Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in your repository.
You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."
To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "REST API endpoints for code scanning."
To get started with code scanning, see "Configuring default setup for code scanning."
Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."
To use code scanning on a private repository, you will also need a license for GitHub Advanced Security. For information about how you can try GitHub Enterprise with GitHub Advanced Security for free, see "Setting up a trial of GitHub Enterprise Cloud" and "Setting up a trial of GitHub Advanced Security" in the GitHub Enterprise Cloud documentation.
You can configure code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.
CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts. For more information about CodeQL, see "About code scanning with CodeQL."
Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF support for code scanning."
You can run third-party analysis tools within GitHub using actions or within an external CI system. For more information, see "Configuring advanced setup for code scanning" or "Uploading a SARIF file to GitHub."
The tool status page shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the tool status page is a good starting point for debugging problems. For more information, see "About the tool status page for code scanning".
Ship secure applications within the GitHub flow: Stay ahead of security issues, leverage the security community’s expertise, and use open source securely.
We help our customers' security and risk teams feel confident in their decisions to encourage developer collaboration on GitHub. We recognize that security is a shared responsibility with our customers. We are proud to partner with your security, risk, and procurement teams to provide the information needed for risk assessments and true understanding of our security and compliance posture.
Our GitHub Security Lab is a world-class security R&D team. We inspire and enable the community to secure open source at scale, so the world’s software we all depend on sits on foundations you can trust. Our ambition is to be the home where security researchers and developers can collaborate to make security easy for everyone willing to secure open source.
We keep GitHub safe, secure, and free of spam and abuse so that this can be the platform where developers come together to create. We do this through significant investments in platform security, incident response, and anti-abuse.
We embody the shift toward investments in safe and secure software design practices with our world-class security engineering program. We embed security expertise and capabilities into every phase of our Software Development Lifecycle.
Our Product Security Engineering team empowers developers to create a secure platform and products. Through developer training, the creation of components that form a secure foundation to build on, automated code analysis, in-depth threat modeling, and security code review and testing, we prevent vulnerabilities as early as possible in the development lifecycle.
Once our product is out the door, our security testing doesn’t stop. In addition to our internal Red Team, we leverage the collective expertise of the security research community through our Bug Bounty program to provide ongoing and broadly-scoped review.
Help us keep the world’s software safe