About integration with code scanning

You can perform code scanning externally and then display the results in GitHub, or configure webhooks that listen to code scanning activity in your repository.

谁可以使用此功能?

Code scanning 可用于以下存储库类型:

  • GitHub.com 上的公共存储库
  • GitHub Team、GitHub Enterprise Cloud 或 GitHub Enterprise Server 上的组织拥有的存储库,已启用 GitHub Advanced Security

本文内容

About integration with code scanning

注意

网站管理员必须启用 code scanning,然后你才能使用此功能。 有关详细信息,请参阅“为设备配置代码扫描”。

如果企业所有者在企业级别设置了 GitHub Advanced Security 策略,则你可能无法启用或禁用 code scanning。 有关详细信息,请参阅“强制实施企业的代码安全性和分析策略”。

As an alternative to running code scanning within GitHub, you can perform analysis elsewhere, using the CodeQL CLI or another static analysis tool, and then upload the results. For more information, see 在现有 CI 系统上使用代码扫描.

如果使用多个配置运行代码扫描,则警报有时会有多个分析源。 如果警报有多个分析源,你可在警报页上查看每个分析源的警报状态。 有关详细信息,请参阅“About code scanning alerts”。

Integrations with webhooks

You can use code scanning webhooks to build or configure integrations, such as GitHub Apps or OAuth apps, that subscribe to code scanning events in your repository. For example, you could build an integration that creates an issue on GitHub or sends you a Slack notification when a new code scanning alert is added in your repository. For more information, see Webhook 文档 and Webhook 事件和有效负载.

Further reading