From 179307db8a0bc55a444e8e317f27e3a729cc90fb Mon Sep 17 00:00:00 2001 
From: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Date: Mon, 21 Aug 2023 10:32:42 -0400 Subject: [PATCH] Reorganize the code scanning docs into map topics that align with user journeys (#40424) Co-authored-by: Felicity Chapman --- ...ale-sets-with-actions-runner-controller.md | 2 +- .../security-hardening-for-github-actions.md | 2 +- .../audit-log-events-for-your-enterprise.md | 2 +- .../canceling-a-github-marketplace-app.md | 5 +-- ...lling-plan-for-a-github-marketplace-app.md | 5 +-- .../phase-2-preparing-to-enable-at-scale.md | 2 +- .../phase-3-pilot-programs.md | 4 +- ...-for-code-scanning-with-codeql-at-scale.md | 36 ---------------- .../index.md | 35 --------------- ...ql-code-scanning-for-compiled-languages.md | 12 ++++-- ...-for-code-scanning-with-codeql-at-scale.md | 38 ++++++++++++++++ ...guring-advanced-setup-for-code-scanning.md | 24 ++++++----- ...-your-advanced-setup-for-code-scanning.md} | 40 ++++++++--------- .../index.md | 21 +++++++++ ...d-hardware-resources-for-running-codeql.md | 2 + ...ing-codeql-code-scanning-in-a-container.md | 3 +- ...efault-setup-for-code-scanning-at-scale.md | 13 +++--- ...iguring-default-setup-for-code-scanning.md | 15 ++++--- .../enabling-code-scanning/index.md | 15 +++++++ content/code-security/code-scanning/index.md | 7 ++- .../about-integration-with-code-scanning.md | 4 +- .../sarif-support-for-code-scanning.md | 4 +- .../uploading-a-sarif-file-to-github.md | 2 +- .../about-code-scanning-with-codeql.md | 11 ++--- .../about-code-scanning.md | 13 +++--- .../introduction-to-code-scanning/index.md | 22 ++++++++++ .../about-code-scanning-alerts.md | 14 +++--- .../managing-code-scanning-alerts/index.md | 20 +++++++++ ...ode-scanning-alerts-for-your-repository.md | 23 +++++----- ...nning-alerts-in-issues-using-task-lists.md | 32 +++++++++----- ...g-code-scanning-alerts-in-pull-requests.md | 15 ++++--- .../about-the-tool-status-page.md | 10 +++-- .../built-in-codeql-query-suites.md | 8 ++-- 
...ing-your-configuration-of-default-setup.md | 43 +++++++++++++++++++ .../index.md | 20 +++++++++ .../viewing-code-scanning-logs.md | 9 ++-- ...nguage-is-causing-default-setup-to-fail.md | 4 +- ...ic-build-failed-for-a-compiled-language.md | 4 +- .../build-is-taking-too-long.md | 4 +- ...odeql-scanned-fewer-lines-than-expected.md | 2 +- .../enabling-default-setup-takes-too-long.md | 2 +- .../no-source-code-seen-during-build.md | 8 ++-- .../out-of-disk-or-memory.md | 4 +- .../results-are-different-than-expected.md | 2 +- .../results-differ-between-platforms.md | 2 +- .../unclear-what-triggered-a-workflow-run.md | 2 +- .../unnecessary-step-found.md | 2 +- .../troubleshooting-sarif/file-too-large.md | 20 ++++----- ...-codeql-code-scanning-in-your-ci-system.md | 2 +- ...onfiguring-codeql-cli-in-your-ci-system.md | 16 +++---- ...installing-codeql-cli-in-your-ci-system.md | 4 +- .../codeql-cli-manual/database-create.md | 2 +- .../codeql-cli-manual/database-init.md | 2 +- .../about-the-codeql-cli.md | 16 +++---- ...analyzing-your-code-with-codeql-queries.md | 6 +-- .../customizing-analysis-with-codeql-packs.md | 12 +++--- ...preparing-your-code-for-codeql-analysis.md | 14 +++--- ...ading-codeql-analysis-results-to-github.md | 4 +- .../publishing-and-using-codeql-packs.md | 8 ++-- .../auditing-security-alerts.md | 2 +- .../github-security-features.md | 2 +- .../securing-your-repository.md | 6 +-- content/code-security/guides.md | 28 ++++++------ content/code-security/index.md | 12 +++--- .../about-security-overview.md | 2 +- .../end-to-end-supply-chain/securing-code.md | 4 +- .../syntax-for-issue-forms.md | 1 - .../using-github-copilot-chat.md | 12 +++--- ...checking-out-a-commit-in-github-desktop.md | 7 ++- ...erry-picking-a-commit-in-github-desktop.md | 7 ++- ...ring-a-default-editor-in-github-desktop.md | 5 +-- .../about-github-advanced-security.md | 4 +- .../about-task-lists.md | 2 +- .../audit-log-events-for-your-organization.md | 2 +- 
...analysis-settings-for-your-organization.md | 4 +- .../repository-roles-for-an-organization.md | 4 +- .../viewing-a-pull-request-review.md | 2 +- data/reusables/actions/oidc-endpoints.md | 4 +- .../actions/starter-workflow-categories.md | 2 +- .../required-workflow-source-notes.md | 2 +- data/reusables/apps/app-scans.md | 2 +- .../about-multiple-configurations-link.md | 4 +- .../code-scanning/alert-tracking-link.md | 2 +- .../alerts-found-in-generated-code.md | 2 +- .../codeql-query-suites-explanation.md | 2 +- .../code-scanning/default-setup-info-link.md | 2 +- .../code-scanning/enabling-options.md | 4 +- .../github-issues-integration.md | 4 +- .../code-scanning/run-additional-queries.md | 4 +- ...troubleshooting-multiple-configurations.md | 2 +- .../products-table-header.md | 6 +-- .../lib/static/redirect-exceptions.txt | 8 ++-- 92 files changed, 480 insertions(+), 351 deletions(-) delete mode 100644 content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md delete mode 100644 content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => creating-an-advanced-setup-for-code-scanning}/codeql-code-scanning-for-compiled-languages.md (94%) create mode 100644 content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => creating-an-advanced-setup-for-code-scanning}/configuring-advanced-setup-for-code-scanning.md (90%) rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md => 
creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md} (91%) create mode 100644 content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/index.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => creating-an-advanced-setup-for-code-scanning}/recommended-hardware-resources-for-running-codeql.md (92%) rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => creating-an-advanced-setup-for-code-scanning}/running-codeql-code-scanning-in-a-container.md (94%) rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => enabling-code-scanning}/configuring-default-setup-for-code-scanning-at-scale.md (91%) rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => enabling-code-scanning}/configuring-default-setup-for-code-scanning.md (90%) create mode 100644 content/code-security/code-scanning/enabling-code-scanning/index.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => introduction-to-code-scanning}/about-code-scanning-with-codeql.md (90%) rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => introduction-to-code-scanning}/about-code-scanning.md (80%) create mode 100644 content/code-security/code-scanning/introduction-to-code-scanning/index.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-code-scanning-alerts}/about-code-scanning-alerts.md (91%) create mode 100644 content/code-security/code-scanning/managing-code-scanning-alerts/index.md rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => 
managing-code-scanning-alerts}/managing-code-scanning-alerts-for-your-repository.md (90%)
rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-code-scanning-alerts}/tracking-code-scanning-alerts-in-issues-using-task-lists.md (73%)
rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-code-scanning-alerts}/triaging-code-scanning-alerts-in-pull-requests.md (90%)
rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-your-code-scanning-configuration}/about-the-tool-status-page.md (92%)
rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-your-code-scanning-configuration}/built-in-codeql-query-suites.md (74%)
create mode 100644 content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md
create mode 100644 content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md
rename content/code-security/code-scanning/{automatically-scanning-your-code-for-vulnerabilities-and-errors => managing-your-code-scanning-configuration}/viewing-code-scanning-logs.md (86%)
diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
index 378a39061f..37570e2302 100644
--- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
+++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
@@ -521,7 +521,7 @@ template:
 You can use {% data variables.product.prodname_actions_runner_controller %} to create dedicated runners for your GitHub Enterprise Server instance that {% data variables.product.prodname_dependabot %} can use to help secure and maintain the dependencies used in repositories on your enterprise. For more information, see "[AUTOTITLE](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/managing-self-hosted-runners-for-dependabot-updates#system-requirements-for-dependabot-runners)."
-You can also use ARC with CodeQL to identify vulnerabilities and errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."
+You can also use ARC with CodeQL to identify vulnerabilities and errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)."
 {% data variables.product.prodname_actions_runner_controller %} does not use labels to route jobs to specific runner scale sets. Instead, to designate a runner scale set for {% data variables.product.prodname_dependabot %} updates or code scanning with CodeQL, use a descriptive installation name in your Helm chart, such as `dependabot` or `code-scanning`. You can then set the `runs-on` value in your workflows to the installation name, and use the designated runner scale set for {% data variables.product.prodname_dependabot %} updates or code scanning jobs.
diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md
index 29d8a741b6..d4c732dfc3 100644
--- a/content/actions/security-guides/security-hardening-for-github-actions.md
+++ b/content/actions/security-guides/security-hardening-for-github-actions.md
@@ -165,7 +165,7 @@ With this approach, the value of the {% raw %}`${{ github.event.issue.title }}`{
 {% data reusables.advanced-security.starter-workflows-beta %}
 {% data variables.product.prodname_code_scanning_caps %} allows you to find security vulnerabilities before they reach production. {% data variables.product.product_name %} provides starter workflows for {% data variables.product.prodname_code_scanning %}. You can use these suggested workflows to construct your {% data variables.product.prodname_code_scanning %} workflows, instead of starting from scratch. {% data variables.product.company_short%}'s workflow, the {% data variables.code-scanning.codeql_workflow %}, is powered by {% data variables.product.prodname_codeql %}. There are also third-party starter workflows available.
-For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)."
+For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)."
 {% endif %}
diff --git a/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md b/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md
index c7695c26cd..a7c8435a43 100644
--- a/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md
+++ b/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md
@@ -1128,7 +1128,7 @@ Before you'll see `git` category actions, you must enable Git events in the audi
 | `repo.clear_actions_settings` | A repository administrator cleared {% data variables.product.prodname_actions %} policy settings for a repository.
 | `repo.code_scanning_analysis_deleted` | Code scanning analysis for a repository was deleted. For more information, see "[AUTOTITLE](/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository)."
 {%- ifversion remove-code-scanning-configurations %}
-| `repo.code_scanning_configuration_for_branch_deleted` | A {% data variables.product.prodname_code_scanning %} configuration for a branch of a repository was deleted. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
+| `repo.code_scanning_configuration_for_branch_deleted` | A {% data variables.product.prodname_code_scanning %} configuration for a branch of a repository was deleted. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
 {%- endif %}
 | `repo.config` | A repository administrator blocked force pushes. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise)."
 {%- ifversion fpt or ghec %}
diff --git a/content/billing/managing-billing-for-github-marketplace-apps/canceling-a-github-marketplace-app.md b/content/billing/managing-billing-for-github-marketplace-apps/canceling-a-github-marketplace-app.md
index 91d4d9df4d..ef04af2ebb 100644
--- a/content/billing/managing-billing-for-github-marketplace-apps/canceling-a-github-marketplace-app.md
+++ b/content/billing/managing-billing-for-github-marketplace-apps/canceling-a-github-marketplace-app.md
@@ -59,13 +59,12 @@ When you cancel a free trial on a paid plan, your subscription is immediately ca
 {% data reusables.marketplace.cancel-free-trial-billing-settings %}
 {% data reusables.marketplace.cancel-app %}
-
 ## Canceling an app in your enterprise
 {% data reusables.marketplace.marketplace-enterprise-account %}
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.billing-tab %}
-1. In the "Marketplace apps" tab, find the app you want to cancel.
