
GitHub AE is currently in limited release.

About CodeQL code scanning in your CI system

You can analyze your code with CodeQL in a third-party continuous integration system and upload the results to your enterprise. The resulting code scanning alerts are shown alongside any alerts generated within GitHub AE.

Code scanning is available for organization-owned repositories in GitHub AE. This is a GitHub Advanced Security feature (free during the beta release). For more information, see "About GitHub Advanced Security."

About CodeQL code scanning in your CI system

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub AE. For information, see "About code scanning with CodeQL."

You can run CodeQL code scanning within GitHub AE using GitHub Actions. Alternatively, if you use a third-party continuous integration or continuous delivery/deployment (CI/CD) system, you can run CodeQL analysis in your existing system and upload the results to your enterprise.

You add the CodeQL CLI to your third-party system, then call the tool to analyze code and upload the SARIF results to GitHub AE. The resulting code scanning alerts are shown alongside any alerts generated within GitHub AE.

If you run code scanning using multiple configurations, an alert will sometimes have multiple analysis origins. If an alert has multiple analysis origins, you can view the status of the alert for each analysis origin on the alert page. For more information, see "About code scanning alerts."

Note: Uploading SARIF data to display as code scanning results in GitHub AE is supported for organization-owned repositories with GitHub Advanced Security enabled. For more information, see "Managing security and analysis settings for your repository."

About the CodeQL CLI

The CodeQL CLI is a standalone, command-line tool that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to your enterprise.
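The following script is an added example, not code from the GitHub AE documentation or from the CodeQL project. It ties together the steps described above for a third-party CI job: it invokes the CodeQL CLI to create a database and analyze it, runs a pre-upload sanity check on the SARIF (version, at least one run, `tool.driver.name` present, and the `runs[].automationDetails.id` category that distinguishes analysis origins when several configurations scan the same commit), and builds the request for the `POST /repos/{owner}/{repo}/code-scanning/sarifs` endpoint, which expects the file gzip-compressed and base64-encoded. Assumptions: the CodeQL CLI bundle (CLI plus query packs) is on `PATH`, the job exposes a token with permission to upload code scanning results, and the environment variable names, the `ghae.example.com` hostname, the rule id and the sample SARIF are all constructed for illustration.

```python
# Added example (not from the GitHub AE docs or the CodeQL project): run the CodeQL
# CLI from a third-party CI job, sanity-check the SARIF, and build the upload request.
# Assumes the CodeQL bundle is on PATH; env var names, hostname and SAMPLE_SARIF are
# constructed for illustration.
import base64
import gzip
import json
import os
import subprocess
import urllib.request

MAX_GZIP_BYTES = 10 * 1024 * 1024  # the SARIF upload endpoint rejects larger gzip payloads

# Constructed sample in the shape `codeql database analyze` emits: SARIF 2.1.0, one run,
# tool.driver.name set, and automationDetails.id carrying the analysis category.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "automationDetails": {"id": "ci/javascript"},
        "results": [{"ruleId": "example/constructed-rule",
                     "message": {"text": "constructed sample finding"},
                     "locations": [{"physicalLocation": {
                         "artifactLocation": {"uri": "src/app.js"},
                         "region": {"startLine": 1}}}]}],
    }],
})

def codeql_commands(db_dir, language, sarif_path, category):
    """The two CLI steps as argv lists: `database create` extracts the code into a
    CodeQL database; `database analyze` runs the language's code-scanning suite and
    writes SARIF. --sarif-category lands in runs[].automationDetails.id, which is what
    keeps results from different configurations apart as separate analysis origins."""
    return [
        ["codeql", "database", "create", db_dir, f"--language={language}", "--source-root=."],
        ["codeql", "database", "analyze", db_dir, f"{language}-code-scanning.qls",
         "--format=sarif-latest", f"--output={sarif_path}", f"--sarif-category={category}"],
    ]

def run_analysis(db_dir, language, sarif_path, category):
    """Run both steps (check=True fails the job on a non-zero exit) and return the SARIF."""
    for argv in codeql_commands(db_dir, language, sarif_path, category):
        subprocess.run(argv, check=True)
    with open(sarif_path, encoding="utf-8") as fh:
        return fh.read()

def check_sarif(sarif_text):
    """Pre-upload sanity check: returns (result count, categories) or raises ValueError."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version {doc.get('version')!r}")
    runs = doc.get("runs") or []
    if not runs:
        raise ValueError("SARIF contains no runs; nothing would be uploaded")
    total, categories = 0, []
    for run in runs:
        if not run.get("tool", {}).get("driver", {}).get("name"):
            raise ValueError("run is missing tool.driver.name")
        categories.append(run.get("automationDetails", {}).get("id"))
        total += len(run.get("results") or [])
    return total, categories

def sarif_error(sarif_text):
    """check_sarif as a value: the error message, or None if the file is acceptable."""
    try:
        check_sarif(sarif_text)
        return None
    except ValueError as exc:
        return str(exc)

def encode_sarif(sarif_text):
    """gzip then base64, the encoding the upload API's `sarif` field expects."""
    compressed = gzip.compress(sarif_text.encode("utf-8"))
    if len(compressed) > MAX_GZIP_BYTES:
        raise ValueError("compressed SARIF exceeds the 10 MB upload limit")
    return base64.b64encode(compressed).decode("ascii")

def decode_sarif(encoded):
    """Inverse of encode_sarif, for verifying a payload before it is sent."""
    return gzip.decompress(base64.b64decode(encoded)).decode("utf-8")

def build_upload_request(api_url, owner, repo, commit_sha, ref, sarif_text, token):
    """POST /repos/{owner}/{repo}/code-scanning/sarifs (api_url is the instance's /api/v3)."""
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif_text)}
    return urllib.request.Request(
        f"{api_url}/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})

def request_payload(request):
    """Decode the JSON body of a request built above."""
    return json.loads(request.data.decode("utf-8"))

if __name__ == "__main__":  # CI wiring; the environment variable names are assumptions
    owner, repo = os.environ["GITHUB_REPOSITORY"].split("/", 1)
    sarif = run_analysis("codeql-db", os.environ.get("CODEQL_LANGUAGE", "javascript"),
                         "results.sarif", "ci/javascript")
    print("uploading %d results, categories %s" % check_sarif(sarif))
    req = build_upload_request(os.environ["GHAE_API_URL"], owner, repo, os.environ["GITHUB_SHA"],
                               os.environ["GITHUB_REF"], sarif, os.environ["GITHUB_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        print(resp.status, resp.read().decode("utf-8"))
```

Running the pre-upload check in the job, rather than relying on the server's response, catches an empty or malformed SARIF (for example an analysis step that silently produced no runs) before it is attributed to a commit. Use a distinct `--sarif-category` per configuration (per language, or per build variant of the same language) so each shows up as its own analysis origin on the alert page rather than overwriting the other's results.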

Use the CodeQL CLI to analyze:

  • Dynamic languages, for example, JavaScript and Python.
  • Compiled languages, for example, C/C++, C#, and Java.
  • Codebases written in a mixture of languages.

For more information, see "Installing CodeQL CLI in your CI system."


  • The CodeQL CLI is available to customers with an Advanced Security license.

  • The CodeQL CLI is currently not compatible with non-glibc Linux distributions such as (musl-based) Alpine Linux.