Note: Code scanning is currently in beta and subject to change. To request access to the beta, join the waitlist.
You decide how you generate code scanning alerts, and which tools you use, at a repository level. GitHub provides fully integrated support for CodeQL analysis, and also supports analysis using third-party tools. For more information, see "About CodeQL."
| Tool | Options for generating alerts |
|---|---|
| CodeQL | Using GitHub Actions (see "Enabling code scanning using actions") or using the CodeQL runner in a third-party continuous integration (CI) system (see "Running code scanning in your CI system"). |
| Third-party | Using GitHub Actions (see "Enabling code scanning using actions") or generated externally and uploaded to GitHub (see "Uploading a SARIF file to GitHub"). |
Using actions to run code scanning will use minutes. For more information, see "About billing for GitHub Actions."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- To the right of "Code scanning", click Set up code scanning.
- Under "Get started with code scanning", click Set up this workflow on the CodeQL Analysis workflow or on a third-party workflow.
- Optionally, to customize how code scanning scans your code, edit the workflow. For more information, see "Configuring code scanning."
- Use the Start commit drop-down, and type a commit message.
- Choose whether you'd like to commit directly to the default branch, or create a new branch and start a pull request.
- Click Commit new file or Propose new file.
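The following is an added example of the kind of workflow file you commit in the steps above; it is not the starter workflow the page refers to. The action names (`actions/checkout`, `github/codeql-action/init`, `github/codeql-action/autobuild`, `github/codeql-action/analyze`) are the real GitHub-maintained actions, while the branch name, the cron schedule, the language list and the `permissions` block are assumptions chosen for illustration and should be adjusted to the repository.

```yaml
# Added example: .github/workflows/codeql-analysis.yml
# Not the page's own starter workflow. Branch name, schedule, language list
# and permissions are assumptions for illustration; pin the action major
# versions to whatever is current for your setup.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Weekly full scan of the default branch in addition to per-change scans.
    # Scheduled runs consume Actions minutes like any other run.
    - cron: '30 3 * * 1'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repository and upload
    # SARIF results to the code scanning API.
    permissions:
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # One job per language. Restrict this to languages the repository
        # actually contains so no minutes are spent building empty databases.
        language: [ 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

      # Compiled languages need a build between init and analyze so CodeQL
      # can observe the compilation; autobuild attempts that automatically.
      # Replace it with the project's real build commands if autobuild fails.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

If you propose this file on a new branch and open a pull request, the workflow runs against that topic branch only; the default branch (and the scheduled scan of it) is covered once the pull request is merged. Interpreted languages such as JavaScript and Python need no build step, but the `autobuild` step is harmless for them.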
After you commit the workflow file or create a pull request, code scanning will analyze your code according to the frequency you specified in your workflow file. If you created a pull request, code scanning will only analyze the code on the pull request's topic branch until you merge the pull request into the default branch of the repository.
After you enable code scanning, you can monitor analysis, view results, and further customize how you scan your code.
- You can view the run status of code scanning and get notifications for completed runs. For more information, see "Managing a workflow run" and "Configuring notifications."
- After a scan completes, you can view alerts from a completed scan. For more information, see "Managing alerts from code scanning."
- You can customize how Varredura de código scans the code in your repository. For more information, see "Configuring code scanning."