+1. In the "Marketplace apps" tab, find the app you want to cancel.
 1. Next to the organization where you want to cancel the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Cancel plan**.
-2. Click **Confirm**.
\ No newline at end of file
+1. Click **Confirm**.
\ No newline at end of file
diff --git a/content/billing/managing-billing-for-github-marketplace-apps/upgrading-the-billing-plan-for-a-github-marketplace-app.md b/content/billing/managing-billing-for-github-marketplace-apps/upgrading-the-billing-plan-for-a-github-marketplace-app.md
index b49e68aba9..af97aa8f4b 100644
--- a/content/billing/managing-billing-for-github-marketplace-apps/upgrading-the-billing-plan-for-a-github-marketplace-app.md
+++ b/content/billing/managing-billing-for-github-marketplace-apps/upgrading-the-billing-plan-for-a-github-marketplace-app.md
@@ -47,10 +47,9 @@ When you upgrade an app, your payment method is charged a prorated amount based
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.billing-tab %}
-1. In the "Marketplace apps" tab, find the app you want to uprade.
+1. In the "Marketplace apps" tab, find the app you want to uprade.
 1. Next to the organization where you want to upgrade the app, select **{% octicon "kebab-horizontal" aria-label="More" %}** and then click **Change plan**.
-2. Select the **Edit your plan** dropdown and click an account's plan to edit.
+1. Select the **Edit your plan** dropdown and click an account's plan to edit.
 {% data reusables.marketplace.choose-new-plan %}
 {% data reusables.marketplace.choose-new-quantity %}
 {% data reusables.marketplace.issue-plan-changes %}
-
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
index e3c7552e8d..4b20f81eb3 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-2-preparing-to-enable-at-scale.md
@@ -18,7 +18,7 @@ This article is part of a series on adopting {% data variables.product.prodname_
 ## Preparing to enable {% data variables.product.prodname_code_scanning %}
-{% data reusables.code-scanning.about-code-scanning %} For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)."
+{% data reusables.code-scanning.about-code-scanning %} For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)."
 Rolling {% data variables.product.prodname_code_scanning %} out across hundreds of repositories can be difficult, especially when done inefficiently. Following these steps will ensure your rollout is both efficient and successful. As part of your preparation, you will work with your teams, use automation to collect data about your repositories, and enable {% data variables.product.prodname_code_scanning %}.
diff --git a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
index d0e2fa8a77..103df006b1 100644
--- a/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
+++ b/content/code-security/adopting-github-advanced-security-at-scale/phase-3-pilot-programs.md
@@ -52,13 +52,13 @@ For more information about {% data variables.product.prodname_actions %}, see:
 - "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows)"
 - "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)"
-We recommend enabling {% data variables.product.prodname_code_scanning %} on a repository-by-repository basis as part of your pilot program. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."
+We recommend enabling {% data variables.product.prodname_code_scanning %} on a repository-by-repository basis as part of your pilot program. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
 If you want to enable code scanning for many repositories, you may want to script the process. For an example of a script that opens pull requests to add a {% data variables.product.prodname_actions %} workflow to multiple repositories, see the [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository for an example using PowerShell, or [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) for teams who do not have PowerShell and instead would like to use NodeJS.
-When running initial code scans, you may find that no results are found or that an unusual number of results are returned. You may want to adjust what is flagged in future scans. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)."
+When running initial code scans, you may find that no results are found or that an unusual number of results are returned. You may want to adjust what is flagged in future scans. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
 If your company wants to use other third-party code analysis tools with GitHub code scanning, you can use actions to run those tools within GitHub. Alternatively, you can upload results, which are generated by third-party tools as SARIF files, to code scanning. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning)."
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md
deleted file mode 100644
index dfea8d65b6..0000000000
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Configuring {% ifversion code-scanning-without-workflow %}advanced setup for {% endif %}code scanning with CodeQL at scale
-shortTitle: CodeQL {% ifversion code-scanning-without-workflow %}advanced setup{% else %}code scanning{% endif %} at scale
-intro: 'You can use a script to configure advanced setup for {% data variables.product.prodname_code_scanning %} for a specific group of repositories in your organization.'
-product: '{% data reusables.gated-features.code-scanning %}'
-versions:
- fpt: '*'
- ghec: '*'
- ghes: '*'
- ghae: '*'
-type: how_to
-topics:
- - Advanced Security
- - Code scanning
-allowTitleToDifferFromFilename: true
----
-## About configuring advanced setup for {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} at scale
-
-If you need to configure a highly customizable {% data variables.product.prodname_code_scanning %} setup for many repositories in your organization, or if repositories in your organization are ineligible for default setup, you can configure {% data variables.product.prodname_code_scanning %} at scale with advanced setup.
-
-To configure advanced setup across multiple repositories, you can write a bulk configuration script. To successfully execute the script, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.
-
-{% ifversion code-scanning-without-workflow %}
-Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure {% data variables.product.prodname_code_scanning %} at scale with default setup. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale)."
-{% endif %}
-
-## Using a script to configure advanced setup
-
-For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.
-
-1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
-2. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."{% else %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)."{% endif %}
-3. Use one of the example scripts create a custom script to add the workflow to each repository in the group.
- - PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository
- - NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md b/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md
deleted file mode 100644
index 7d311d5a3c..0000000000
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/index.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Automatically scanning your code for vulnerabilities and errors
-shortTitle: Scan code automatically
-intro: 'You can find vulnerabilities and errors in your project''s code on {% data variables.product.prodname_dotcom %}, as well as view, triage, understand, and resolve the related {% data variables.product.prodname_code_scanning %} alerts.'
-product: '{% data reusables.gated-features.code-scanning %}'
-redirect_from:
- - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors
- - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors
-versions:
- fpt: '*'
- ghes: '*'
- ghae: '*'
- ghec: '*'
-topics:
- - Advanced Security
- - Code scanning
-children:
- - /about-code-scanning
- - /about-code-scanning-with-codeql
- - /configuring-default-setup-for-code-scanning
- - /configuring-default-setup-for-code-scanning-at-scale
- - /codeql-code-scanning-for-compiled-languages
- - /configuring-advanced-setup-for-code-scanning
- - /customizing-code-scanning
- - /configuring-advanced-setup-for-code-scanning-with-codeql-at-scale
- - /recommended-hardware-resources-for-running-codeql
- - /running-codeql-code-scanning-in-a-container
- - /about-code-scanning-alerts
- - /managing-code-scanning-alerts-for-your-repository
- - /triaging-code-scanning-alerts-in-pull-requests
- - /tracking-code-scanning-alerts-in-issues-using-task-lists
- - /about-the-tool-status-page
- - /built-in-codeql-query-suites
- - /viewing-code-scanning-logs
----
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
similarity index 94%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages.md
rename to content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
index 1f04516318..6c9f1489b1 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md
@@ -12,6 +12,7 @@ redirect_from:
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages
 - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-the-codeql-workflow-for-compiled-languages
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages
 versions:
 fpt: '*'
 ghes: '*'
@@ -41,7 +42,7 @@ topics: {% ifversion code-scanning-without-workflow-310 %} -For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you can use default setup, which analyzes your code and automatically configures your {% data variables.product.prodname_code_scanning %}, or advanced setup, which generates a workflow file you can edit. {% ifversion codeql-swift-advanced-setup %}Default setup can analyze all compiled languages supported by {% data variables.product.prodname_codeql %}{% endif %}. For more information about advanced setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." +For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you can use default setup, which analyzes your code and automatically configures your {% data variables.product.prodname_code_scanning %}, or advanced setup, which generates a workflow file you can edit. {% ifversion codeql-swift-advanced-setup %}Default setup can analyze all compiled languages supported by {% data variables.product.prodname_codeql %}{% endif %}. For more information about advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." {% ifversion code-scanning-default-setup-self-hosted-310 %} You can use default setup with self-hosted runners for all {% data variables.product.prodname_codeql %}-supported languages except Swift. Default setup will always run the `autobuild` action, so you should configure your self-hosted runners to make sure they can run all necessary commands for C/C++, C#, and Java analysis. 
Analysis of Javascript/Typescript, Go, Ruby, Python, and Kotlin code does not currently require special configuration. 
@@ -49,11 +50,11 @@ You can use default setup with self-hosted runners for all {% data variables.pro {% elsif code-scanning-without-workflow %} -In {% data variables.product.product_name %} {{ allVersions[currentVersion].currentRelease }}, default setup does not support any compiled languages, so you must use advanced setup. Advanced setup generates a workflow file you can edit. The starter workflow files use `autobuild` to analyze compiled languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." +In {% data variables.product.product_name %} {{ allVersions[currentVersion].currentRelease }}, default setup does not support any compiled languages, so you must use advanced setup. Advanced setup generates a workflow file you can edit. The starter workflow files use `autobuild` to analyze compiled languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." {% else %} -You set up {% data variables.product.prodname_dotcom %} to run {% data variables.product.prodname_code_scanning %} for your repository by adding a {% data variables.product.prodname_actions %} workflow to the repository. For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you add the {% data variables.code-scanning.codeql_workflow %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)." 
+You set up {% data variables.product.prodname_dotcom %} to run {% data variables.product.prodname_code_scanning %} for your repository by adding a {% data variables.product.prodname_actions %} workflow to the repository. For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you add the {% data variables.code-scanning.codeql_workflow %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)." {% endif %} @@ -137,12 +138,15 @@ The `autobuild` process attempts to autodetect a suitable way to install the dep 1. Finally, if configurations files for these dependency managers are not found, rearrange the repository directory structure suitable for addition to `GOPATH`, and use `go get` to install dependencies. The directory structure reverts to normal after extraction completes. 1. Extract all Go code in the repository, similar to running `go build ./...`. +{% ifversion code-scanning-without-workflow %} + {% note %} **Note:** If you use default setup, it will look for a `go.mod` file to automatically install a compatible version of the Go language.{% ifversion code-scanning-default-setup-self-hosted-310 %} If you're using a self-hosted runner with default setup that doesn't have internet access, you can manually install a compatible version of Go.{% endif %} {% endnote %} +{% endif %} {% endif %} ### `autobuild` for Java {% ifversion codeql-kotlin-beta %} and Kotlin {% endif %} 
@@ -205,7 +209,7 @@ For Swift analysis, you must always explicitly install dependencies managed via ## Adding build steps for a compiled language -{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#editing-a-code-scanning-workflow)." +{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." After removing the `autobuild` step, uncomment the `run` step and add build commands that are suitable for your repository. The workflow `run` step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process. diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md new file mode 100644 index 0000000000..a569886a6f --- /dev/null +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale.md 
@@ -0,0 +1,38 @@
+---
+title: Configuring {% ifversion code-scanning-without-workflow %}advanced setup for {% endif %}code scanning with CodeQL at scale
+shortTitle: CodeQL {% ifversion code-scanning-without-workflow %}advanced setup{% else %}code scanning{% endif %} at scale
+intro: 'You can use a script to configure {% ifversion code-scanning-without-workflow %}advanced setup for {% endif %}{% data variables.product.prodname_code_scanning %} for a specific group of repositories in your organization.'
+product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+  ghae: '*'
+type: how_to
+topics:
+  - Advanced Security
+  - Code scanning
+allowTitleToDifferFromFilename: true
+---
+
+## About configuring {% ifversion code-scanning-without-workflow %}advanced setup for {% endif %}{% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} at scale
+
+{% ifversion code-scanning-without-workflow %}If you need to configure a highly customizable {% data variables.product.prodname_code_scanning %} setup for many repositories in your organization, or if repositories in your organization are ineligible for default setup, you can configure {% data variables.product.prodname_code_scanning %} at scale with advanced setup.{% endif %}
+
+To configure {% ifversion code-scanning-without-workflow %}advanced setup{% else %}{% data variables.product.prodname_code_scanning %}{% endif %} across multiple repositories, you can write a bulk configuration script. To successfully execute the script, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.
