


About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.


Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.

About code scanning

With code scanning, developers can quickly and automatically analyze the code in a GitHub repository to find security vulnerabilities and coding errors.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing alerts from code scanning."

Code scanning supports both compiled and interpreted languages, and can find vulnerabilities and errors in code written in the following supported languages:

  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Python

Code scanning uses GitHub Actions. For more information, see "About GitHub Actions."

To get started with code scanning, see "Enabling code scanning."

For more information about API endpoints for code scanning, see "Code scanning."

About CodeQL

By default, code scanning uses CodeQL, a semantic code analysis engine. CodeQL treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. You can use CodeQL to find all variants of a vulnerability, and remove all the variants from your code.

QL is the query language that powers CodeQL. QL is an object-oriented logic programming language. GitHub, language experts, and security researchers create the queries used for code scanning, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see CodeQL on the GitHub Security Lab website.

You can view and contribute to the queries for code scanning in the github/codeql repository. For more information, see CodeQL queries in the CodeQL documentation.

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."

About third-party code scanning tools

You can upload SARIF files from third-party static analysis tools to GitHub and see code scanning alerts from those tools in your repository.

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

To get started, see "Uploading a SARIF file to GitHub."
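As an added illustration (not GitHub's own code), the following shows the shape of a minimal SARIF 2.1.0 log that a third-party analyzer might produce for upload, and a small parser that turns each result into the alert-style record (tool, rule, level, file, line) that code scanning displays. The tool name, rule IDs, file paths and schema URL are constructed sample values; note that a result without a location cannot be shown in a file view.

```python
import json

# Constructed sample: a minimal SARIF 2.1.0 log from a hypothetical
# third-party analyzer. Values are illustrative, not real findings.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer", "version": "1.0.0",
            "rules": [{"id": "EX001",
                       "shortDescription": {"text": "Hard-coded credential"}}]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Password literal found"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 12}}}]},
            # Second result deliberately has no location: it is valid SARIF
            # but cannot be attached to a line in the repository.
            {"ruleId": "EX002", "message": {"text": "Unused import"}},
        ]}]})

# Severity levels defined by SARIF 2.1.0; "warning" is the default when absent.
VALID_LEVELS = {"none", "note", "warning", "error"}


def summarize_sarif(text):
    """Parse a SARIF log and return one alert-like dict per result."""
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError("expected a SARIF 2.1.0 log")
    alerts = []
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]  # driver name is required
        for res in run.get("results", []):
            level = res.get("level", "warning")
            if level not in VALID_LEVELS:
                raise ValueError(f"invalid level {level!r}")
            path, line = None, None
            locs = res.get("locations") or []
            if locs:  # use the primary (first) physical location
                phys = locs[0]["physicalLocation"]
                path = phys["artifactLocation"]["uri"]
                line = phys.get("region", {}).get("startLine")
            alerts.append({"tool": tool, "rule": res.get("ruleId"),
                           "level": level, "file": path, "line": line,
                           "message": res["message"]["text"]})
    return alerts
```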
