connect to sync GitHub Actions" below.

Configuring CodeQL analysis on a server without internet access

If the server on which you are running GitHub Enterprise Server is not connected to the internet, and you want to allow users to enable CodeQL code scanning for their repositories, you must use the CodeQL action sync tool to copy the CodeQL analysis bundle from GitHub.com to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.

If you configure the CodeQL action sync tool, you can use it to sync the latest releases of the CodeQL action and associated CodeQL analysis bundle. These are compatible with GitHub Enterprise Server.

Configuring GitHub Connect to sync GitHub Actions

  1. If you want to download action workflows on demand from GitHub.com, you need to enable GitHub Connect. For more information, see "Managing GitHub Connect."
  2. You'll also need to enable GitHub Actions for your GitHub Enterprise Server instance. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
  3. The next step is to configure access to actions on GitHub.com using GitHub Connect. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."
  4. Add a self-hosted runner to your repository, organization, or enterprise account. For more information, see "Adding self-hosted runners."

Running code scanning using the CodeQL CLI

If you don't want to use GitHub Actions, you should run code scanning using the CodeQL CLI.

The CodeQL CLI is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. For more information, see "Using code scanning with your existing CI system."