+
+{% ifversion code-scanning-without-workflow %}
+Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."
+{% endif %}
+
+## Using a script to configure {% ifversion code-scanning-without-workflow %}advanced setup{% else %}{% data variables.product.prodname_code_scanning %}{% endif %}
+
+{% ifversion code-scanning-without-workflow %}For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.{% endif %}
+
+1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
+1. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."{% else %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)."{% endif %}
+1. Use one of the example scripts create a custom script to add the workflow to each repository in the group.
+   - PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository
+   - NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md
similarity index 90%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning.md
rename to content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md
index 10ec599dac..b8a03c07af 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning.md
@@ -4,6 +4,8 @@ shortTitle: Configure {% ifversion code-scanning-without-workflow %}advanced set
 intro: 'You can configure {% ifversion code-scanning-without-workflow %}advanced setup{% else %}{% data variables.product.prodname_code_scanning %}{% endif %} for a repository to find security vulnerabilities in your code{% ifversion code-scanning-without-workflow %} using a highly customizable {% data variables.product.prodname_code_scanning %} configuration{% endif %}.'
 product: '{% data reusables.gated-features.code-scanning %}'
 permissions: 'People with admin permissions to a repository, or the security manager role for the repository, can configure {% data variables.product.prodname_code_scanning %} for that repository. People with write permissions to a repository can also configure {% data variables.product.prodname_code_scanning %}, but only by creating a workflow file or manually uploading a SARIF file.'
+redirect_from:
+  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
 versions:
   fpt: '*'
   ghes: '*'
@@ -36,7 +38,7 @@ You can also configure {% data variables.product.prodname_code_scanning %} with {% data reusables.code-scanning.codeql-action-version-ghes %} {% ifversion code-scanning-without-workflow %} -If you do not need a highly customizable {% data variables.product.prodname_code_scanning %} configuration, consider using default setup for {% data variables.product.prodname_code_scanning %}. For more information on eligibility for default setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning#requirements-for-using-default-setup)." +If you do not need a highly customizable {% data variables.product.prodname_code_scanning %} configuration, consider using default setup for {% data variables.product.prodname_code_scanning %}. For more information on eligibility for default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#requirements-for-using-default-setup)." {% endif %} ### Prerequisites 
@@ -91,7 +93,7 @@ You can customize your {% data variables.product.prodname_code_scanning %} by cr Generally, you can commit the {% data variables.code-scanning.codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing. - For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages)." + For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." 1. Click **Commit changes...** to display the commit changes form. 
@@ -103,7 +105,7 @@ You can customize your {% data variables.product.prodname_code_scanning %} by cr In the suggested {% data variables.code-scanning.codeql_workflow %}, {% data variables.product.prodname_code_scanning %} is configured to analyze your code each time you either push a change to the default branch or any protected branches, or raise a pull request against the default branch. As a result, {% data variables.product.prodname_code_scanning %} will now commence. -The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#configuring-frequency)." +The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#configuring-frequency)." {% else %} 
@@ -120,7 +122,7 @@ The `on:pull_request` and `on:push` triggers for code scanning are each useful f Generally, you can commit the {% data variables.code-scanning.codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing. - For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages)." + For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)." 1. Click **Commit changes...** to display the commit changes form. 
@@ -131,7 +133,7 @@ The `on:pull_request` and `on:push` triggers for code scanning are each useful f In the suggested {% data variables.code-scanning.codeql_workflow %}, {% data variables.product.prodname_code_scanning %} is configured to analyze your code each time you either push a change to the default branch or any protected branches, or raise a pull request against the default branch. As a result, {% data variables.product.prodname_code_scanning %} will now commence. -The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#configuring-frequency)." +The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#configuring-frequency)." {% endif %} @@ -161,7 +163,7 @@ For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scannin ![Screenshot showing a starter workflow file open for editing. The "Documentation" button is highlighted with an orange outline.](/assets/images/help/security/actions-workflows-documentation.png) - For more information, see "[AUTOTITLE](/actions/using-workflows/using-starter-workflows#using-starter-workflows)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)." + For more information, see "[AUTOTITLE](/actions/using-workflows/using-starter-workflows#using-starter-workflows)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." {% endif %} {% ifversion ghes < 3.5 %} 
@@ -201,10 +203,10 @@ There are other situations where there may be no analysis for the latest commit After configuring {% data variables.product.prodname_code_scanning %}, and allowing its actions to complete, you can: -- View all of the {% data variables.product.prodname_code_scanning %} alerts generated for this repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)." -- View any alerts generated for a pull request submitted after you configure {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)." +- View all of the {% data variables.product.prodname_code_scanning %} alerts generated for this repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)." +- View any alerts generated for a pull request submitted after you configure {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." - Configure notifications for completed runs. For more information, see "[AUTOTITLE](/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#github-actions-notification-options)." -- Learn about {% data variables.product.prodname_code_scanning %} checks on pull requests. For more information, "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-as-a-pull-request-check)." 
-- View the logs generated by the {% data variables.product.prodname_code_scanning %} analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs)." +- Learn about {% data variables.product.prodname_code_scanning %} checks on pull requests. For more information, "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#about-code-scanning-as-a-pull-request-check)." +- View the logs generated by the {% data variables.product.prodname_code_scanning %} analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs)." - Investigate any problems that occur with the initial configuration of {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)." -- Customize how {% data variables.product.prodname_code_scanning %} scans the code in your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)." +- Customize how {% data variables.product.prodname_code_scanning %} scans the code in your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." 
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md
similarity index 91%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md
rename to content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md
index 62dca94bd3..d0e9be8825 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md
@@ -1,6 +1,6 @@
 ---
-title: Customizing code scanning
-intro: 'You can customize how {% data variables.product.prodname_dotcom %} scans the code in your project for vulnerabilities and errors.'
+title: Customizing {% ifversion code-scanning-without-workflow %}your advanced setup for {% endif %}code scanning
+intro: 'You can customize how {% ifversion code-scanning-without-workflow %}your advanced setup {% else %}{% data variables.product.prodname_dotcom %} {% endif %}scans the code in your project for vulnerabilities and errors.'
 product: '{% data reusables.gated-features.code-scanning %}'
 permissions: 'People with write permissions to a repository can customize {% data variables.product.prodname_code_scanning %} for the repository.'
 redirect_from:
@@ -9,6 +9,7 @@ redirect_from: - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning + - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning versions: fpt: '*' ghes: '*' @@ -23,7 +24,8 @@ topics: - Pull requests - JavaScript - Python -shortTitle: Customize code scanning +shortTitle: Customize {% ifversion code-scanning-without-workflow %}advanced setup{% else %}code scanning{% endif %} +allowTitleToDifferFromFilename: true --- 
@@ -37,15 +39,9 @@ make sure that you also update the MS short link: https://aka.ms/code-scanning-d You can run {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}, using {% data variables.product.prodname_actions %}, or from your continuous integration (CI) system. For more information, see "[AUTOTITLE](/actions/learn-github-actions)" or "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system)." -{% ifversion code-scanning-without-workflow %}Both the default and advanced setups for {% data variables.product.prodname_code_scanning %} run on {% data variables.product.prodname_actions %}. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite default setup will run{% ifversion code-scanning-without-workflow-310 %} and the languages default setup will analyze{% endif %}. Alternatively, you can use advanced setup to further customize a {% data variables.product.prodname_code_scanning %} workflow. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."{% endif %} This article is about {% ifversion code-scanning-without-workflow %}customizing your advanced setup for {% data variables.product.prodname_code_scanning %}.{% else %}running {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %} using actions.{% endif %} +{% ifversion code-scanning-without-workflow %}With advanced setup for {% data variables.product.prodname_code_scanning %}, you can customize a {% data variables.product.prodname_code_scanning %} workflow for granular control over your configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."{% else %}This article is about running {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %} using actions.{% endif %} -{% ifversion code-scanning-without-workflow %}{% else %}Before you can customize {% data variables.product.prodname_code_scanning %} for a repository, you must configure {% data variables.product.prodname_code_scanning %} by adding a {% data variables.product.prodname_actions %} workflow to the repository. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."{% endif %} - -{% ifversion code-scanning-without-workflow %} - -With advanced setup, you can edit workflows like {% data variables.product.prodname_dotcom %}'s {% data variables.code-scanning.codeql_workflow %} to specify the frequency of scans, the languages or directories to scan, and what {% data variables.product.prodname_code_scanning %} looks for in your code. You might also need to edit the workflow if you use a specific set of commands to compile your code. - -{% else %} +{% ifversion code-scanning-without-workflow %}{% else %}Before you can customize {% data variables.product.prodname_code_scanning %} for a repository, you must configure {% data variables.product.prodname_code_scanning %} by adding a {% data variables.product.prodname_actions %} workflow to the repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." {% data reusables.code-scanning.edit-workflow %} 
@@ -73,9 +69,9 @@ Scanning code when someone pushes a change, and whenever a pull request is creat By default, the {% data variables.code-scanning.codeql_workflow %} uses the `on.push` event to trigger a code scan on every push to the default branch of the repository and any protected branches. For {% data variables.product.prodname_code_scanning %} to be triggered on a specified branch, the workflow must exist in that branch. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#on)." -If you scan on push, then the results appear in the **Security** tab for your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +If you scan on push, then the results appear in the **Security** tab for your repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." -Additionally, when an `on:push` scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on {% data variables.product.prodname_code_scanning %} alerts in pull requests, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)." +Additionally, when an `on:push` scan returns results that can be mapped to an open pull request, these alerts will automatically appear on the pull request in the same places as other pull request alerts. 
The alerts are identified by comparing the existing analysis of the head of the branch to the analysis for the target branch. For more information on {% data variables.product.prodname_code_scanning %} alerts in pull requests, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." ### Scanning pull requests 
@@ -83,9 +79,9 @@ The default {% data variables.code-scanning.codeql_workflow %} uses the `pull_re
 For more information about the `pull_request` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request)."
-If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)."
+If you scan pull requests, then the results appear as alerts in a pull request check. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
-Using the `pull_request` trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the `on:push` trigger and {% data variables.product.prodname_code_scanning %} will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#scanning-on-push)."
+Using the `pull_request` trigger, configured to scan the pull request's merge commit rather than the head commit, will produce more efficient and accurate results than scanning the head of the branch on each push. However, if you use a CI/CD system that cannot be configured to trigger on pull requests, you can still use the `on:push` trigger and {% data variables.product.prodname_code_scanning %} will map the results to open pull requests on the branch and add the alerts as annotations on the pull request. For more information, see "[Scanning on push](#scanning-on-push)."
 {% ifversion fpt or ghec %}
@@ -160,7 +156,7 @@ This workflow scans:
 **Notes**:
-- Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift)." For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %}
+- Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}{% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, so you should consider only scanning the build step. For more information about configuring code scanning for Swift, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#considerations-for-building-swift)." For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %}
 - Code scanning of Swift code is not supported for runners that are part of an Actions Runner Controller (ARC), but you can have a mixture of both ARC runners and self-hosted macOS runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller)."
@@ -190,7 +186,7 @@ jobs:
 {% ifversion ghes %}You must ensure that Git is in the PATH variable on your self-hosted runners.{% else %}If you use a self-hosted runner, you must ensure that Git is in the PATH variable.{% endif %} For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
-For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis{% ifversion not ghes %} on self-hosted machines{% endif %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql)."
+For recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis{% ifversion not ghes %} on self-hosted machines{% endif %}, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)."
 ## Specifying the location for {% data variables.product.prodname_codeql %} databases
@@ -295,7 +291,7 @@ jobs:
 ## Defining the alert severities that give a check failure for a pull request
-By default, only alerts with the severity level of `Error` or security severity level of `Critical` or `High` will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities and of security severities that will cause a pull request check failure in your repository settings. For more information about severity levels, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alert-details)."
