mirror of synced 2025-12-21 19:06:49 -05:00

Merge branch 'main' into githubone-site-policy

This commit is contained in:
mc
2021-04-16 07:47:09 +01:00
committed by GitHub
131 changed files with 1939 additions and 756 deletions

View File

@@ -25,20 +25,23 @@ You can create a default codespace configuration using a pre-built container con
{% data variables.product.prodname_codespaces %} uses settings contained in a configuration file named `devcontainer.json`. {% data reusables.codespaces.devcontainer-location %}
You can use your `devcontainer.json` to set default settings for the entire codespace environment, including the {% data variables.product.prodname_vscode %} editor, but you can also set editor-specific settings in a file named `.vscode/settings.json`.
Each new codespace created from a branch that contains the `.devcontainer` folder will be configured according to the folder's contents. For more information, see "[Creating a codespace](/github/developing-online-with-codespaces/creating-a-codespace)."
Changes to a repository's codespace configuration apply only to every new codespace and do not affect any existing codespace.
You can use your `devcontainer.json` to set default settings for the entire codespace environment, including the {% data variables.product.prodname_vscode %} editor, but you can also set editor-specific settings in a file named `.vscode/settings.json`.
### Using a pre-built container configuration
You can use any pre-built container configuration for {% data variables.product.prodname_vscode %} that is available in the [`vscode-dev-containers`](https://github.com/microsoft/vscode-dev-containers) repository. Pre-built container definitions include a common configuration for a particular project type, and can help you quickly get started with a configuration that already has the appropriate container options, {% data variables.product.prodname_vscode %} settings, and {% data variables.product.prodname_vscode %} extensions that should be installed.
Pre-built container definitions include a common configuration for a particular project type, and can help you quickly get started with a configuration that already has the appropriate container options, {% data variables.product.prodname_vscode %} settings, and {% data variables.product.prodname_vscode %} extensions that should be installed.
1. Clone or download the [`vscode-dev-containers`](https://github.com/microsoft/vscode-dev-containers) repository.
1. In the `vscode-dev-containers` repository, navigate to the [`containers`](https://github.com/microsoft/vscode-dev-containers/tree/master/containers) folder, then choose a container configuration for your project's needs. We'll use the [Node.js & JavaScript](https://aka.ms/vscode-dev-containers/definitions/node) container configuration as an example.
1. From the [`Node.js & JavaScript`](https://aka.ms/vscode-dev-containers/definitions/node) folder, copy the `.devcontainer` folder to the root of your project's repository.
1. Commit and push the new configuration to your project's repository on {% data variables.product.prodname_dotcom %}.
Each new codespace created from a branch which contains the `.devcontainer` folder will be configured according to the folder's contents. For more information, see "[Creating a codespace](/github/developing-online-with-codespaces/creating-a-codespace)."
1. Access the command palette (`shift command P` / `shift control P`), then start typing "Codespaces: Add Development Container Configuration Files...". Click **Codespaces: Add Development Container Configuration Files...**
!["Codespaces: Add Development Container Configuration Files..." in the command palette](/assets/images/help/codespaces/add-prebuilt-container-command.png)
1. Click the definition you want to use.
![List of predefined container definitions](/assets/images/help/codespaces/predefined-container-definitions-list.png)
1. Follow the prompts to customize your definition.
1. Click **OK**.
![OK button](/assets/images/help/codespaces/prebuilt-container-ok-button.png)
1. To apply the changes, in the bottom right corner of the screen, click **Rebuild now**. For more information about rebuilding your container, see "[Applying changes to your configuration](#applying-changes-to-your-configuration)."
!["Codespaces: Rebuild Container" in the command palette](/assets/images/help/codespaces/rebuild-prompt.png)
### Creating a custom codespace configuration
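Review bot: the steps "From the `Node.js & JavaScript` folder, copy the `.devcontainer` folder to the root of your project's repository" and "Commit and push the new configuration" never ask the reader to look at what was copied, yet the same hunk says every new codespace created from that branch is configured from the folder's contents. Suggest a sentence between those two steps asking readers to review the copied configuration (base image, Dockerfile and any commands it runs) before committing it to the repository. Separately, "apply only to every new codespace" reads awkwardly; "apply only to new codespaces" says the same thing more clearly.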
@@ -53,6 +56,8 @@ You can define default editor settings for {% data variables.product.prodname_vs
* Editor settings defined in `.vscode/settings.json` are applied as _Workspace_-scoped settings in the codespace.
* Editor settings defined in the `settings` key in `devcontainer.json` are applied as _Remote [Codespaces]_-scoped settings in the codespace.
After updating the `devcontainer.json` file, you can rebuild the container for your codespace to apply the changes. For more information, see "[Applying changes to your configuration](#applying-changes-to-your-configuration)."
### Supported codespace configuration keys
You can use configuration keys supported by {% data variables.product.prodname_codespaces %} in `devcontainer.json`.
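Review bot: the two bullets say where `.vscode/settings.json` and the `settings` key in `devcontainer.json` land (_Workspace_ scope versus _Remote [Codespaces]_ scope) but not which one wins when both define the same setting; one sentence on precedence would save readers a rebuild when a setting does not take effect.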
@@ -80,3 +85,15 @@ You can use configuration keys supported by {% data variables.product.prodname_c
- `dockerComposeFile`
For more information about the available settings for `devcontainer.json`, see [devcontainer.json reference](https://aka.ms/vscode-remote/devcontainer.json) in the {% data variables.product.prodname_vscode %} documentation.
### Applying changes to your configuration
{% data reusables.codespaces.apply-devcontainer-changes %}
1. {% data reusables.codespaces.rebuild-command %}
!["Codespaces: Rebuild Container" in the command palette](/assets/images/help/codespaces/rebuild-container-command.png)
1. {% data reusables.codespaces.recovery-mode %} Fix the errors in the configuration.
![Error message about recovery mode](/assets/images/help/codespaces/recovery-mode-error-message.png)
- To diagnose the error by reviewing the creation logs, click **View creation log**.
- To fix the errors identified in the logs, update your `devcontainer.json` file.
- To apply the changes, rebuild your container. {% data reusables.codespaces.rebuild-command %}
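Review bot: the last sub-bullet under the recovery-mode step repeats `{% data reusables.codespaces.rebuild-command %}`, which is already step 1 of the same procedure, so the reader is told the rebuild command twice; "To apply the changes, rebuild your container." with a pointer back to step 1 is enough. Also note the heading here is "Applying changes to your configuration", so cross-links must use `#applying-changes-to-your-configuration`; other files in this merge link to `#apply-changes-to-your-configuration`, which will not resolve.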

View File

@@ -11,36 +11,22 @@ topics:
- codespaces
---
### About development with {% data variables.product.prodname_codespaces %}
{% data reusables.codespaces.release-stage %}
{% data reusables.codespaces.use-visual-studio-features %}
{% data reusables.codespaces.about-port-forwarding %} For more information, see "[Forwarding ports in your codespace](/github/developing-online-with-codespaces/forwarding-ports-in-your-codespace)."
{% data reusables.codespaces.apply-devcontainer-changes %} For more information, see "[Configuring {% data variables.product.prodname_codespaces %} for your project](/github/developing-online-with-codespaces/configuring-codespaces-for-your-project#apply-changes-to-your-configuration)."
{% data reusables.codespaces.use-chrome %} For more information, see "[Troubleshooting your codespace](/github/developing-online-with-codespaces/troubleshooting-your-codespace)."
### Connecting to a codespace from {% data variables.product.prodname_vscode %}
{% data reusables.codespaces.connect-to-codespace-from-vscode %}
### Navigating to your codespace
{% data reusables.codespaces.navigate-to-codespaces %}
2. Click the name of the codespace you want to develop in.
![Name of codespace](/assets/images/help/codespaces/click-name-codespace.png)
### Forwarding ports
Port forwarding gives you access to TCP ports running within your codespace. For example, if you're running a web application on port 3000, you can access the application from your browser to test and debug it.
When an application running inside a codespace outputs a port to the console, {% data variables.product.prodname_codespaces %} detects the localhost URL pattern and automatically forwards those ports. You can click on the URL in the terminal to open it in a browser. For example, if an application outputs `http://127.0.0.1:3000` or `http://localhost:3000` to the console, the log would automatically convert the output to a clickable URL for port 3000.
![Automatic Port Forwarding](/assets/images/help/codespaces/automatic-port-forwarding.png)
Alternatively, you can also use any of the following ways to forward a port.
* You can forward a port on demand by triggering the command palette (`shift command P` / `shift control P`) and typing "Codespaces: Forward Port". You can then enter the number of the port you want to forward.
![Command Palette Port Forwarding](/assets/images/help/codespaces/command-palette-port-forwarding.png)
* You can automatically configure forwarded ports in a `.devcontainer.json` file using the `forwardPorts` property.
* You can add or remove forwarded ports within the Remote Explorer extension. From the Remote Explorer you can copy and paste the URLs for forwarded ports, allowing you to access them through your browser.
![Remote Explorer Port Forwarding](/assets/images/help/codespaces/remote-explorer-port-forwarding.png)
![Name of codespace](/assets/images/help/codespaces/click-name-codespace.png)
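Review bot: `.devcontainer.json` in "You can automatically configure forwarded ports in a `.devcontainer.json` file" does not match the `devcontainer.json` file name used in the configuring article and the `.devcontainer` folder named there; pick one spelling. The "About development" link uses the anchor `#apply-changes-to-your-configuration`, but the target heading is "Applying changes to your configuration", so it should be `#applying-changes-to-your-configuration`. Finally, the trailing `![Name of codespace]` image after the port-forwarding bullets duplicates the one under "Navigating to your codespace"; if the port-forwarding material is moving to its own article, make sure this stray image line does not survive the move.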

View File

@@ -0,0 +1,61 @@
---
title: Forwarding ports in your codespace
intro: '{% data reusables.codespaces.about-port-forwarding %}'
product: '{% data reusables.gated-features.codespaces %}'
versions:
free-pro-team: '*'
topics:
- codespaces
---
### About forwarded ports
Port forwarding gives you access to TCP ports running within your codespace. For example, if you're running a web application on port 4000, you can access the application from your browser to test and debug the application.
When an application running inside a codespace outputs a port to the console, {% data variables.product.prodname_codespaces %} detects the localhost URL pattern and automatically forwards the port. You can click on the URL in the terminal to open the port in a browser. For example, if an application outputs `http://127.0.0.1:4000` or `http://localhost:4000` to the console, the log would automatically convert the output to a clickable URL for port 4000.
![Automatic port forwarding](/assets/images/help/codespaces/automatic-port-forwarding.png)
You can also forward a port manually, label forwarded ports, share fowarded ports publicly, and add forwarded ports to the codespace configuration.
### Forwarding a port
You can manually forward a port that wasn't forwarded automatically.
{% data reusables.codespaces.navigate-to-ports-tab %}
1. Under the list of ports, click **Add port**.
![Add port button](/assets/images/help/codespaces/add-port-button.png)
1. Type the port number or address, then press enter.
![Text box to type port button](/assets/images/help/codespaces/port-number-text-box.png)
### Labeling a port
You can label a port to make the port more easily identifiable in a list.
{% data reusables.codespaces.navigate-to-ports-tab %}
1. Hover over the port you want to label, then click the label icon.
![Label icon for port](/assets/images/help/codespaces/label-icon.png)
{% data reusables.codespaces.type-port-label %}
### Sharing a port
If you want to share a forwarded port with others, you can make the port public. After you make a port public, anyone with the port's URL can view the running application without needing to authenticate.
{% data reusables.codespaces.navigate-to-ports-tab %}
1. Right click the port you want to share, then click **Make Public**.
![Option to make port public in right-click menu](/assets/images/help/codespaces/make-public-option.png)
1. To the right of the local address for the port, click the copy icon.
![Copy icon for port URL](/assets/images/help/codespaces/copy-icon-port-url.png)
1. Send the copied URL to the person you want to share the port with.
### Adding a port to the codespace configuration
You can add a forwarded port to the {% data variables.product.prodname_codespaces %} configuration for the repository, so the port will automatically be forwarded for all codespaces created from the repository. After you update the configuration, any previously created codespaces must be rebuilt for the change to apply. For more information, see "[Configuring {% data variables.product.prodname_codespaces %} for your project](/github/developing-online-with-codespaces#applying-changes-to-your-configuration)."
You can manually configure fowarded ports in a `.devcontainer.json` file using the `forwardPorts` property, or you can use the "Ports" panel in your codespace.
{% data reusables.codespaces.navigate-to-ports-tab %}
1. Right click the port you want to add to the codespace configuration, then click **Set Label and Update devcontainer.json**.
![Option to set label and add port to devcontainer.json in the right-click menu](/assets/images/help/codespaces/update-devcontainer-to-add-port-option.png)
{% data reusables.codespaces.type-port-label %}
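Review bot: "Sharing a port" states that after a port is made public anyone with the URL can view the running application without authenticating, but the procedure gives no way back; add a step (or a sentence) on making the port private again once sharing is over, and say plainly that the URL should be handled like a credential, since passing it on grants the same access. Also: "fowarded" is misspelled twice ("share fowarded ports publicly" and "manually configure fowarded ports"); the link in "Adding a port to the codespace configuration" points at `/github/developing-online-with-codespaces#applying-changes-to-your-configuration` and is missing the `/configuring-codespaces-for-your-project` path segment; and `.devcontainer.json` here is `devcontainer.json` in the configuring article.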

View File

@@ -20,6 +20,7 @@ topics:
{% link_in_list /configuring-codespaces-for-your-project %}
{% link_in_list /creating-a-codespace %}
{% link_in_list /developing-in-a-codespace %}
{% link_in_list /forwarding-ports-in-your-codespace %}
{% link_in_list /personalizing-codespaces-for-your-account %}
{% link_in_list /managing-encrypted-secrets-for-codespaces %}
{% link_in_list /managing-access-and-security-for-codespaces %}

View File

@@ -16,6 +16,14 @@ topics:
{% data reusables.codespaces.unsupported-repos %}
{% data reusables.codespaces.recovery-mode %}
```
This codespace is currently running in recovery mode due to a container error.
```
Review the creation logs, update the configuration as needed, and run the "Rebuild Container" command to retry. For more information, see "[Configuring {% data variables.product.prodname_codespaces %} for your project](/github/developing-online-with-codespaces/configuring-codespaces-for-your-project#apply-changes-to-your-configuration)."
If you encounter issues while using a browser that is not Chromium-based, try switching to a Chromium-based browser, or check for known issues with your browser in the `microsoft/vscode` repository by searching for issues labeled with the name of your browser, such as[`firefox`](https://github.com/microsoft/vscode/issues?q=is%3Aissue+is%3Aopen+label%3Afirefox) or [`safari`](https://github.com/Microsoft/vscode/issues?q=is%3Aopen+is%3Aissue+label%3Asafari).
If you encounter issues while using a Chromium-based browser, you can check if you're experiencing another known issue with {% data variables.product.prodname_vscode %} in the [`microsoft/vscode`](https://github.com/microsoft/vscode/issues) repository.
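Review bot: missing space in "such as[`firefox`]"; the two issue-search links differ in hostname capitalisation (`github.com/microsoft/vscode` versus `github.com/Microsoft/vscode`), which works but looks like a typo; and the "Configuring ... for your project" link uses the anchor `#apply-changes-to-your-configuration` while the heading it targets is "Applying changes to your configuration" (`#applying-changes-to-your-configuration`).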

View File

@@ -7,6 +7,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
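Review bot: the pointer to `/content/code-security/secure-coding` is an HTML comment, so it helps only people editing the source; readers of the rendered page get no hint that a newer version of the article exists. If these pages are being superseded, a visible note or a redirect is the right tool. The same applies to each of the other files in this merge that receive the identical comment.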
@@ -36,14 +37,6 @@ You can use {% data variables.product.prodname_code_scanning %} with {% data var
You can view and contribute to the queries for {% data variables.product.prodname_code_scanning %} in the [`github/codeql`](https://github.com/github/codeql) repository. For more information, see [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/) in the {% data variables.product.prodname_codeql %} documentation.
{% if currentVersion == "free-pro-team@latest" %}
### About billing for {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_capc %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."
{% endif %}
### About third-party code scanning tools
{% data reusables.code-scanning.you-can-upload-third-party-analysis %}
@@ -54,7 +47,5 @@ You can view and contribute to the queries for {% data variables.product.prodnam
### Further reading
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}
- "[About securing your repository](/github/administering-a-repository/about-securing-your-repository)"{% endif %}
- [{% data variables.product.prodname_security %}](https://securitylab.github.com/)
- [OASIS Static Analysis Results Interchange Format (SARIF) TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif) on the OASIS Committee website
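Review bot: the billing section removed in the previous hunk was gated on `free-pro-team@latest`; if the intent is that this article no longer serves that version, the `{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}` guard around "About securing your repository" should be reduced to its `ver_gt "enterprise-server@2.22"` half, whichever side of this hunk survives. Also, `{% endif %}` is glued to the end of the list item; it renders, but a separate line is easier to review.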

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}

View File

@@ -9,4 +9,4 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
@@ -23,7 +24,7 @@ Before you can configure {% data variables.product.prodname_code_scanning %} for
{% data reusables.code-scanning.edit-workflow %}
{% data variables.product.prodname_codeql %} analysis is just one type of {% data variables.product.prodname_code_scanning %} you can do in {% data variables.product.prodname_dotcom %}. {% data variables.product.prodname_marketplace %}{% if currentVersion ver_gt "enterprise-server@2.21" %} on {% data variables.product.prodname_dotcom_the_website %}{% endif %} contains other {% data variables.product.prodname_code_scanning %} workflows you can use. {% if currentVersion == "free-pro-team@latest" %}You can find a selection of these on the "Get started with {% data variables.product.prodname_code_scanning %}" page, which you can access from the **{% octicon "shield" aria-label="The shield symbol" %} Security** tab.{% endif %} The specific examples given in this article relate to the {% data variables.product.prodname_codeql_workflow %} file.
{% data variables.product.prodname_codeql %} analysis is just one type of {% data variables.product.prodname_code_scanning %} you can do in {% data variables.product.prodname_dotcom %}. {% data variables.product.prodname_marketplace %} on {% data variables.product.prodname_dotcom_the_website %} contains other {% data variables.product.prodname_code_scanning %} workflows you can use. The specific examples given in this article relate to the {% data variables.product.prodname_codeql_workflow %} file.
### Editing a {% data variables.product.prodname_code_scanning %} workflow
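Review bot: the simplified sentence states "{% data variables.product.prodname_marketplace %} on {% data variables.product.prodname_dotcom_the_website %}" unconditionally, while the previous wording gated the "on ... the website" qualifier behind `ver_gt "enterprise-server@2.21"`; confirm the qualifier is right for every version this file still serves. Dropping the "Get started with code scanning" page pointer is consistent with the merge only if the `free-pro-team@latest` readers it was shown to are no longer served by this article.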
@@ -49,7 +50,7 @@ By default, the {% data variables.product.prodname_codeql_workflow %} uses the `
#### Scanning pull requests
The default {% data variables.product.prodname_codeql_workflow %} uses the `pull_request` event to trigger a code scan on pull requests targeted against the default branch. {% if currentVersion ver_gt "enterprise-server@2.21" %}The `pull_request` event is not triggered if the pull request was opened from a private fork.{% else %}If a pull request is from a private fork, the `pull_request` event will only be triggered if you've selected the "Run workflows from fork pull requests" option in the repository settings. For more information, see "[Disabling or limiting {% data variables.product.prodname_actions %} for a repository](/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository#enabling-workflows-for-private-repository-forks)."{% endif %}
The default {% data variables.product.prodname_codeql_workflow %} uses the `pull_request` event to trigger a code scan on pull requests targeted against the default branch. The `pull_request` event is not triggered if the pull request was opened from a private fork.
For more information about the `pull_request` event, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags)."
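Review bot: the new sentence says only that `pull_request` is not triggered for pull requests from private forks and drops the pointer to the repository setting ("Run workflows from fork pull requests") and its link; readers on versions that still have that setting lose the only instruction for getting code scanning to run on such pull requests, which leaves fork contributions unscanned without saying so. Keep the link, or state that the setting is unavailable on the versions this article serves.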
@@ -110,9 +111,7 @@ This workflow scans:
### Specifying an operating system
If your code requires a specific operating system to compile, you can configure the operating system in your {% data variables.product.prodname_codeql_workflow %}. Edit the value of `jobs.analyze.runs-on` to specify the operating system for the machine that runs your {% data variables.product.prodname_code_scanning %} actions. {% if currentVersion ver_gt "enterprise-server@2.21" %}You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% else %}
If you choose to use a self-hosted runner for code scanning, you can specify an operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% endif %}
If your code requires a specific operating system to compile, you can configure the operating system in your {% data variables.product.prodname_codeql_workflow %}. Edit the value of `jobs.analyze.runs-on` to specify the operating system for the machine that runs your {% data variables.product.prodname_code_scanning %} actions. You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.
``` yaml
jobs:
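Review bot: "You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`" now applies unconditionally, so the text implies every runner is self-hosted; the previous wording limited this to readers who chose a self-hosted runner. If this article now targets only versions where all runners are self-hosted, say so in the sentence; otherwise the plain `runs-on: ubuntu-latest` form for hosted runners should stay documented.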
@@ -121,11 +120,9 @@ jobs:
runs-on: [self-hosted, ubuntu-latest]
```
{% if currentVersion == "free-pro-team@latest" %}For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."{% endif %}
{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: `ubuntu-latest`, `windows-latest`, and `macos-latest`. For more information, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#self-hosted-runners)" and "[Using labels with self-hosted runners](/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners)."
{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: `ubuntu-latest`, `windows-latest`, and `macos-latest`. For more information, see {% if currentVersion ver_gt "enterprise-server@2.21" %}"[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#self-hosted-runners)" and "[Using labels with self-hosted runners](/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners){% else %}"[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idruns-on){% endif %}."
{% if currentVersion ver_gt "enterprise-server@2.21" %}You must ensure that Git is in the PATH variable on your self-hosted runners.{% else %}If you use a self-hosted runner, you must ensure that Git is in the PATH variable.{% endif %}
You must ensure that Git is in the PATH variable on your self-hosted runners.
### Changing the languages that are analyzed
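Review bot: the `{% if currentVersion == "free-pro-team@latest" %}` guard around the "About self-hosted runners" and "Adding self-hosted runners" links survives while the free-pro-team conditionals elsewhere in this file are removed; if this article no longer serves that version, the guarded sentence is dead and the links are never shown, losing the one pointer on how to add self-hosted runners. Either drop the guard or remove the line.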
@@ -157,48 +154,6 @@ If your workflow does not contain a matrix called `language`, then {% data varia
with:
languages: cpp, csharp, python
```
{% if currentVersion == "free-pro-team@latest" %}
### Analyzing Python dependencies
For GitHub-hosted runners that use Linux only, the {% data variables.product.prodname_codeql_workflow %} will try to auto-install Python dependencies to give more results for the CodeQL analysis. You can control this behavior by specifying the `setup-python-dependencies` parameter for the action called by the "Initialize CodeQL" step. By default, this parameter is set to `true`:
- If the repository contains code written in Python, the "Initialize CodeQL" step installs the necessary dependencies on the GitHub-hosted runner. If the auto-install succeeds, the action also sets the environment variable `CODEQL_PYTHON` to the Python executable file that includes the dependencies.
- If the repository doesn't have any Python dependencies, or the dependencies are specified in an unexpected way, you'll get a warning and the action will continue with the remaining jobs. The action can run successfully even when there are problems interpreting dependencies, but the results may be incomplete.
Alternatively, you can install Python dependencies manually on any operating system. You will need to add `setup-python-dependencies` and set it to `false`, as well as set `CODEQL_PYTHON` to the Python executable that includes the dependencies, as shown in this workflow extract:
```yaml
jobs:
CodeQL-Build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ];
then pip install -r requirements.txt;
fi
# Set the `CODEQL-PYTHON` environment variable to the Python executable
# that includes the dependencies
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: python
# Override the default behavior so that the action doesn't attempt
# to auto-install Python dependencies
setup-python-dependencies: false
```
{% endif %}
### Running additional queries
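Review bot: removing the "Analyzing Python dependencies" section drops the only documentation of `setup-python-dependencies` and `CODEQL_PYTHON`, which control whether the "Initialize CodeQL" step installs a repository's Python dependencies on the runner and which interpreter the analysis uses; if those inputs still exist on the versions this file serves, keep the section. If the block is kept anywhere, note that its comment says `CODEQL-PYTHON` (hyphen) while the variable actually written to `$GITHUB_ENV` is `CODEQL_PYTHON`.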

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta-codeql-runner %}
{% data reusables.code-scanning.beta %}

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
@@ -30,10 +31,7 @@ If your workflow uses a `language` matrix, `autobuild` attempts to build each of
{% note %}
{% if currentVersion == "github-ae@latest" %}**Note**: For instructions on how to make sure your {% data variables.actions.hosted_runner %} has the required software installed, see "[Creating custom images](/actions/using-github-hosted-runners/creating-custom-images)."
{% else %}
**Note**: If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. For more information, see "[Specifications for {% data variables.product.prodname_dotcom %}-hosted runners](/actions/reference/specifications-for-github-hosted-runners/#supported-software)".
{% endif %}
{% endnote %}
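Review bot: the surviving note tells self-hosted runner users they may need extra software, then links to "Specifications for GitHub-hosted runners" for more information; the link is useful only as a list of what the hosted images carry, so say that (for example, "for the software installed on GitHub-hosted runners, see ..."), otherwise it reads as a wrong link.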

View File

@@ -7,6 +7,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
### Table of Contents

View File

@@ -9,4 +9,4 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->

View File

@@ -1,12 +1,13 @@
---
title: Managing code scanning alerts for your repository
shortTitle: Managing alerts
intro: 'From the security view, you can view, fix, {% if currentVersion == "enterprise-server@2.22" %}or close{% else %}dismiss, or delete{% endif %} alerts for potential vulnerabilities or errors in your project''s code.'
intro: 'From the security view, you can view, fix, or close alerts for potential vulnerabilities or errors in your project''s code.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permission to a repository you can manage {% data variables.product.prodname_code_scanning %} alerts for that repository.'
versions:
enterprise-server: '2.22'
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
@@ -48,82 +49,25 @@ You need write permission to view a summary of all the alerts for a repository o
Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning)" and "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)."
If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking **Closed**. For more information, see "[Viewing the alerts for a repository](#viewing-the-alerts-for-a-repository)." The "Closed" list shows fixed alerts and alerts that users have {% if currentVersion == "enterprise-server@2.22" %}closed{% else %}dismissed{% endif %}.
If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking **Closed**. For more information, see "[Viewing the alerts for a repository](#viewing-the-alerts-for-a-repository)." The "Closed" list shows fixed alerts and alerts that users have closed.
Alerts may be fixed in one branch but not in another. You can use the "Branch" drop-down menu, on the summary of alerts, to check whether an alert is fixed in a particular branch.
![Filtering alerts by branch](/assets/images/enterprise/3.1/help/repository/code-scanning-branch-filter.png)
{% if currentVersion == "enterprise-server@2.22" %}
### Closing an alert
Closing an alert is a way to resolve an alert that you don't think needs to be fixed. {% data reusables.code-scanning.close-alert-examples %}
{% else %}
### Dismissing or deleting alerts
There are two ways of closing an alert. You can fix the problem in the code, or you can dismiss the alert. Alternatively, if you have admin permissions for the repository, you can delete alerts. Deleting alerts is useful in situations where you have set up a {% data variables.product.prodname_code_scanning %} tool and then decided to remove it, or where you have configured {% data variables.product.prodname_codeql %} analysis with a larger set of queries than you want to continue using, and you've then removed some queries from the tool. In both cases, deleting alerts allows you to clean up your {% data variables.product.prodname_code_scanning %} results. You can delete alerts from the summary list within the **Security** tab.
Dismissing an alert is a way of closing an alert that you don't think needs to be fixed. {% data reusables.code-scanning.close-alert-examples %} You can dismiss alerts from {% data variables.product.prodname_code_scanning %} annotations in code, or from the summary list within the **Security** tab.
When you dismiss an alert:
- It's dismissed in all branches.
- The alert is removed from the number of current alerts for your project.
- The alert is moved to the "Closed" list in the summary of alerts, from where you can reopen it, if required.
- The reason why you closed the alert is recorded.
- Next time {% data variables.product.prodname_code_scanning %} runs, the same code won't generate an alert.
When you delete an alert:
- It's deleted in all branches.
- The alert is removed from the number of current alerts for your project.
- It is _not_ added to the "Closed" list in the summary of alerts.
- If the code that generated the alert stays the same, and the same {% data variables.product.prodname_code_scanning %} tool runs again without any configuration changes, the alert will be shown again in your analysis results.
To dismiss or delete alerts:
{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
{% if currentVersion == "enterprise-server@2.22" %}
{% data reusables.code-scanning.click-alert-in-list %}
1. Select the **Close** drop-down menu and click a reason for closing the alert.
![Choosing reason for closing the alert via the Close drop-down](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.false-positive-fix-codeql %}
{% else %}
1. If you have admin permissions for the repository, and you want to delete alerts for this {% data variables.product.prodname_code_scanning %} tool, select some or all of the check boxes and click **Delete**.
![Deleting alerts](/assets/images/help/repository/code-scanning-delete-alerts.png)
Optionally, you can use the filters to display a subset of alerts and then delete all matching alerts at once. For example, if you have removed a query from {% data variables.product.prodname_codeql %} analysis, you can use the "Rule" filter to list just the alerts for that query and then select and delete all of those alerts.
![Filter alerts by rule](/assets/images/enterprise/3.1/help/repository/code-scanning-filter-by-rule.png)
1. If you want to dismiss an alert, it's important to explore the alert first, so that you can choose the correct dismissal reason. Click the alert you'd like to explore.
![Open an alert from the summary list](/assets/images/enterprise/3.1/help/repository/code-scanning-click-alert.png)
1. Review the alert, then click **Dismiss** and choose a reason for closing the alert.
![Choosing a reason for dismissing an alert](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.choose-alert-dismissal-reason %}
{% data reusables.code-scanning.false-positive-fix-codeql %}
#### Dismissing multiple alerts at once
If a project has multiple alerts that you want to dismiss for the same reason, you can bulk dismiss them from the summary of alerts. Typically, you'll want to filter the list and then dismiss all of the matching alerts. For example, you might want to dismiss all of the current alerts in the project that have been tagged for a particular Common Weakness Enumeration (CWE) vulnerability.
{% endif %}
### Further reading
- "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)"
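Review bot: the "Dismissing multiple alerts at once" subsection ends after the CWE filtering example without giving the bulk-dismissal procedure, whereas the delete step above shows the concrete steps (select the check boxes, click **Delete**) with a screenshot. Add the numbered steps for bulk dismissal in the same style, or a cross-reference to where they are documented, so readers are not left with a description of the feature only.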

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
<!--UI-LINK: When GitHub Enterprise Server doesn't have GitHub Actions set up, the Security > Code scanning alerts view links to this article.-->
{% data reusables.code-scanning.beta-codeql-runner %}
@@ -29,17 +30,13 @@ The {% data variables.product.prodname_codeql_runner %} is a command-line tool t
{% note %}
**Notes:**
{% if currentVersion == "free-pro-team@latest" %}
* The {% data variables.product.prodname_codeql_runner %} uses the {% data variables.product.prodname_codeql %} CLI to analyze code and therefore has the same license conditions. It's free to use on public repositories that are maintained on {% data variables.product.prodname_dotcom_the_website %}, and available to use on private repositories that are owned by customers with an {% data variables.product.prodname_advanced_security %} license. For information, see "[{% data variables.product.product_name %} {% data variables.product.prodname_codeql %} Terms and Conditions](https://securitylab.github.com/tools/codeql/license)" and "[{% data variables.product.prodname_codeql %} CLI](https://codeql.github.com/docs/codeql-cli/)."
{% else %}
* The {% data variables.product.prodname_codeql_runner %} is available to customers with an {% data variables.product.prodname_advanced_security %} license.
{% endif %}
* The {% data variables.product.prodname_codeql_runner %} shouldn't be confused with the {% data variables.product.prodname_codeql %} CLI. The {% data variables.product.prodname_codeql %} CLI is an interactive command-line interface that lets you create {% data variables.product.prodname_codeql %} databases for security research and run {% data variables.product.prodname_codeql %} queries. For more information, see "[{% data variables.product.prodname_codeql %} CLI](https://codeql.github.com/docs/codeql-cli/)."
{% endnote %}
### Downloading the {% data variables.product.prodname_codeql_runner %}
You can download the {% data variables.product.prodname_codeql_runner %} from https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action/releases. On some operating systems, you may need to change permissions for the downloaded file before you can run it.
You can download the {% data variables.product.prodname_codeql_runner %} from https://github.com/github/codeql-action/releases. On some operating systems, you may need to change permissions for the downloaded file before you can run it.
On Linux:
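Review bot: hard-coding `https://github.com/github/codeql-action/releases` drops the `<em>HOSTNAME</em>` branch that the old line rendered for every version other than enterprise-server@2.22 and free-pro-team. If this archived article is versioned to include GHES releases below 2.22, those readers would now be sent to github.com instead of their own instance; confirm the `versions` frontmatter is limited to 2.22, or keep the HOSTNAME branch. The `wget` line in the next hunk makes the same substitution and should follow whatever is decided here.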
@@ -61,7 +58,7 @@ On Windows, the `codeql-runner-win.exe` file usually requires no change to permi
Once you download the {% data variables.product.prodname_codeql_runner %} and verify that it can be executed, you should make the runner available to each CI server that you intend to use for {% data variables.product.prodname_code_scanning %}. For example, you might configure each server to copy the runner from a central, internal location. Alternatively, you could use the REST API to get the runner directly from {% data variables.product.prodname_dotcom %}, for example:
```shell
wget https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action/releases/latest/download/codeql-runner-linux
wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux
chmod +x codeql-runner-linux
```
@@ -72,9 +69,8 @@ In addition to this, each CI server also needs:
The options for providing access to the {% data variables.product.prodname_codeql %} bundle are:
1. Allow the CI servers access to https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action so that the {% data variables.product.prodname_codeql_runner %} can download the bundle automatically.
{% if currentVersion == "enterprise-server@2.22" %}
1. Mirror the `github/codeql-action` repository on {% data variables.product.product_name %}. Unless you specify the <nobr>`--codeql-path`</nobr> flag, the runner automatically checks for the bundle in this location and on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}
1. Allow the CI servers access to https://github.com/github/codeql-action so that the {% data variables.product.prodname_codeql_runner %} can download the bundle automatically.
1. Mirror the `github/codeql-action` repository on {% data variables.product.product_name %}. Unless you specify the <nobr>`--codeql-path`</nobr> flag, the runner automatically checks for the bundle in this location and on {% data variables.product.prodname_dotcom_the_website %}.
1. Manually download/extract the bundle, store it with other central resources, and use the <nobr>`--codeql-path`</nobr> flag to specify the location of the bundle in calls to initialize the {% data variables.product.prodname_codeql_runner %}.
### Calling the {% data variables.product.prodname_codeql_runner %}
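Review bot: removing the `{% if currentVersion == "enterprise-server@2.22" %}` guard makes the "Mirror the `github/codeql-action` repository on {% data variables.product.product_name %}" option render for every version this article covers, which only reads correctly if the article is versioned to 2.22 alone. The first option also now hard-codes `https://github.com/github/codeql-action` and loses the HOSTNAME branch, as in the download hunks above; keep the three places consistent.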

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
@@ -21,14 +22,12 @@ You decide how to generate {% data variables.product.prodname_code_scanning %} a
### Setting up {% data variables.product.prodname_code_scanning %} using actions
{% if currentVersion == "free-pro-team@latest" %}Using actions to run {% data variables.product.prodname_code_scanning %} will use minutes. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
3. To the right of "{% data variables.product.prodname_code_scanning_capc %} alerts", click **Set up {% data variables.product.prodname_code_scanning %}**. {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}If {% data variables.product.prodname_code_scanning %} is missing, you need to ask an organization owner or repository administrator to enable {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[Managing security and analysis settings for your organization](/organizations/collaborating-with-groups-in-organizations/managing-security-and-analysis-settings-for-your-organization)" or "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)."{% endif %}
3. To the right of "{% data variables.product.prodname_code_scanning_capc %} alerts", click **Set up {% data variables.product.prodname_code_scanning %}**.
!["Set up {% data variables.product.prodname_code_scanning %}" button to the right of "{% data variables.product.prodname_code_scanning_capc %}" in the Security Overview](/assets/images/help/security/overview-set-up-code-scanning.png)
4. Under "Get started with {% data variables.product.prodname_code_scanning %}", click **Set up this workflow** on the {% data variables.product.prodname_codeql_workflow %} or on a third-party workflow.
!["Set up this workflow" button under "Get started with {% data variables.product.prodname_code_scanning %}" heading](/assets/images/help/repository/code-scanning-set-up-this-workflow.png){% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Workflows are only displayed if they are relevant for the programming languages detected in the repository. The {% data variables.product.prodname_codeql_workflow %} is always displayed, but the "Set up this workflow" button is only enabled if {% data variables.product.prodname_codeql %} analysis supports the languages present in the repository.{% endif %}
!["Set up this workflow" button under "Get started with {% data variables.product.prodname_code_scanning %}" heading](/assets/images/help/repository/code-scanning-set-up-this-workflow.png)
5. To customize how {% data variables.product.prodname_code_scanning %} scans your code, edit the workflow.
Generally you can commit the {% data variables.product.prodname_codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing.

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
@@ -16,7 +17,7 @@ topics:
In repositories where {% data variables.product.prodname_code_scanning %} is configured as a pull request check, {% data variables.product.prodname_code_scanning %} checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within {% data variables.product.prodname_actions %} or in a third-party CI/CD system. If merging the changes would introduce new {% data variables.product.prodname_code_scanning %} alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the **Files changed** tab of the pull request. If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)."
If {% data variables.product.prodname_code_scanning %} has any results with a severity of `error`, the check fails and the error is reported in the check results. If all the results found by {% data variables.product.prodname_code_scanning %} have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then you must either fix or {% if currentVersion == "enterprise-server@2.22" %}close{% else %}dismiss{% endif %} all error alerts before the pull request can be merged. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)."
If {% data variables.product.prodname_code_scanning %} has any results with a severity of `error`, the check fails and the error is reported in the check results. If all the results found by {% data variables.product.prodname_code_scanning %} have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then you must either fix or close all error alerts before the pull request can be merged. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)."
![Failed {% data variables.product.prodname_code_scanning %} check on a pull request](/assets/images/help/repository/code-scanning-check-failure.png)
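Review bot: "fix or close all error alerts" is now unconditional, matching the 2.22 "Close" terminology, but the managing-alerts text earlier on this page still carries both the `enterprise-server@2.22` "Closing an alert" branch and the `{% else %}` "Dismissing or deleting alerts" branch. If this archive is 2.22-only, apply the same simplification there, otherwise the two articles will describe the same action with different terms.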
@@ -40,28 +41,10 @@ In the detailed view for an alert, some {% data variables.product.prodname_code_
![Alert description and link to show more information](/assets/images/help/repository/code-scanning-pr-alert.png)
### {% if currentVersion == "enterprise-server@2.22" %}Resolving{% else %}Fixing{% endif %} an alert on your pull request
### Resolving an alert on your pull request
Anyone with push access to a pull request can fix a {% data variables.product.prodname_code_scanning %} alert that's identified on that pull request. If you commit changes to the pull request this triggers a new run of the pull request checks. If your changes fix the problem, the alert is closed and the annotation removed.
{% if currentVersion == "enterprise-server@2.22" %}
If you don't think that an alert needs to be fixed, users with write permission can close the alert manually. {% data reusables.code-scanning.close-alert-examples %} The **Close** button is available in annotations and in the alerts view if you have write permission for the repository.
{% data reusables.code-scanning.false-positive-fix-codeql %}
{% else %}
### Dismissing an alert on your pull request
An alternative way of closing an alert is to dismiss it. You can dismiss an alert if you don't think it needs to be fixed. {% data reusables.code-scanning.close-alert-examples %} If you have write permission for the repository, the **Dismiss** button is available in code annotations and in the alerts summary. When you click **Dismiss** you will be prompted to choose a reason for closing the alert.
![Choosing a reason for dismissing an alert](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.choose-alert-dismissal-reason %}
{% data reusables.code-scanning.false-positive-fix-codeql %}
For more information about dismissing alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#dismissing-or-deleting-alerts)."
{% endif %}
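Review bot: the removed `{% else %}` branch carried the only cross-reference to the repository-level procedure ("For more information, see Managing code scanning alerts for your repository"), and the retained 2.22 text has none; consider re-adding that link, pointed at the "Closing an alert" section, so the pull request article still leads to the full procedure. Minor: "If you commit changes to the pull request this triggers a new run" needs a comma after "pull request".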

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta-codeql-runner %}
{% data reusables.code-scanning.beta %}

View File

@@ -8,6 +8,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.not-available %}
@@ -113,24 +114,13 @@ If you split your analysis into multiple workflows as described above, we still
If your analysis is still too slow to be run during `push` or `pull_request` events, then you may want to only trigger analysis on the `schedule` event. For more information, see "[Events](/actions/learn-github-actions/introduction-to-github-actions#events)."
{% if currentVersion == "free-pro-team@latest" %}
### Results differ between analysis platforms
If you are analyzing code written in Python, you may see different results depending on whether you run the {% data variables.product.prodname_codeql_workflow %} on Linux, macOS, or Windows.
On GitHub-hosted runners that use Linux, the {% data variables.product.prodname_codeql_workflow %} tries to install and analyze Python dependencies, which could lead to more results. To disable the auto-install, add `setup-python-dependencies: false` to the "Initialize CodeQL" step of the workflow. For more information about configuring the analysis of Python dependencies, see "[Analyzing Python dependencies](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#analyzing-python-dependencies)."
{% endif %}
### Error: "Server error"
If the run of a workflow for {% data variables.product.prodname_code_scanning %} fails due to a server error, try running the workflow again. If the problem persists, contact {% data variables.contact.contact_support %}.
### Error: "Out of disk" or "Out of memory"
On very large projects, {% data variables.product.prodname_codeql %} may run out of disk or memory on the runner.
{% if currentVersion == "free-pro-team@latest" %}If you encounter this issue on a hosted {% data variables.product.prodname_actions %} runner, contact {% data variables.contact.contact_support %} so that we can investigate the problem.
{% else %}If you encounter this issue, try increasing the memory on the runner.{% endif %}
On very large projects, {% data variables.product.prodname_codeql %} may run out of disk or memory on the runner. If you encounter this issue, try increasing the memory on the runner.
### Warning: "git checkout HEAD^2 is no longer necessary"
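Review bot: the merged sentence keeps only "try increasing the memory on the runner", yet the heading is "Out of disk" or "Out of memory", and with the hosted-runner support branch gone this is now the only guidance offered. Consider also mentioning increasing disk space on the runner so the body matches the heading.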

View File

@@ -9,6 +9,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
@@ -19,7 +20,7 @@ topics:
You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see "[SARIF support for {% data variables.product.prodname_code_scanning %}](/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning)."
You can upload the results using {% data variables.product.prodname_actions %}{% if currentVersion == "enterprise-server@2.22" %} (available if your organization is taking part in the beta program){% endif %}, the {% data variables.product.prodname_code_scanning %} API, or the {% data variables.product.prodname_codeql_runner %}. The best upload method will depend on how you generate the SARIF file, for example, if you use:
You can upload the results using {% data variables.product.prodname_actions %} (available if your organization is taking part in the beta program), the {% data variables.product.prodname_code_scanning %} API, or the {% data variables.product.prodname_codeql_runner %}. The best upload method will depend on how you generate the SARIF file, for example, if you use:
- {% data variables.product.prodname_actions %} to run the {% data variables.product.prodname_codeql %} action, there is no further action required. The {% data variables.product.prodname_codeql %} action uploads the SARIF file automatically when it completes analysis.
- {% data variables.product.prodname_actions %} to run a SARIF-compatible analysis tool, you could update the workflow to include a final step that uploads the results (see below).

View File

@@ -9,4 +9,4 @@ versions:
topics:
- security
---
<!--See /content/code-security/secure-coding for the latest version of this article -->

View File

@@ -1,12 +1,13 @@
---
title: About alerts for vulnerable dependencies
intro: '{% data variables.product.product_name %} sends {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when we detect vulnerabilities affecting your repository.'
intro: '{% data variables.product.product_name %} sends {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when we detect vulnerabilities affecting your repository.'
versions:
enterprise-server: '<=2.22'
topics:
- security
---
<!--See /content/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies for the current version of this article -->
### About vulnerable dependencies
{% data reusables.repositories.a-vulnerability-is %}
@@ -15,12 +16,10 @@ When your code depends on a package that has a security vulnerability, this vuln
### Detection of vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
{% if currentVersion == "free-pro-team@latest" %}
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."{% else %}
- New advisory data is synchronized to {% data variables.product.prodname_ghe_server %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
- The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% if currentVersion == "free-pro-team@latest" %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
- New advisory data is synchronized to {% data variables.product.prodname_ghe_server %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}
- The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
{% data reusables.repositories.dependency-review %}
@@ -32,7 +31,7 @@ For a list of the ecosystems that {% data variables.product.product_name %} can
{% endnote %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" % %}
{% if currentVersion ver_gt "enterprise-server@2.21" % %}
### {% data variables.product.prodname_dependabot %} alerts for vulnerable dependencies
{% else %}
### Security alerts for vulnerable dependencies
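Review bot: the new condition line `{% if currentVersion ver_gt "enterprise-server@2.21" % %}` carries over the stray `% %}` from the old line; the extra `%` before `%}` is not valid Liquid tag syntax, so while this line is being edited it should become `{% if currentVersion ver_gt "enterprise-server@2.21" %}`.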
@@ -40,23 +39,10 @@ For a list of the ecosystems that {% data variables.product.product_name %} can
{% data reusables.repositories.enable-security-alerts %}
{% if currentVersion == "free-pro-team@latest" %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and generates {% data variables.product.prodname_dependabot_alerts %} by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/organizations/collaborating-with-groups-in-organizations/managing-security-and-analysis-settings-for-your-organization)."
For information about permission requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see "[Repository permission levels for an organization](/organizations/collaborating-with-groups-in-organizations/repository-permission-levels-for-an-organization#permission-requirements-for-security-features)."
{% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any vulnerable dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
When {% data variables.product.product_name %} identifies a vulnerable dependency, we send a security alert to the maintainers of affected repositories with details of the vulnerability, a link to the affected file in the project, and information about a fixed version.
{% endif %}
@@ -67,27 +53,15 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc
{% endwarning %}
### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts
### Access to {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts
You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
You can see all of the alerts that affect a particular project in the repository's dependency graph.
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}
By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
We send security alerts to people with admin permissions in the affected repositories by default. {% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository.
{% endif %}
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.21" %} For more information, see "[Choosing the delivery method for your notifications](/github/receiving-notifications-about-activity-on-github/choosing-the-delivery-method-for-your-notifications)."{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %} For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
You can also see all the {% data variables.product.prodname_dependabot_alerts %} that correspond to a particular vulnerability in the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database#viewing-your-vulnerable-repositories)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
### Further reading
- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)"
- "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Understanding how {% data variables.product.product_name %} uses and protects your data](/categories/understanding-how-github-uses-and-protects-your-data)"{% endif %}
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.21" %} For more information, see "[Choosing the delivery method for your notifications](/github/receiving-notifications-about-activity-on-github/choosing-the-delivery-method-for-your-notifications)."{% endif %}{% if currentVersion ver_gt "enterprise-server@2.20" %} For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."{% endif %}
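Review bot: the `{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.21" %}` guard retained on the last line of this hunk looks dead. The notifications article in this same commit is scoped to `enterprise-server: '>=2.21 <=2.22'`; if this article carries the same range, `ver_lt "enterprise-server@2.21"` can never be true and the `ver_gt "enterprise-server@2.20"` guard after it is always true, so both guards can go and only the "Configuring notifications for vulnerable dependencies" link needs to stay (or confirm this article's `versions` frontmatter still includes 2.20). Separately, the new `ver_gt "enterprise-server@2.21"` paragraph for 2.22 omits the sentence "{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository." that the `ver_lt "enterprise-server@2.22"` paragraph keeps for 2.21; if the statement holds for 2.22 as well, it belongs in both branches.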

View File

@@ -1,20 +1,17 @@
---
title: Configuring notifications for vulnerable dependencies
shortTitle: Configuring notifications
intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
intro: 'Optimize how you receive notifications about {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
versions:
enterprise-server: '>=2.21 <=2.22'
topics:
- security
---
<!--See /content/code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies for the current version of this article -->
### About notifications for vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/organizations/collaborating-with-groups-in-organizations/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)."
{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %}
Your site administrator needs to enable security alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use the feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
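Review bot: two spellings of the same version test appear in this hunk: the intro uses `currentVersion ver_gt "enterprise-server@2.21"`, while the site-administrator paragraph at the end uses `enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21"`. With `versions` set to `enterprise-server: '>=2.21 <=2.22'`, `ver_gt "enterprise-server@2.21"` is simply `== "enterprise-server@2.22"`, and the `enterpriseServerVersions contains currentVersion` clause adds nothing once an exact equality is tested. Pick one idiom (equality reads most clearly for a two-version range) and use it throughout the file, so a later version bump only has to touch one pattern.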
@@ -26,14 +23,14 @@ By default, if your site administrator has configured email for notifications on
{% if currentVersion ver_lt "enterprise-server@2.22" %}Site administrators can also enable security alerts without notifications. For more information, see "[Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
### Configuring notifications for {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}
### Configuring notifications for {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}
You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#choosing-your-notification-settings)."
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}
{% data reusables.notifications.vulnerable-dependency-notification-options %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}
![{% data variables.product.prodname_dependabot_alerts %} options](/assets/images/help/notifications-v2/dependabot-alerts-options.png)
{% else %}
![Security alerts options](/assets/images/help/notifications-v2/security-alerts-options.png)
@@ -45,11 +42,11 @@ You can configure notification settings for yourself or your organization from t
{% endnote %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.19" % %}{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}"[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#filtering-email-notifications){% else %}"[About email notifications](/github/receiving-notifications-about-activity-on-github/about-email-notifications){% endif %}."{% endif %}
{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#filtering-email-notifications)."
### How to reduce the noise from notifications for vulnerable dependencies
If you are concerned about receiving too many notifications for {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} enabled. You can still navigate to see your {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} in your repository's Security tab.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
If you are concerned about receiving too many notifications for {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} enabled. You can still navigate to see your {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} in your repository's Security tab.
### Further reading
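Review bot: the replaced severity line carried a Liquid syntax error (`ver_gt "enterprise-server@2.19" % %}`, a stray `% ` before the closing tag) that would have broken rendering, so the unconditional replacement is a fix as well as a simplification; the `#filtering-email-notifications` target is correct for every version in this file's `>=2.21 <=2.22` range. In the noise-reduction paragraph the expression `{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}` is now repeated three times inside one sentence; a single `{% assign %}` or `{% capture %}` at the top of the section would keep the source readable and stop the three copies from drifting apart.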

View File

@@ -5,7 +5,7 @@ versions:
topics:
- security
---
<!--See /content/code-security/supply-chain-security for the current version of this article -->
### Table of Contents
{% topic_link_in_list /managing-vulnerabilities-in-your-projects-dependencies %}

View File

@@ -7,4 +7,4 @@ versions:
topics:
- security
---
<!--See content/code-security/supply-chain-security for the current version of this article -->
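Review bot: the path in the added comment, `content/code-security/supply-chain-security`, is missing the leading slash that the other pointer comments in this commit use (`/content/code-security/supply-chain-security/...`); make it `/content/...` so the comments are identical under grep and point at the same tree.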

View File

@@ -1,25 +1,24 @@
---
title: Managing your theme settings
intro: 'You can manage how {% data variables.product.product_name %} looks to you by setting a theme preference that either follows your system settings or always uses light mode or dark mode.'
intro: 'You can manage how {% data variables.product.product_name %} looks to you by setting a theme preference that either follows your system settings or always uses a light or dark mode.'
versions:
free-pro-team: '*'
topics:
- accounts
---
{% note %}
**Note:** Theme settings is currently in beta and subject to change.
{% endnote %}
For choice and flexibility in how and when you use {% data variables.product.product_name %}, you can configure theme settings to change how {% data variables.product.product_name %} looks to you. You can choose from two themes, light and dark, or you can configure {% data variables.product.product_name %} to follow your system settings. Some developers use dark theme for personal preference, to reduce power consumption on certain devices, or to reduce eye strain in low-light conditions.
For choice and flexibility in how and when you use {% data variables.product.product_name %}, you can configure theme settings to change how {% data variables.product.product_name %} looks to you. You can choose from themes that are light or dark, or you can configure {% data variables.product.product_name %} to follow your system settings. You may want to use a dark theme to reduce power consumption on certain devices, to reduce eye strain in low-light conditions, or because you prefer how the theme looks.
{% data reusables.user_settings.access_settings %}
1. In the user settings sidebar, click **Appearance**.
!["Appearance" tab in user settings sidebar](/assets/images/help/settings/appearance-tab.png)
1. Under "Theme", select a theme preference.
![Radio buttons for theme settings](/assets/images/help/settings/theme-settings-radio-buttons.png)
1. Under "Theme mode", select the drop-down menu, then click a theme preference.
![Drop-down menu under "Theme mode" for selection of theme preference](/assets/images/help/settings/theme-mode-drop-down-menu.png)
1. Click the theme you'd like to use.
- If you chose a single theme, click a theme.
![Radio buttons for the choice of a single theme](/assets/images/help/settings/theme-choose-a-single-theme.png)
- If you chose to follow your system settings, click a day theme and a night theme.
![Buttons for the choice of a theme to sync with the system setting](/assets/images/help/settings/theme-choose-a-day-and-night-theme-to-sync.png)
### Further reading
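Review bot: the new step "Under "Theme mode", select the drop-down menu, then click a theme preference." and the next step "Click the theme you'd like to use." both end in choosing a "theme", so the two steps read as the same action. Say "click a theme mode" in the first step (the choice between a single theme and following the system setting), which matches the "Theme mode" label it sits under and is clearly distinct from picking the actual theme in the second step. The two sub-bullets under the second step, with their separate screenshots for the single-theme and day/night cases, are otherwise clear.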

View File

@@ -9,6 +9,8 @@ topics:
- legal
---
_These terms apply to 1) GitHub.com (non-Enterprise) customers who have accepted the Corporate Terms of Service, and 2) Enterprise customers who licensed the Service prior to January 4, 2021. Enterprise customers who purchase Products or Services after that date are directed to https://github.com/enterprise-legal for current terms._
THANK YOU FOR CHOOSING GITHUB FOR YOUR COMPANYS BUSINESS NEEDS. PLEASE READ THIS AGREEMENT CAREFULLY AS IT GOVERNS USE OF THE PRODUCTS (AS DEFINED BELOW), UNLESS GITHUB HAS EXECUTED A SEPARATE WRITTEN AGREEMENT WITH CUSTOMER FOR THAT PURPOSE.
BY CLICKING ON THE "I AGREE" OR SIMILAR BUTTON OR BY ACCESSING THE PRODUCTS, CUSTOMER ACCEPTS ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF CUSTOMER IS ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, CUSTOMER REPRESENTS THAT IT HAS THE LEGAL AUTHORITY TO BIND THE COMPANY OR OTHER LEGAL ENTITY TO THIS AGREEMENT.
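Review bot: the added scoping paragraph is clear and its two cases (GitHub.com Corporate Terms customers, Enterprise customers licensed before January 4, 2021) are well separated; the `https://github.com/enterprise-legal` pointer is a bare URL, so consider a markdown link with the URL as its text to make sure it renders as a link in every output. In the unchanged line that follows, "COMPANYS" lacks an apostrophe (COMPANY'S), unless that is an encoding artifact of this view.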

View File

@@ -6,25 +6,19 @@ versions:
topics:
- repositories
---
<!--See /content/code-security/supply-chain-security/about-the-dependency-graph for the latest version of this article -->
### Dependency graph availability
The dependency graph is available for every{% if currentVersion == "free-pro-team@latest" %} public{% endif %} repository that defines dependencies in a supported package ecosystem using a supported file format.{% if currentVersion == "free-pro-team@latest" %} Repository administrators can also set up the dependency graph for private repositories.{% endif %}
The dependency graph is available for every repository that defines dependencies in a supported package ecosystem using a supported file format.
{% data reusables.repositories.enable-security-alerts %}
### About the dependency graph
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows{% if currentVersion == "free-pro-team@latest" %}:
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.prodname_ghe_server %} does not calculate information about dependents, the repositories and packages that depend on a repository.
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.prodname_ghe_server %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% if currentVersion == "free-pro-team@latest" %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
{% if currentVersion == "free-pro-team@latest" %}
When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
{% endif %}
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated. For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
### Dependencies included
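Review bot: the flattened sentence "For each repository, it shows dependencies, that is, the ecosystems and packages it depends on." preserves the meaning of the removed bullets. Two things to check: the pointer comment here says "for the latest version of this article" while the notification articles in the same commit say "for the current version"; pick one wording. And the `{% if currentVersion == "free-pro-team@latest" %}` paragraph about dependency reviews in pull requests is dropped outright; that is right for GHES 2.21/2.22 only if the feature is absent there, so confirm it rather than infer it from the guard.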
@@ -33,40 +27,30 @@ The dependency graph includes all the dependencies of a repository that are deta
- Direct dependencies, that are explicitly defined in a manifest or lock file
- Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies
The dependency graph identifies indirect dependencies{% if currentVersion == "free-pro-team@latest" %} either explicitly from a lock file or by checking the dependencies of your direct dependencies. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}.
{% if currentVersion == "free-pro-team@latest" %}
### Dependents included
For public repositories, only public repositories that depend on it or on packages that it publishes are reported. This information is not reported for private repositories.{% endif %}
The dependency graph identifies indirect dependencies.
### Using the dependency graph
You can use the dependency graph to:
- Explore the repositories your code depends on{% if currentVersion == "free-pro-team@latest" %}, and those that depend on it{% endif %}. For more information, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)." {% if currentVersion == "free-pro-team@latest" %}
- View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see "[Viewing insights for your organization](/articles/viewing-insights-for-your-organization#viewing-organization-dependency-insights)."{% endif %}
- View and update vulnerable dependencies for your repository. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."{% if currentVersion == "free-pro-team@latest" %}
- See information about vulnerable dependencies in pull requests. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."{% endif %}
- Explore the repositories your code depends on. For more information, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."
- View and update vulnerable dependencies for your repository. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
### Enabling the dependency graph
{% if currentVersion == "free-pro-team@latest" %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} If the dependency graph is not available in your system, your site administrator can enable the dependency graph and security alerts. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."
{% endif %}
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% if currentVersion == "free-pro-team@latest" %} and every push to other repositories in the graph{% endif %}.
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository.
### Supported package ecosystems
The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build set up and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.{% if currentVersion == "free-pro-team@latest" %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from the checks for vulnerable dependencies.{% endif %}
The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build set up and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.
{% if currentVersion == "free-pro-team@latest" %}The ecosystems listed below are supported for the dependency graph, {% data variables.product.prodname_dependabot_alerts %}, and {% data variables.product.prodname_dependabot_security_updates %}.{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}The ecosystems listed below are supported for the dependency graph and {% data variables.product.prodname_dependabot_alerts %}.{% endif %}
The ecosystems listed below are supported for the dependency graph and {% if currentVersion == "enterprise-server@2.22" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}.
| Package manager | Languages | Recommended formats | All supported formats |
| --- | --- | --- | ---|
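Review bot: "The dependency graph identifies indirect dependencies." drops the qualifier the removed `{% else %}` branch carried for GHES, "from the lock files". That qualifier is the security-relevant part (indirect dependencies are only known, and therefore only checked for vulnerabilities, when a lock file pins them), so restore it: "The dependency graph identifies indirect dependencies from the lock files." Also, the supported-ecosystems sentence tests `currentVersion == "enterprise-server@2.22"` while the enabling paragraph above tests `ver_gt "enterprise-server@2.21"`; same condition, two spellings, pick one.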
@@ -87,7 +71,4 @@ The recommended formats explicitly define which versions are used for all direct
### Further reading
- "[Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph)" on Wikipedia
- "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)"{% if currentVersion == "free-pro-team@latest" %}
- "[Viewing insights for your organization](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-your-organization)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)"{% endif %}
- "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)"

View File

@@ -6,30 +6,20 @@ versions:
topics:
- repositories
---
<!--See /content/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository for the latest version of this article -->
### Viewing the dependency graph
{% data reusables.repositories.enable-security-alerts %}
The dependency graph shows the dependencies{% if currentVersion == "free-pro-team@latest" %} and dependents{% endif %} of your repository. For information about the detection of dependencies and which ecosystems are supported, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
The dependency graph shows the dependencies of your repository. For information about the detection of dependencies and which ecosystems are supported, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
{% data reusables.repositories.click-dependency-graph %}{% if currentVersion == "free-pro-team@latest" %}
4. Optionally, under "Dependency graph", click **Dependents**.
![Dependents tab on the dependency graph page](/assets/images/help/graphs/dependency-graph-dependents-tab.png){% endif %}
{% data reusables.repositories.click-dependency-graph %}
#### Dependencies view
{% if currentVersion == "free-pro-team@latest" %}
Dependencies are grouped by ecosystem. You can expand a dependency to view its dependencies. For dependencies on public repositories hosted on {% data variables.product.product_name %}, you can also click a dependency to view the repository. Dependencies on private repositories, private packages, or unrecognized files are shown in plain text.
If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
![Dependencies graph](/assets/images/help/graphs/dependencies_graph.png)
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
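Review bot: with the free-pro-team block under "#### Dependencies view" removed, the heading is now immediately followed by `{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}`; confirm that the branch following it in the unchanged part of the file still supplies a body for 2.21 readers, otherwise that version renders an empty section. If this file is now enterprise-only, as the removal of every `free-pro-team@latest` block suggests, the `enterpriseServerVersions contains currentVersion` clause is redundant and `currentVersion == "enterprise-server@2.22"` states the intent more plainly.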
@@ -56,60 +46,8 @@ Any direct and indirect dependencies that are specified in the repository's mani
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
#### Dependents view
For public repositories, the dependents view shows how the repository is used by other repositories. To show only the repositories that contain a library in a package manager, click **NUMBER Packages** immediately above the list of dependent repositories. The dependent counts are approximate and may not always match the dependents listed.
![Dependents graph](/assets/images/help/graphs/dependents_graph.png)
### Enabling and disabling the dependency graph for a private repository
Repository administrators can enable or disable the dependency graph for private repositories.
You can also enable or disable the dependency graph for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](//organizations/collaborating-with-groups-in-organizations/managing-security-and-analysis-settings-for-your-organization)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-security-and-analysis %}
4. Read the message about granting {% data variables.product.product_name %} read-only access to the repository data to enable the dependency graph, then next to "Dependency Graph", click **Enable**.
!["Enable" button for the dependency graph](/assets/images/help/repository/dependency-graph-enable-button.png)
You can disable the dependency graph at any time by clicking **Disable** next to "Dependency Graph" on the Security & analysis tab.
### Changing the "Used by" package
If the dependency graph is enabled, and your repository contains a package that's published on a supported package ecosystem, {% data variables.product.prodname_dotcom %} displays a "Used by" section in the sidebar of the **Code** tab of your repository. For more information about the supported package ecosystems, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
The "Used by" section shows the number of public references to the package that were found, and displays the avatars of some of the owners of the dependent projects.
!["Used by" sidebar section](/assets/images/help/repository/used-by-section.png)
Clicking any item in this section takes you to the **Dependents** tab of the dependency graph.
The "Used by" section represents a single package from the repository. If you have admin permissions to a repository that contains multiple packages, you can choose which package the "Used by" section represents.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-security-and-analysis %}
4. Under "Configure security and analysis features", click the drop-down menu in the "Used by counter" section and choose a package.
![Choose a "Used by" package](/assets/images/help/repository/choose-used-by-package.png)
{% endif %}
### Troubleshooting the dependency graph
If your dependency graph is empty, there may be a problem with the file containing your dependencies. Check the file to ensure that it's correctly formatted for the file type.
{% if currentVersion == "free-pro-team@latest" %}
If the file is correctly formatted, then check its size. The dependency graph ignores individual manifest and lock files that are over 0.5 Mb, unless you are a {% data variables.product.prodname_enterprise %} user. It processes up to 20 manifest or lock files per repository by default, so you can split dependencies into smaller files in subdirectories of the repository.{% endif %}
If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for vulnerable dependencies.
### Further reading
- "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"{% if currentVersion == "free-pro-team@latest" %}
- "[Viewing insights for your organization](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-your-organization)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Understanding how {% data variables.product.product_name %} uses and protects your data](/github/understanding-how-github-uses-and-protects-your-data)"
{% endif %}
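Review bot: the "Further reading" bullet `- "[About the dependency graph](...)"{% if currentVersion == "free-pro-team@latest" %}` appears only once in this hunk, still carrying its trailing `{% if %}`, while the three free-pro-team bullets after it are removed; drop that trailing tag and the matching `{% endif %}` together with the bullets, since leaving the tag without the `{% endif %}` breaks the Liquid and leaving both behind leaves an empty conditional. Also, the troubleshooting paragraph about the 0.5 MB per-file limit and the 20 manifest or lock files processed per repository went away with its free-pro-team guard; if GHES applies the same limits, that paragraph belongs in the enterprise text too, because the line that follows it, "If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for vulnerable dependencies.", is the practical consequence and now has no cause stated before it.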