
About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Who can use this feature?

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server with GitHub Code Security enabled

Code scanning is a feature that you can use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the repository.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see Resolving code scanning alerts.

GitHub Copilot Autofix will suggest fixes for alerts from code scanning analysis, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see Responsible use of Copilot Autofix for code scanning.

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see Webhook events and payloads. For information about API endpoints, see REST API endpoints for code scanning.

To get started with code scanning, see Configuring default setup for code scanning.

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see Billing for GitHub Actions.

To use code scanning on a private repository, you will also need a license for GitHub Code Security. For information about how to try GitHub Advanced Security for free, see Setting up a trial of GitHub Advanced Security.

About tools for code scanning

You can configure code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.

About CodeQL analysis

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts. For more information about CodeQL, see About code scanning with CodeQL.

About third-party code scanning tools

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF support for code scanning."

You can run third-party analysis tools within GitHub using actions or within an external CI system. For more information, see Configuring advanced setup for code scanning or Uploading a SARIF file to GitHub.
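The push and scheduled triggers described earlier, together with the results upload that feeds code scanning alerts, come together in a single GitHub Actions workflow. The following is an added example, not a workflow from this page or from GitHub's own templates; it assumes a repository whose default branch is `main`, whose code is mostly JavaScript/TypeScript, and for which a weekly Monday scan is acceptable.

```yaml
# Added example CodeQL code scanning workflow (.github/workflows/codeql.yml).
# Assumptions: default branch "main", JavaScript/TypeScript code, weekly scan.
name: "Code scanning (CodeQL)"

on:
  # Scan every push to the default branch and every pull request targeting it,
  # so new problems are caught before they are merged...
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # ...and on a schedule, so newly published queries are run against code
  # that has not changed since the last push.
  schedule:
    - cron: "0 6 * * 1"   # Mondays, 06:00 UTC (assumed schedule)

# Least privilege: the job needs to read the repository and write code
# scanning results (security-events). Nothing else is granted.
permissions:
  contents: read
  actions: read           # only needed for workflows in private repositories
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Assumed language; set this to the languages the repository uses.
          languages: javascript-typescript

      # Runs the queries and uploads the SARIF results, which appear as code
      # scanning alerts. A third-party tool would instead produce its own SARIF
      # file and upload it with github/codeql-action/upload-sarif@v3.
      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # The category keeps these results separate from other tools or
          # configurations that upload to the same repository.
          category: "/language:javascript-typescript"
```

Each run of this workflow consumes GitHub Actions minutes, as noted in the billing section above.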

About the tool status page

The tool status page shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the tool status page is a good starting point for debugging problems. For more information, see About the tool status page for code scanning.