+By default, only alerts with the severity level of `Error` or security severity level of `Critical` or `High` will cause a pull request check failure, and a check will still succeed with alerts of lower severities. You can change the levels of alert severities and of security severities that will cause a pull request check failure in your repository settings. For more information about severity levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details)."
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
@@ -561,7 +557,7 @@ query-filters:
 id: js/useless-assignment-to-local
 ```
-To find the id of a query, you can click the alert in the list of alerts in the **Security** tab. This opens the alert details page. The `Rule ID` field contains the query id. For more information about the alert details page, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alert-details)."
+To find the id of a query, you can click the alert in the list of alerts in the **Security** tab. This opens the alert details page. The `Rule ID` field contains the query id. For more information about the alert details page, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alert-details)."
 {% tip %}
@@ -599,7 +595,7 @@ paths-ignore:
 {% endnote %}
-For compiled languages, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
+For compiled languages, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
 You can quickly analyze small portions of a monorepo when you modify code in specific directories. You'll need to both exclude directories in your build steps and use the `paths-ignore` and `paths` keywords for [`on.`](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore) in your workflow.
@@ -611,7 +607,7 @@ You can quickly analyze small portions of a monorepo when you modify code in spe
 ## Specifying configuration details using the `config` input
-If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file)" above.
+If you'd prefer to specify additional configuration details in the workflow file, you can use the `config` input of the `init` command of the {% data variables.product.prodname_codeql %} action. The value of this input must be a YAML string that follows the configuration file format documented at "[Using a custom configuration file](#using-a-custom-configuration-file)" above.
 ### Example configuration
@@ -654,7 +650,7 @@ In the following example, `vars.CODEQL_CONF` is a {% data variables.product.prod
 {% data reusables.code-scanning.autobuild-compiled-languages %}
-{% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages)."
+{% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages)."
 ## Uploading {% data variables.product.prodname_code_scanning %} data to {% data variables.product.prodname_dotcom %}
diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/index.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/index.md
new file mode 100644
index 0000000000..6e70b4f1f1
--- /dev/null
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/index.md
@@ -0,0 +1,21 @@
+---
+title: Creating {% ifversion code-scanning-without-workflow %}an advanced setup for {% else %}a workflow {% endif %}for {% data variables.product.prodname_code_scanning %}
+shortTitle: '{% ifversion code-scanning-without-workflow %}Create advanced setup{% else %}Create workflow {% data variables.product.prodname_code_scanning %}{% endif %}'
+intro: '{% ifversion code-scanning-without-workflow %}For more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you can secure your code with advanced setup for {% data variables.product.prodname_code_scanning %}.{% else %}Create and customize a {% data variables.product.prodname_actions %} workflow to control the analysis of your codebase.{% endif %}'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ fpt: '*'
+ ghes: '*'
+ ghae: '*'
+ ghec: '*'
+topics:
+ - Advanced Security
+ - Code scanning
+children:
+ - /configuring-advanced-setup-for-code-scanning
+ - /customizing-your-advanced-setup-for-code-scanning
+ - /codeql-code-scanning-for-compiled-languages
+ - /configuring-advanced-setup-for-code-scanning-with-codeql-at-scale
+ - /recommended-hardware-resources-for-running-codeql
+ - /running-codeql-code-scanning-in-a-container
+---
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql.md
similarity index 92%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql.md
rename to content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql.md
index 5574ae233f..d207cec0fa 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql.md
@@ -3,6 +3,8 @@ title: Recommended hardware resources for running CodeQL
 shortTitle: Hardware resources for CodeQL
 intro: 'Recommended specifications (RAM, CPU cores, and disk) for running {% data variables.product.prodname_codeql %} analysis on self-hosted machines, based on the size of your codebase.'
 product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql
 versions:
 fpt: '*'
 ghes: '*'
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md
similarity index 94%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container.md
rename to content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md
index b9ddf18006..cfb609538f 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container.md
+++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container.md
@@ -8,6 +8,7 @@ redirect_from:
 - /code-security/secure-coding/running-codeql-code-scanning-in-a-container
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container
 versions:
 fpt: '*'
 ghes: '*'
@@ -39,7 +40,7 @@ You must run {% data variables.product.prodname_codeql %} inside the container i
 {% endnote %}
-## Dependencies
+## Dependencies for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}
 You may have difficulty running {% data variables.product.prodname_code_scanning %} if the container you're using is missing certain dependencies (for example, Git must be installed and added to the PATH variable). If you encounter dependency issues, review the list of software typically included on {% data variables.product.prodname_dotcom %}'s runner images. For more information, see the version-specific `readme` files in these locations:
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
similarity index 91%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale.md
rename to content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
index 77b5d8fa87..e7ff12560c 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md
@@ -4,6 +4,7 @@ shortTitle: Code scanning at scale
 intro: 'You can quickly configure {% data variables.product.prodname_code_scanning %} for repositories across your organization using default setup.'
 redirect_from:
 - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale
 product: '{% data reusables.gated-features.code-scanning %}'
 type: how_to
 topics:
@@ -25,9 +26,9 @@ You can also use security overview to find a set of repositories in your organiz
 {% endif %}
-You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)."
+You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
-For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale)."
+For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale)."
@@ -63,7 +64,7 @@ Through the "Code security and analysis" page of your organization's settings, y
 1. Click **Settings** next to your organization.
 1. Click **Code security & analysis**.
 1. Click **Enable all** next to "{% data variables.product.prodname_code_scanning_caps %}".{% ifversion bulk-code-scanning-query-suite%}
-1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites)."
+1. In the "Query suites" section of the "Enable {% data variables.product.prodname_code_scanning %} default setup" dialog box displayed, select the query suite your configuration of default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
 1. To enable your configuration of default setup, click **Enable for eligible repositories**.
 1. Optionally, to recommend the "Extended" query suite throughout your organization when enabling default setup, select "Recommend the extended query suite for repositories enabling default setup."{% else %}
 1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" dialog box displayed, click **Enable for eligible repositories** to enable your configuration of default setup.{% endif %}
@@ -72,11 +73,11 @@ Through the "Code security and analysis" page of your organization's settings, y
 **Notes:**
 - {% data reusables.code-scanning.limitation-org-enable-all %}
- - Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."
+ - Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[Configuring default setup for a subset of repositories in an organization](#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."
 {% endnote %}
 {% else %}
-{% data variables.product.prodname_code_scanning_caps %} is configured at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)."
+{% data variables.product.prodname_code_scanning_caps %} is configured at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
 {% endif %}
 {% ifversion code-security-multi-repo-enablement %}
 ## Configuring default setup for a subset of repositories in an organization
@@ -115,7 +116,7 @@ You can select all of the displayed repositories, or a subset of them, and enabl
 1. In the list of repositories, select each repository you want to enable {% data variables.product.prodname_code_scanning %} for. To select all repositories on the page, click the checkbox next to **NUMBER Active**. To select all repositories that match the current search, click the checkbox next to **NUMBER Active** and then click **Select all NUMBER repos**.
 1. Click **Security settings** next to **NUMBER selected**.
 1. In the side panel, in the "{% data variables.product.prodname_codeql %} Default Setup" section, select **No change**, then click **Enable**.{% ifversion bulk-code-scanning-query-suite %}
-1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites)."{% endif %}
+1. Optionally, to choose a different query suite than your organization's default query suite, select **Query suite: SUITE NAME**, then click the query suite your configuration of default setup should use. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."{% endif %}
 1. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to select or deselect more repositories for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes.
 {% note %}
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
similarity index 90%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning.md
rename to content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
index 706529f35f..53d7c086bd 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning.md
+++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
@@ -13,6 +13,7 @@ redirect_from:
 - /code-security/secure-coding/configuring-code-scanning-for-a-repository
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
 - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning
 product: '{% data reusables.gated-features.code-scanning %}'
 permissions: 'People with admin permissions to a repository, or the security manager role for the repository, can configure {% data variables.product.prodname_code_scanning %} for that repository.'
 type: how_to
@@ -27,11 +28,11 @@ versions:
 Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. You can enable this automatically selected configuration to start scanning your code as soon as possible, or you can further customize the configuration to meet your {% data variables.product.prodname_code_scanning %} needs.
 If you choose to customize the configuration yourself, you can select:{% ifversion code-scanning-without-workflow-310 %}
 - the languages default setup will analyze.{% endif %}
-- the query suite default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites)."
+- the query suite default setup will run. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
-{% ifversion org-enable-code-scanning %}You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale)."{% endif %}
+{% ifversion org-enable-code-scanning %}You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% endif %}
-If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."
+If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
 ### Requirements for using default setup
@@ -49,7 +50,7 @@ For {% data variables.product.product_name %}, before configuring {% data variab
 Enterprise owners, organization and repository administrators can add self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
 {% endif %}
-You can use default setup if your repository includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
+You can use default setup if your repository includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)."
 {% ifversion code-scanning-without-workflow-310 %}
@@ -91,7 +92,7 @@ Compiled languages are not automatically included in default setup configuration
 ![Screenshot of the modal for default setup. A button labeled "Default", with an arrow indicating a dropdown menu, is outlined in dark orange.](/assets/images/help/security/default-setup-query-suite-dropdown.png)
- If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites)."
+ If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)."
 {% note %}
@@ -112,8 +113,8 @@ Compiled languages are not automatically included in default setup configuration
 ## Next steps
-After you configure default setup for {% data variables.product.prodname_code_scanning %}, and your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+After you configure default setup for {% data variables.product.prodname_code_scanning %}, and your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
-You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)."
+You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
 When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)."
\ No newline at end of file
diff --git a/content/code-security/code-scanning/enabling-code-scanning/index.md b/content/code-security/code-scanning/enabling-code-scanning/index.md
new file mode 100644
index 0000000000..0b83ec0fcb
--- /dev/null
+++ b/content/code-security/code-scanning/enabling-code-scanning/index.md
@@ -0,0 +1,15 @@
+---
+title: Enabling code scanning
+shortTitle: Enable code scanning
+intro: 'You can quickly and easily secure your code with default setup for {% data variables.product.prodname_code_scanning %}.'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ feature: 'code-scanning-without-workflow'
+topics:
+ - Advanced Security
+ - Code scanning
+ - CodeQL
+children:
+ - /configuring-default-setup-for-code-scanning
+ - /configuring-default-setup-for-code-scanning-at-scale
+---
diff --git a/content/code-security/code-scanning/index.md b/content/code-security/code-scanning/index.md
index 87173a6084..d0e7829212 100644
--- a/content/code-security/code-scanning/index.md
+++ b/content/code-security/code-scanning/index.md
@@ -17,10 +17,13 @@ topics:
 - Code scanning
 - CodeQL
 children:
- - /automatically-scanning-your-code-for-vulnerabilities-and-errors
+ - /introduction-to-code-scanning
+ - /enabling-code-scanning
+ - /creating-an-advanced-setup-for-code-scanning
+ - /managing-code-scanning-alerts
+ - /managing-your-code-scanning-configuration
 - /integrating-with-code-scanning
 - /using-codeql-code-scanning-with-your-existing-ci-system
 - /troubleshooting-code-scanning
 - /troubleshooting-sarif
 ---
-
diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md b/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md
index 97874aff91..e34555fbd7 100644
--- a/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md
+++ b/content/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning.md
@@ -25,7 +25,7 @@ topics:
 {% data reusables.code-scanning.beta %}
 {% data reusables.code-scanning.enterprise-enable-code-scanning %}
-As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere and then upload the results. Alerts for {% data variables.product.prodname_code_scanning %} that you run externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you run within {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere and then upload the results. Alerts for {% data variables.product.prodname_code_scanning %} that you run externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you run within {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
 If you use a third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data, you can upload this to {% data variables.product.prodname_dotcom %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)."
@@ -37,6 +37,6 @@ You can use {% data variables.product.prodname_code_scanning %} webhooks to buil
 ## Further reading
-- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)"
+- "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)"
 - "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system)"
 - "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)"
diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md b/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md
index fa2ed6aa31..da7c8ce8b4 100644
--- a/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md
+++ b/content/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.md
@@ -31,9 +31,9 @@ SARIF (Static Analysis Results Interchange Format) is an [OASIS Standard](https:
 To upload a SARIF file from a third-party static code analysis engine, you'll need to ensure that uploaded files use the SARIF 2.1.0 version. {% data variables.product.prodname_dotcom %} will parse the SARIF file and show alerts using the results in your repository as a part of the {% data variables.product.prodname_code_scanning %} experience. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)."
 For more information about the SARIF 2.1.0 JSON schema, see [`sarif-schema-2.1.0.json`](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json).
-If you're using {% data variables.product.prodname_actions %} with the {% data variables.code-scanning.codeql_workflow %} or using the {% data variables.product.prodname_codeql_cli %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)."
+If you're using {% data variables.product.prodname_actions %} with the {% data variables.code-scanning.codeql_workflow %} or using the {% data variables.product.prodname_codeql_cli %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)."
-{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
 If you're new to SARIF and want to learn more, see Microsoft's [`SARIF tutorials`](https://github.com/microsoft/sarif-tutorials) repository.
diff --git a/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md b/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md
index 33517e7aa9..05b3a2debb 100644
--- a/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md
+++ b/content/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github.md
@@ -32,7 +32,7 @@ topics:
 ## About SARIF file uploads for {% data variables.product.prodname_code_scanning %}
-{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
 You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)."
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md
similarity index 90%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql.md
rename to content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md
index 2376bc3e20..25b9740c79 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql.md
+++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md
@@ -5,6 +5,7 @@ intro: 'You can use {% data variables.product.prodname_codeql %} to identify vul
 product: '{% data reusables.gated-features.code-scanning %}'
 redirect_from:
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
 versions:
 fpt: '*'
 ghes: '*'
@@ -28,14 +29,14 @@ topics:
 There are three main ways to use {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %}:
-- Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run{% ifversion code-scanning-without-workflow-310 %} and languages to analyze{% endif %}. After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)."
-- Use advanced setup to add the {% data variables.product.prodname_codeql %} workflow to your repository. This generates a customizable workflow file which uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."
+- Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run{% ifversion code-scanning-without-workflow-310 %} and languages to analyze{% endif %}. 
After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
+- Use advanced setup to add the {% data variables.product.prodname_codeql %} workflow to your repository. This generates a customizable workflow file which uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."
 {% else %}
 There are two main ways to use {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %}:
-- Add the {% data variables.product.prodname_codeql %} workflow to your repository. This uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)."
+- Add the {% data variables.product.prodname_codeql %} workflow to your repository. This uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-the-codeql-action)."
 {% endif -%}
@@ -49,7 +50,7 @@ On {% data variables.product.product_name %} {% ifversion ghes %}{{ allVersions[
 {% endif %}
-For information about {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts)."
+For information about {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)."
 ## About {% data variables.product.prodname_codeql %}
@@ -74,7 +75,7 @@ These queries must belong to a published {% data variables.product.prodname_code
 - When a {% data variables.product.prodname_codeql %} query pack (beta) is published to the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}, all the transitive dependencies required by the queries and a compilation cache are included in the package. This improves performance and ensures that running the queries in the pack gives identical results every time until you upgrade to a new version of the pack or the CLI.
 - {% data variables.product.prodname_ql %} packs do not include transitive dependencies, so queries in the pack can depend only on the standard libraries (that is, the libraries referenced by an `import LANGUAGE` statement in your query), or libraries in the same {% data variables.product.prodname_ql %} pack as the query.
-- {% data variables.product.prodname_codeql %} query packs (beta) can be downloaded from multiple GitHub container registries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#downloading-codeql-packs-from-github-enterprise-server)."
+- {% data variables.product.prodname_codeql %} query packs (beta) can be downloaded from multiple GitHub container registries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#downloading-codeql-packs-from-github-enterprise-server)."
 For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs)."
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
similarity index 80%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning.md
rename to content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
index 3b4b92d290..b1efb6726e 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning.md
+++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
@@ -8,6 +8,7 @@ redirect_from:
 - /code-security/secure-coding/about-code-scanning
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
 versions:
 fpt: '*'
 ghes: '*'
@@ -28,15 +29,15 @@ topics:
 You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_caps %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
-If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
 To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[AUTOTITLE](/rest/code-scanning)."
{% ifversion code-scanning-without-workflow %}
-To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)."
+To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."
 {% else %}
-To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."
+To get started with {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
 {% endif %}
 {% ifversion fpt or ghec %}
@@ -52,18 +53,18 @@ You can configure {% data variables.product.prodname_code_scanning %} to use the
 ### About {% data variables.product.prodname_codeql %} analysis
-{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."
+{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)."
 ### About third-party {% data variables.product.prodname_code_scanning %} tools
 {% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %}
-You can run third-party analysis tools within {% data variables.product.product_name %} using actions or within an external CI system. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)" or "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)."
+You can run third-party analysis tools within {% data variables.product.product_name %} using actions or within an external CI system. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)" or "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)."
{% ifversion code-scanning-tool-status-page %}
 ## About the {% data variables.code-scanning.tool_status_page %}
-The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the {% data variables.code-scanning.tool_status_page %} is a good starting point for debugging problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)".
+The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the {% data variables.code-scanning.tool_status_page %} is a good starting point for debugging problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)".
 {% endif %}
diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/index.md b/content/code-security/code-scanning/introduction-to-code-scanning/index.md
new file mode 100644
index 0000000000..562eed1116
--- /dev/null
+++ b/content/code-security/code-scanning/introduction-to-code-scanning/index.md
@@ -0,0 +1,22 @@
+---
+title: Introduction to code scanning
+shortTitle: Introduction
+intro: 'Learn what {% data variables.product.prodname_code_scanning %} is, how it helps you secure your code, and what {% data variables.product.prodname_code_scanning %} tools are available.'
+product: '{% data reusables.gated-features.code-scanning %}'
+redirect_from:
+ - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors
+ - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+ ghae: '*'
+topics:
+ - Advanced Security
+ - Code scanning
+ - CodeQL
+children:
+ - /about-code-scanning
+ - /about-code-scanning-with-codeql
+---
\ No newline at end of file
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts.md b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
similarity index 91%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts.md
rename to content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
index b81840d708..520f0889c8 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
@@ -7,6 +7,8 @@ versions:
 ghes: '*'
 ghae: '*'
 ghec: '*'
+redirect_from:
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts
 type: overview
 topics:
 - Advanced Security
@@ -19,9 +21,9 @@ topics:
 ## About alerts from {% data variables.product.prodname_code_scanning %}
-You can configure {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)" and {% endif %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."
+You can configure {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. 
For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and {% endif %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
-By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)."
+By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
 {% data reusables.code-scanning.audit-code-scanning-events %}
@@ -44,7 +46,7 @@ When {% data variables.product.prodname_code_scanning %} reports data-flow alert
 Alert severity levels may be `Error`, `Warning`, or `Note`.
-If {% data variables.product.prodname_code_scanning %} is enabled as a pull request check, the check will fail if it detects any results with a severity of `error`. You can specify which severity level of code scanning alerts causes a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#defining-the-severities-causing-pull-request-check-failure)."
+If {% data variables.product.prodname_code_scanning %} is enabled as a pull request check, the check will fail if it detects any results with a severity of `error`. You can specify which severity level of code scanning alerts causes a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#defining-the-severities-causing-pull-request-check-failure)."
 ### About security severity levels
@@ -52,7 +54,7 @@ If {% data variables.product.prodname_code_scanning %} is enabled as a pull requ
 To calculate the security severity of an alert, we use Common Vulnerability Scoring System (CVSS) data. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities, and is commonly used by other security products to score alerts. For more information about how severity levels are calculated, see [this blog post](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/).
-By default, any {% data variables.product.prodname_code_scanning %} results with a security severity of `Critical` or `High` will cause a check failure. You can specify which security severity level for {% data variables.product.prodname_code_scanning %} results should cause a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#defining-the-severities-causing-pull-request-check-failure)."
+By default, any {% data variables.product.prodname_code_scanning %} results with a security severity of `Critical` or `High` will cause a check failure. You can specify which security severity level for {% data variables.product.prodname_code_scanning %} results should cause a check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#defining-the-severities-causing-pull-request-check-failure)."
 ### About {% ifversion remove-code-scanning-configurations %}alerts from multiple configurations{% else %}analysis origins{% endif %}
@@ -61,7 +63,7 @@ You can run multiple configurations of code analysis on a repository, using diff
 If you use multiple configurations to analyze a file, any problems detected by the same query are reported as alerts generated by multiple configurations. If an alert exists in more than one configuration, the number of configurations appears next to the branch name in the "Affected branches" section on the right-hand side of the alert page. To view the configurations for an alert, in the "Affected branches" section, click a branch. A "Configurations analyzing" modal appears with the names of each configuration generating the alert for that branch. Below each configuration, you can see when that configuration's alert was last updated.
-An alert may display different statuses from different configurations. To update the alert statuses, re-run each out-of-date configuration. Alternatively, you can delete stale configurations from a branch to remove outdated alerts. For more information on deleting stale configurations and alerts, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
+An alert may display different statuses from different configurations. To update the alert statuses, re-run each out-of-date configuration. Alternatively, you can delete stale configurations from a branch to remove outdated alerts. For more information on deleting stale configurations and alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
 {% else %}
 You can run multiple configurations of code analysis on a repository, using different tools and targeting different languages or areas of the code.
Each configuration of {% data variables.product.prodname_code_scanning %} is the analysis origin for all the alerts it generates. For example, an alert generated using the default {% data variables.product.prodname_codeql %} analysis with {% data variables.product.prodname_actions %} will have a different analysis origin from an alert generated externally and uploaded via the {% data variables.product.prodname_code_scanning %} API.
@@ -132,7 +134,7 @@ When you update your workflow to run an additional query suite this will increas
 queries: security-extended
 ```
-For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)."
+For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)."
 ## Disabling experimental alerts
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/index.md b/content/code-security/code-scanning/managing-code-scanning-alerts/index.md
new file mode 100644
index 0000000000..d59260a4e0
--- /dev/null
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/index.md
@@ -0,0 +1,20 @@
+---
+title: Managing code scanning alerts
+shortTitle: Manage alerts
+intro: 'Learn how to triage, track, and resolve {% data variables.product.prodname_code_scanning %} alerts.'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+ ghae: '*'
+topics:
+ - Advanced Security
+ - Code scanning
+ - CodeQL
+children:
+ - /about-code-scanning-alerts
+ - /managing-code-scanning-alerts-for-your-repository
+ - /triaging-code-scanning-alerts-in-pull-requests
+ - /tracking-code-scanning-alerts-in-issues-using-task-lists
+---
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md b/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
similarity index 90%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md
rename to content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
index b87c72733d..b6a2a7624d 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
@@ -16,6 +16,7 @@ redirect_from:
 - /code-security/secure-coding/managing-code-scanning-alerts-for-your-repository
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
 type: how_to
 topics:
 - Advanced Security
@@ -28,7 +29,7 @@ topics:
 ## Viewing the alerts for a repository
-Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)."
+Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
 You need write permission to view a summary of all the alerts for a repository on the **Security** tab.
@@ -45,13 +46,13 @@ By default, the code scanning alerts page is filtered to show alerts for the def
 1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
-For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts)."
+For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)."
 {% note %}
 {% ifversion code-scanning-tool-status-page %}
-**Note:** You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)."
+**Note:** You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
 {% else %}
@@ -77,13 +78,13 @@ If you enter multiple filters, the view will show alerts matching _all_ these fi
 {% ifversion fpt or ghes or ghec %}
-You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag{% ifversion codeql-ml-queries %} and `-tag:experimental` will omit all experimental alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)."{% else %}.{% endif %}
+You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag{% ifversion codeql-ml-queries %} and `-tag:experimental` will omit all experimental alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-experimental-alerts)."{% else %}.{% endif %}
 {% endif %}
 ### Restricting results to application code only
-You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. For more information about the types of code that are automatically labeled as not application code, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-labels-for-alerts-that-are-not-found-in-application-code)."
+You can use the "Only alerts in application code" filter or `autofilter:true` keyword and value to restrict results to alerts in application code. For more information about the types of code that are automatically labeled as not application code, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-labels-for-alerts-that-are-not-found-in-application-code)."
 {% ifversion fpt or ghes or ghec %}
@@ -130,7 +131,7 @@ You can search the list of alerts. This is useful if there is a large number of
 ## Fixing an alert
-Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)."
+Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
 If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking **Closed**. For more information, see "[Viewing the alerts for a repository](#viewing-the-alerts-for-a-repository)." The "Closed" list shows fixed alerts and alerts that users have dismissed.
@@ -148,7 +149,7 @@ Alerts may be fixed in one branch but not in another. You can use the "Branch" f
 {%- ifversion remove-code-scanning-configurations %}
 If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, the same alert will sometimes be generated by more than one configuration. Unless you run all configurations regularly, you may see alerts that are fixed in one configuration but not in another. These stale configurations and alerts can be removed from a branch. For more information, see "[Removing stale configurations and alerts from a branch](#removing-stale-configurations-and-alerts-from-a-branch)."
 {% else %}
-If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, then sometimes an alert will have multiple analysis origins. Unless you run all configurations regularly, you may see alerts that are fixed in one analysis origin but not in another. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-analysis-origins)."
+If you run {% data variables.product.prodname_code_scanning %} using multiple configurations, then sometimes an alert will have multiple analysis origins. Unless you run all configurations regularly, you may see alerts that are fixed in one analysis origin but not in another. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-analysis-origins)."
 {% endif %}
 {% endnote %}
@@ -203,7 +204,7 @@ If a project has multiple alerts that you want to dismiss for the same reason, y
 ## Removing stale configurations and alerts from a branch
-You may have multiple code scanning configurations on a single repository. When run, multiple configurations can generate the same alert. Additionally, if the configurations are run on different schedules, the alert statuses may become out-of-date for infrequent or stale configurations. For more information on alerts from multiple configurations, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alerts-from-multiple-configurations)."
+You may have multiple code scanning configurations on a single repository. When run, multiple configurations can generate the same alert. Additionally, if the configurations are run on different schedules, the alert statuses may become out-of-date for infrequent or stale configurations. For more information on alerts from multiple configurations, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alerts-from-multiple-configurations)."
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
@@ -236,7 +237,7 @@ You may have multiple code scanning configurations on a single repository. When
 ## Further reading
-- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)"{% ifversion code-scanning-without-workflow %}
-- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)"{% else %}
-- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)"{% endif %}
+- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)"{% ifversion code-scanning-without-workflow %}
+- "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)"{% else %}
+- "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)"{% endif %}
 - "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning)"
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md b/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md
similarity index 73%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md
rename to content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md
index c8af6b5c9c..22fa085c4f 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists.md
@@ -6,6 +6,8 @@ product: '{% data reusables.gated-features.code-scanning %}'
 permissions: 'If you have write permission to a repository you can track {% data variables.product.prodname_code_scanning %} alerts in issues using task lists.'
 versions:
 feature: code-scanning-task-lists
+redirect_from:
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists
 type: how_to
 topics:
 - Advanced Security
@@ -21,18 +23,15 @@ topics:
 {% data reusables.code-scanning.github-issues-integration %}
-You can also create a new issue to track an alert:
-- From a {% data variables.product.prodname_code_scanning %} alert, which automatically adds the code scanning alert to a task list in the new issue. For more information, see "[Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert)" below.
-
-- Via the API as you normally would, and then provide the code scanning link within the body of the issue. You must use the task list syntax to create the tracked relationship:
- `- [ ] `
- For example, if you add `- [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17` to an issue, the issue will track the code scanning alert that has an ID number of 17 in the **Security** tab of the `octocat-repo` repository in the `octocat-org` organization.
+You can also quickly create a new issue to track an alert:
+- From a {% data variables.product.prodname_code_scanning %} alert. For more information, see "[Creating a tracking issue from a {% data variables.product.prodname_code_scanning %} alert](#creating-a-tracking-issue-from-a-code-scanning-alert)."
+- From the API. For more information, see "[Creating a tracking issue from the API](#creating-a-tracking-issue-from-the-api)."
 You can use more than one issue to track the same {% data variables.product.prodname_code_scanning %} alert, and issues can belong to different repositories from the repository where the {% data variables.product.prodname_code_scanning %} alert was found.
 {% data variables.product.product_name %} provides visual cues in different locations of the user interface to indicate when you are tracking {% data variables.product.prodname_code_scanning %} alerts in issues.
-- The code scanning alerts list page will show which alerts are tracked in issues so that you can view at a glance which alerts still require processing and how any issues they are tracked in.
+- The code scanning alerts list page will show which alerts are tracked in issues so that you can view at a glance which alerts still require processing and how many issues they are tracked in.
 ![Screenshot of the {% data variables.product.prodname_code_scanning %} alerts view. The first entry includes the issue icon followed by the number 2. The third entry includes the issue icon followed by the number 1. Both are outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-list-tracked-issues.png)
@@ -41,26 +40,30 @@ You can use more than one issue to track the same {% data variables.product.prod
 ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. Under the alert title, "Tracked by #1, #2" is outlined in dark orange.](/assets/images/help/repository/code-scanning-alert-tracked-in-pill.png)
 - On the tracking issue, {% data variables.product.prodname_dotcom %} displays a security badge icon in the task list and on the hovercard.
-
+
 {% note %}
 Only users with write permissions to the repository will see the unfurled URL to the alert in the issue, as well as the hovercard. For users with read permissions to the repository, or no permissions at all, the alert will appear as a plain URL.
 {% endnote %}
-
+
 The color of the icon is grey because an alert has a status of "open" or "closed" on every branch. The issue tracks an alert, so the alert cannot have a single open/closed state in the issue. If the alert is closed on one branch, the icon color will not change.
 ![Screenshot showing an issue that tracks a {% data variables.product.prodname_code_scanning %} alert. The hovercard for the alert is displayed, with a grey security badge icon preceding the title.](/assets/images/help/repository/code-scanning-tracking-issue-hovercard.png)
 The status of the tracked alert won't change if you change the checkbox state of the corresponding task list item (checked/unchecked) in the issue.
-## Creating a tracking issue from a code scanning alert
+## Creating a tracking issue
+
+Instead of tracking a {% data variables.product.prodname_code_scanning %} alert in an existing issue, you can create a new issue to track an alert directly. You can create tracking issues for {% data variables.product.prodname_code_scanning %} alerts from the alert itself, or from the API.
+
+### Creating a tracking issue from a code scanning alert
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.sidebar-code-scanning-alerts %}
 {% data reusables.code-scanning.explore-alert %}
-1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts)."
+1. Optionally, to find the alert to track, you can use the free-text search or the drop-down menus to filter and locate the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#filtering-code-scanning-alerts)."
 1. Towards the top of the page, on the right side, click **Create issue**.
 ![Screenshot of a {% data variables.product.prodname_code_scanning %} alert. The "Create issue" button is outlined in dark orange.](/assets/images/help/repository/code-scanning-create-issue-for-alert.png)
@@ -76,3 +79,10 @@ The status of the tracked alert won't change if you change the checkbox state of
 {% endwarning %}
 1. Click **Submit new issue**.
+
+### Creating a tracking issue from the API
+
+1. Begin creating an issue through the API. For more information, see "[Create an issue](/rest/issues/issues#create-an-issue)."
+1. Provide the code scanning link within the body of the issue. You must use the following task list syntax to create the tracked relationship: `- [ ] `.
+
+ For example, if you add `- [ ] https://github.com/octocat-org/octocat-repo/security/code-scanning/17` to an issue, the issue will track the code scanning alert that has an ID number of 17 in the **Security** tab of the `octocat-repo` repository in the `octocat-org` organization.
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md
similarity index 90%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md
rename to content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md
index 2c8cc05012..ece24b8cf0 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md
@@ -9,6 +9,7 @@ redirect_from:
 - /code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests
 - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests
 versions:
 fpt: '*'
 ghes: '*'
@@ -34,9 +35,9 @@ In repositories where {% data variables.product.prodname_code_scanning %} is con
 - The **Conversation** tab of the pull request, as part of a pull request review
 {% endif %}
 - The **Files changed** tab of the pull request
-If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
-In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#scanning-on-push)."
+In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push)."
If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then the "{% data variables.product.prodname_code_scanning_caps %} results" check must pass before you can merge the pull request. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging)." 
@@ -48,7 +49,7 @@ There are many options for configuring {% data variables.product.prodname_code_s
 For all configurations of {% data variables.product.prodname_code_scanning %}, the check that contains the results of {% data variables.product.prodname_code_scanning %} is: **{% data variables.product.prodname_code_scanning_caps %} results**. The results for each analysis tool used are shown separately. {% ifversion code-scanning-alerts-in-pr-diff %}Any new alerts on lines of code changed in the pull request are shown as annotations{% else %}Any new alerts caused by changes in the pull request are shown as annotations{% endif %}.
-To see the full set of alerts for the analyzed branch, click **View all branch alerts**. This opens the full alert view where you can filter all the alerts on the branch by type, severity, tag, etc. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#filtering-and-searching-for-code-scanning-alerts)."
+To see the full set of alerts for the analyzed branch, click **View all branch alerts**. This opens the full alert view where you can filter all the alerts on the branch by type, severity, tag, etc. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#filtering-and-searching-for-code-scanning-alerts)."
 {% ifversion fpt or ghec or ghes > 3.9 %}
 ![Screenshot of the {% data variables.product.prodname_code_scanning_caps %} results check on a pull request. The "View all branch alerts" link is highlighted with a dark orange outline.](/assets/images/help/repository/code-scanning-results-check.png)
@@ -62,7 +63,7 @@ If the {% data variables.product.prodname_code_scanning %} results check finds a
 ![Screenshot of the merge box for a pull request. Next to the "Code scanning results / CodeQL" check is "1 new alert including 1 high severity security v..."](/assets/images/help/repository/code-scanning-check-failure.png)
-You can override the default behavior in your repository settings, by specifying the level of severities and security severities that will cause a pull request check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#defining-the-severities-causing-pull-request-check-failure)".
+You can override the default behavior in your repository settings, by specifying the level of severities and security severities that will cause a pull request check failure. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#defining-the-severities-causing-pull-request-check-failure)".
 ### Other {% data variables.product.prodname_code_scanning %} checks
@@ -70,7 +71,7 @@ Depending on your configuration, you may see additional checks running on pull r
 For example, if the repository uses the {% data variables.code-scanning.codeql_workflow %} a **{% data variables.product.prodname_codeql %} / Analyze (LANGUAGE)** check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis needs to compile (for example, C/C++, C#, or Java).
-As with other pull request checks, you can see full details of the check failure on the **Checks** tab. For more information about configuring and troubleshooting, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)."
+As with other pull request checks, you can see full details of the check failure on the **Checks** tab. For more information about configuring and troubleshooting, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" or "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning)."
 ## Viewing an alert on your pull request
@@ -87,7 +88,7 @@ You can see any {% data variables.product.prodname_code_scanning %} alerts intro ![Screenshot showing an alert annotation within a pull request diff.](/assets/images/help/repository/code-scanning-pr-annotation.png) {% endif %} -{% ifversion code-scanning-alerts-in-pr-diff %}If you add a new code scanning configuration in your pull request, you will see a comment on your pull request directing you to the **Security** tab of the repository so you can view all the alerts on the pull request branch. For more information about viewing the alerts for a repository, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."{% endif %} +{% ifversion code-scanning-alerts-in-pr-diff %}If you add a new code scanning configuration in your pull request, you will see a comment on your pull request directing you to the **Security** tab of the repository so you can view all the alerts on the pull request branch. For more information about viewing the alerts for a repository, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."{% endif %} If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from {% data variables.product.prodname_codeql %} analysis, you can click **user-provided value** to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking **Show paths**. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. 
For information about analyzing data flow using {% data variables.product.prodname_codeql %}, see "[About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)." @@ -124,4 +125,4 @@ An alternative way of closing an alert is to dismiss it. You can dismiss an aler {% data reusables.code-scanning.false-positive-fix-codeql %} -For more information about dismissing alerts, see {% ifversion delete-code-scanning-alerts %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#dismissing-or-deleting-alerts)."{% else %} "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#dismissing--alerts)."{% endif %} +For more information about dismissing alerts, see {% ifversion delete-code-scanning-alerts %}"[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#dismissing-or-deleting-alerts)."{% else %} "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#dismissing--alerts)."{% endif %} diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md similarity index 92% rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page.md rename to content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md index 702c9bfc92..cd0d847eab 100644 --- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page.md 
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page.md
@@ -6,6 +6,8 @@ intro: The {% data variables.code-scanning.tool_status_page %} shows useful info
 product: '{% data reusables.gated-features.code-scanning %}'
 versions:
 feature: code-scanning-tool-status-page
+redirect_from:
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page
 type: overview
 topics:
 - Advanced Security
@@ -61,9 +63,9 @@ This view will also show error messages. For more information, see "[Debugging u ### How {% data variables.product.prodname_codeql %} defines scanned files -A file is reported as scanned by {% data variables.product.prodname_codeql %} if some of the lines of code in that file were processed. If you're using a standard configuration of the {% data variables.product.prodname_codeql %} action, the scanned files shown in the {% data variables.code-scanning.tool_status_page %} will include source code files for all languages that {% data variables.product.prodname_codeql %} can analyze. If you use advanced setup, you can optionally define which files for interpreted languages should be scanned using the `paths` and `paths-ignore` configuration properties. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)." +A file is reported as scanned by {% data variables.product.prodname_codeql %} if some of the lines of code in that file were processed. If you're using a standard configuration of the {% data variables.product.prodname_codeql %} action, the scanned files shown in the {% data variables.code-scanning.tool_status_page %} will include source code files for all languages that {% data variables.product.prodname_codeql %} can analyze. If you use advanced setup, you can optionally define which files for interpreted languages should be scanned using the `paths` and `paths-ignore` configuration properties. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)." 
-For compiled languages, the {% data variables.code-scanning.tool_status_page %} reports files that were present before running autobuild or any manual build steps. This means that files generated during the build process are not shown in the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql)." +For compiled languages, the {% data variables.code-scanning.tool_status_page %} reports files that were present before running autobuild or any manual build steps. This means that files generated during the build process are not shown in the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-autobuild-for-codeql)." The tool status page will calculate the percentage of files that were scanned by {% data variables.product.prodname_codeql %} for each language supported by {% data variables.product.prodname_codeql %}. This percentage respects any files excluded by the `paths` and `paths-ignore` configuration properties. 
@@ -97,7 +99,7 @@ To remove a configuration, select the configuration you want to delete. Then cli
 {% note %}
-**Note:** You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
+**Note:** You can only use the {% data variables.code-scanning.tool_status_page %} to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
 {% endnote %}
@@ -109,7 +111,7 @@ For integrated tools such as {% data variables.product.prodname_codeql %}, you c - If the language has a high scanned percentage, this shows that code scanning is scanning that language as expected. - If the language has a low scanned percentage, you may wish to investigate diagnostic output produced by {% data variables.product.prodname_codeql %} for that language: for more information see "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected)." -- If the language has a scanned percentage of zero, you may have source code in your repository written in languages supported by {% data variables.product.prodname_codeql %} but not currently being analyzed with {% data variables.product.prodname_codeql %}. In this case, you may wish to update your setup to start analyzing these additional languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#changing-the-languages-that-are-analyzed)." +- If the language has a scanned percentage of zero, you may have source code in your repository written in languages supported by {% data variables.product.prodname_codeql %} but not currently being analyzed with {% data variables.product.prodname_codeql %}. In this case, you may wish to update your setup to start analyzing these additional languages. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed)." {% note %} 
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md
similarity index 74%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites.md
rename to content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md
index f8e83e7024..6ad7a92060 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites.md
@@ -5,6 +5,8 @@ intro: 'You can choose from different built-in {% data variables.product.prodnam
 product: '{% data reusables.gated-features.code-scanning %}'
 versions:
 feature: code-scanning-without-workflow
+redirect_from:
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites
 type: reference
 topics:
 - Code scanning
@@ -18,13 +20,13 @@ With {% data variables.product.prodname_codeql %} {% data variables.product.prod - the `default` query suite. - the `security-extended` query suite. This suite is referred to as the "Extended" query suite on {% data variables.product.prodname_dotcom %}. -Currently, both the `default` query suite and the `security-extended` query suite are available for default setup for {% data variables.product.prodname_code_scanning %}. {% ifversion bulk-code-scanning-query-suite %}Additionally, organization owners and security managers can recommend a query suite for use with default setup throughout their organization. For more information on configuring default setup for individual repositories, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)." For more information on configuring default setup at scale and recommending a query suite, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale)."{% else %}For more information on default setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale)."{% endif %} +Currently, both the `default` query suite and the `security-extended` query suite are available for default setup for {% data variables.product.prodname_code_scanning %}. {% ifversion bulk-code-scanning-query-suite %}Additionally, organization owners and security managers can recommend a query suite for use with default setup throughout their organization. 
For more information on configuring default setup for individual repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." For more information on configuring default setup at scale and recommending a query suite, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% else %}For more information on default setup, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale)."{% endif %} -To use a custom query suite, you must configure advanced setup for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information on advanced setups and creating a query suite, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." +To use a custom query suite, you must configure advanced setup for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information on advanced setups and creating a query suite, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)" and "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." 
## Built-in {% data variables.product.prodname_codeql %} query suites -The built-in {% data variables.product.prodname_codeql %} query suites, `default` and `security-extended`, are created and maintained by {% data variables.product.prodname_dotcom %}. Both of these query suites are available for every {% data variables.product.prodname_codeql %}-supported language. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)." +The built-in {% data variables.product.prodname_codeql %} query suites, `default` and `security-extended`, are created and maintained by {% data variables.product.prodname_dotcom %}. Both of these query suites are available for every {% data variables.product.prodname_codeql %}-supported language. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql)." ### `default` query suite diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md new file mode 100644 index 0000000000..273e50e6f6 --- /dev/null +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md 
@@ -0,0 +1,43 @@ +--- +title: Editing your configuration of default setup +shortTitle: Edit default setup +intro: 'You can edit your existing configuration of default setup for {% data variables.product.prodname_code_scanning %} to better meet your code security needs.' +product: '{% data reusables.gated-features.code-scanning %}' +versions: + feature: code-scanning-without-workflow +type: how_to +topics: + - Code scanning + - CodeQL +--- + +## About editing your configuration of default setup + +After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit{% ifversion code-scanning-without-workflow-310 %}: +- which languages default setup will analyze. +- {% endif %} the query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/built-in-codeql-query-suites)." + +If you need to change any other aspects of your {% data variables.product.prodname_code_scanning %} configuration, consider configuring advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." + +{% ifversion code-scanning-without-workflow-310 %} +## Customizing your existing configuration of default setup + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.user-settings.security-analysis %} +1. In the "{% data variables.product.prodname_codeql %} analysis" row of the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} **View {% data variables.product.prodname_codeql %} configuration**. +1. 
In the "{% data variables.product.prodname_codeql %} default configuration" window, click {% octicon "pencil" aria-hidden="true" %} **Edit**. +1. Optionally, in the "Languages" section, select or deselect languages for analysis. +1. Optionally, in the "Query suites" section, select a different query suite to run against your code. +1. To update your configuration, as well as run an initial analysis of your code with the new configuration, click **Save changes**. All future analyses will use your new configuration. + +{% else %} +## Changing the selected query suite for your configuration of default setup + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.user-settings.security-analysis %} +1. In the "{% data variables.product.prodname_codeql %} analysis" row of the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} **View {% data variables.product.prodname_codeql %} configuration**. +1. In the "Query suites" row of the "{% data variables.product.prodname_codeql %} default configuration" window, select **QUERY SUITE** {% octicon "triangle-down" aria-hidden="true" %}, then click the new query suite for your {% data variables.product.prodname_code_scanning %} configuration to run. +1. To update your configuration of default setup, click **Enable {% data variables.product.prodname_codeql %}**. +{% endif %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md new file mode 100644 index 0000000000..28eaa06949 --- /dev/null +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md 
@@ -0,0 +1,20 @@
+---
+title: Managing your code scanning configuration
+shortTitle: Manage code scanning
+intro: 'You can manage your existing {% data variables.product.prodname_code_scanning %} configuration with the help of metrics and logging outputs generated by your analysis.'
+product: '{% data reusables.gated-features.code-scanning %}'
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '*'
+ ghae: '*'
+topics:
+ - Advanced Security
+ - Code scanning
+ - CodeQL
+children:
+ - /about-the-tool-status-page
+ - /editing-your-configuration-of-default-setup
+ - /built-in-codeql-query-suites
+ - /viewing-code-scanning-logs
+---
diff --git a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md
similarity index 86%
rename from content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs.md
rename to content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md
index 12edfdc45e..acc37ec721 100644
--- a/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs.md
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs.md
@@ -5,6 +5,7 @@ product: '{% data reusables.gated-features.code-scanning %}'
 permissions: 'If you have write permissions to a repository, you can view the {% data variables.product.prodname_code_scanning %} logs for that repository.'
 redirect_from:
 - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
+ - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
 versions:
 fpt: '*'
 ghes: '*'
@@ -20,15 +21,15 @@ shortTitle: View code scanning logs ## About your {% data variables.product.prodname_code_scanning %} configuration -You can use a variety of tools to configure {% data variables.product.prodname_code_scanning %} in your repository. For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)" and {% endif %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." +You can use a variety of tools to configure {% data variables.product.prodname_code_scanning %} in your repository. For more information, see {% ifversion code-scanning-without-workflow %}"[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and {% endif %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." -The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +The log and diagnostic information available to you depends on the method you use for {% data variables.product.prodname_code_scanning %} in your repository. 
You can check the type of {% data variables.product.prodname_code_scanning %} you're using in the **Security** tab of your repository, by using the **Tool** drop-down menu in the alert list. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." ## About analysis and diagnostic information You can see analysis and diagnostic information for {% data variables.product.prodname_code_scanning %} run using {% data variables.product.prodname_codeql %} analysis on {% data variables.product.prodname_dotcom %}. -Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." +Analysis information is shown for the most recent analysis in a header at the top of the list of alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)." Diagnostic information is displayed in the Action workflow logs and consists of summary metrics and extractor diagnostics. For information about accessing {% data variables.product.prodname_code_scanning %} logs on {% data variables.product.prodname_dotcom %}, see "[Viewing the logging output from {% data variables.product.prodname_code_scanning %}](#viewing-the-logging-output-from-code-scanning)" below. 
@@ -80,4 +81,4 @@ After configuring {% data variables.product.prodname_code_scanning %} for your r
 1. Optionally, to see more detail about the commit that triggered the workflow run, click the short commit hash. The short commit hash is 7 lowercase characters immediately following the commit author's username.
-1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
+1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail.md b/content/code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail.md
index 10c3e2a4b2..86b70c151a 100644
--- a/content/code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail.md
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/a-particular-language-is-causing-default-setup-to-fail.md
@@ -14,6 +14,6 @@ To enable default setup when a language previously failed, you must reconfigure 1. In the "Security" section of the sidebar, click {% octicon "codescan" aria-hidden="true" %} **Code security and analysis**. 1. Navigate to the "{% data variables.product.prodname_code_scanning_caps %}" section. Then, in the error message reading "{% data variables.product.prodname_codeql %} default configuration **failed**", click **failed**. 1. In the "Jobs" section of the workflow run summary for default setup, identify any failing jobs associated with specific languages. These jobs will be labeled {% octicon "x-circle-fill" aria-label="failed" %} **Analyze (LANGUAGE)**. -1. Once you have determined which language-specific jobs are failing, configure default setup once more and deselect the failing languages for analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)." +1. Once you have determined which language-specific jobs are failing, configure default setup once more and deselect the failing languages for analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." - Alternatively, if you would like to analyze every language in your repository, you can configure advanced setup for {% data variables.product.prodname_code_scanning %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." \ No newline at end of file + Alternatively, if you would like to analyze every language in your repository, you can configure advanced setup for {% data variables.product.prodname_code_scanning %}. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."
\ No newline at end of file
diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed-for-a-compiled-language.md b/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed-for-a-compiled-language.md
index be23bb206b..8f94c3baf0 100644
--- a/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed-for-a-compiled-language.md
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed-for-a-compiled-language.md
@@ -14,7 +14,7 @@ versions:
 {% data reusables.code-scanning.beta %}
 {% data reusables.code-scanning.codeql-action-version-ghes %}
-If an automatic build of code for a compiled language within your project fails, try removing the `autobuild` step from your {% data variables.product.prodname_code_scanning %} workflow and adding specific build steps. For more information about replacing the `autobuild` step, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
+If an automatic build of code for a compiled language within your project fails, try removing the `autobuild` step from your {% data variables.product.prodname_code_scanning %} workflow and adding specific build steps. For more information about replacing the `autobuild` step, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
 If your workflow doesn't explicitly specify the languages to analyze, {% data variables.product.prodname_codeql %} implicitly detects the supported languages in your code base. In this configuration, out of the compiled languages {% data variables.code-scanning.compiled_languages %}, {% data variables.product.prodname_codeql %} only analyzes the language with the most source files. Edit the workflow and add a matrix specifying the languages you want to analyze. The default {% data variables.product.prodname_codeql %} analysis workflow uses such a matrix.
@@ -40,4 +40,4 @@ If your workflow doesn't explicitly specify the languages to analyze, {% data va
 languages: {% raw %}${{ matrix.language }}{% endraw %}
 ```
- For more information about editing the workflow, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning)."
\ No newline at end of file
+ For more information about editing the workflow, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
\ No newline at end of file
diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/build-is-taking-too-long.md b/content/code-security/code-scanning/troubleshooting-code-scanning/build-is-taking-too-long.md
index 5b274a2756..a1ccaf825d 100644
--- a/content/code-security/code-scanning/troubleshooting-code-scanning/build-is-taking-too-long.md
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/build-is-taking-too-long.md
@@ -40,11 +40,11 @@ If your analysis is still too slow to be run during `push` or `pull_request` eve By default, there are three main query suites available for each language. If you have optimized the {% data variables.product.prodname_codeql %} database build and the process is still too long, you could reduce the number of queries you run. The default query suite is run automatically; it contains the fastest security queries with the lowest rates of false positive results. -You may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the `queries` element. You can experiment with disabling the additional query suite or queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)." +You may be running extra queries or query suites in addition to the default queries. Check whether the workflow defines an additional query suite or additional queries to run using the `queries` element. You can experiment with disabling the additional query suite or queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." {% ifversion codeql-ml-queries %} {% note %} -**Note:** If you run the `security-extended` or `security-and-quality` query suite for JavaScript, then some queries use experimental technology. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)." +**Note:** If you run the `security-extended` or `security-and-quality` query suite for JavaScript, then some queries use experimental technology. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-experimental-alerts)." {% endnote %} {% endif %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected.md b/content/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected.md index 557d759163..0797a63141 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/codeql-scanned-fewer-lines-than-expected.md @@ -26,7 +26,7 @@ If your {% data variables.product.prodname_codeql %} analysis scans fewer lines ## Replace the `autobuild` step Replace the `autobuild` step with the same build commands you would use in production. This makes sure that {% data variables.product.prodname_codeql %} knows exactly how to compile all of the source files you want to scan. -For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." +For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." ## Inspect the copy of the source files in the {% data variables.product.prodname_codeql %} database diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md b/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md index 3c272364cf..78301d787e 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md 
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/enabling-default-setup-takes-too-long.md @@ -11,4 +11,4 @@ versions: If enabling your default setup is taking too long, try canceling the workflow run and restarting the configuration process. -To restart your configuration, navigate to the main page of your repository, then click {% octicon "play" aria-hidden="true" %} **Actions**. Click the **{% data variables.product.prodname_codeql %}** workflow run that's in progress, then click **Cancel workflow**. Once {% octicon "stop" aria-label="cancelled" %} appears beside the workflow run name, navigate back to the **Code security and analysis** settings and re-enable default setup. If default setup continues to stall, please contact {% data variables.contact.contact_support %} or try enabling advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." \ No newline at end of file +To restart your configuration, navigate to the main page of your repository, then click {% octicon "play" aria-hidden="true" %} **Actions**. Click the **{% data variables.product.prodname_codeql %}** workflow run that's in progress, then click **Cancel workflow**. Once {% octicon "stop" aria-label="cancelled" %} appears beside the workflow run name, navigate back to the **Code security and analysis** settings and re-enable default setup. If default setup continues to stall, please contact {% data variables.contact.contact_support %} or try enabling advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." \ No newline at end of file 
diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md
index 2ee43172f4..e4c792fbfd 100644
--- a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md
@@ -17,7 +17,7 @@ versions: If your workflow fails with `Error: "No source code was seen during the build"` or `The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32`, this indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code. There are six possible reasons for this: -1. The repository may not contain source code that is written in languages supported by {% data variables.product.prodname_codeql %}. Check the list of supported languages and, if this is the case, remove the {% data variables.product.prodname_codeql %} workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql) +1. The repository may not contain source code that is written in languages supported by {% data variables.product.prodname_codeql %}. Check the list of supported languages and, if this is the case, remove the {% data variables.product.prodname_codeql %} workflow. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql) 1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the `language` matrix. For example, the following configuration will analyze only Go, and JavaScript. 
@@ -32,7 +32,7 @@ If your workflow fails with `Error: "No source code was seen during the build"` For more information, see the workflow extract in "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed-for-a-compiled-language)". -1. Your {% data variables.product.prodname_code_scanning %} workflow is analyzing a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java), but the code was not compiled. By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about specifying build steps, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." +1. Your {% data variables.product.prodname_code_scanning %} workflow is analyzing a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java), but the code was not compiled. By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about specifying build steps, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." 1. 
Your workflow is analyzing a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java), but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis. 
@@ -40,10 +40,10 @@ If your workflow fails with `Error: "No source code was seen during the build"` 1. Your compiled code (in C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java) was compiled successfully, but {% data variables.product.prodname_codeql %} was unable to detect the compiler invocations. The most common causes are: - - Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container)." + - Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container)." - Building using a distributed build system external to GitHub Actions, using a daemon process. - {% data variables.product.prodname_codeql %} isn't aware of the specific compiler you are using. If you encounter another problem with your specific compiler or configuration, contact {% data variables.contact.contact_support %}. -For more information about specifying build steps, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." \ No newline at end of file +For more information about specifying build steps, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." \ No newline at end of file diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md b/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md index 25bd1d22f8..c46f3b0ba1 100644 
--- a/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/out-of-disk-or-memory.md
@@ -18,12 +18,12 @@ versions: {% ifversion ghes %} On very large projects, you may see `Error: "Out of disk"` or `Error: "Out of memory"` on self-hosted runners when running {% data variables.product.prodname_codeql %}. In this case, you may need to increase the memory or disk space available on your runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." -You can also review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql)." +You can also review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." {% else %} ## Use self-hosted runners -Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.company_short %}-hosted runners can provide. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." You can review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/recommended-hardware-resources-for-running-codeql)." 
+Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.company_short %}-hosted runners can provide. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)." You can review the recommended hardware resources for running {% data variables.product.prodname_codeql %} to make sure your self-hosted runners meet those requirements. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/recommended-hardware-resources-for-running-codeql)." {% ifversion actions-hosted-runners %} ## Use larger runners diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected.md b/content/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected.md index f903234120..e576ce5cbb 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/results-are-different-than-expected.md 
@@ -14,7 +14,7 @@ If your {% data variables.product.prodname_code_scanning %} results are differen To check if default setup is enabled, navigate to the main page of the repository, then click {% octicon "gear" aria-hidden="true" %} **Settings**. In the "Security" section of the sidebar, click {% octicon "codescan" aria-hidden="true" %} **Code security and analysis**. In the "{% data variables.product.prodname_code_scanning_caps %}" section of the page, next to "{% data variables.product.prodname_codeql %} analysis", click {% octicon "kebab-horizontal" aria-label="Menu" %}. If there is a {% octicon "workflow" aria-hidden="true" %} **Switch to advanced** option, you are currently using default setup. -If you want to return to using advanced setup and get {% data variables.product.prodname_code_scanning %} results from your custom workflow file, click {% octicon "stop" aria-hidden="true" %} **Disable {% data variables.product.prodname_codeql %}** to disable default setup. Then you should re-enable your pre-existing workflows to start triggering and uploading results from advanced setup. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." +If you want to return to using advanced setup and get {% data variables.product.prodname_code_scanning %} results from your custom workflow file, click {% octicon "stop" aria-hidden="true" %} **Disable {% data variables.product.prodname_codeql %}** to disable default setup. Then you should re-enable your pre-existing workflows to start triggering and uploading results from advanced setup. 
For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/disabling-and-enabling-a-workflow)" and "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." {% ifversion remove-code-scanning-configurations %} {% data reusables.code-scanning.troubleshooting-multiple-configurations %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/results-differ-between-platforms.md b/content/code-security/code-scanning/troubleshooting-code-scanning/results-differ-between-platforms.md index b31b096b63..6a5c085218 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/results-differ-between-platforms.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/results-differ-between-platforms.md 
@@ -12,4 +12,4 @@ versions: If you are analyzing code written in Python, you may see different results depending on whether you run the {% data variables.code-scanning.codeql_workflow %} on Linux, macOS, or Windows. -On {% data variables.product.company_short %}-hosted runners that use Linux, the {% data variables.code-scanning.codeql_workflow %} tries to install and analyze Python dependencies, which could lead to different results than when you run the {% data variables.code-scanning.codeql_workflow %} on other platforms. To disable the auto-install, add `setup-python-dependencies: false` to the "Initialize CodeQL" step of the workflow. For more information about configuring the analysis of Python dependencies, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#analyzing-python-dependencies)." +On {% data variables.product.company_short %}-hosted runners that use Linux, the {% data variables.code-scanning.codeql_workflow %} tries to install and analyze Python dependencies, which could lead to different results than when you run the {% data variables.code-scanning.codeql_workflow %} on other platforms. To disable the auto-install, add `setup-python-dependencies: false` to the "Initialize {% data variables.product.prodname_codeql %}" step of the workflow. For more information about configuring the analysis of Python dependencies, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#analyzing-python-dependencies)." diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow-run.md b/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow-run.md index 97ef95e81b..520724f2c1 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow-run.md 
+++ b/content/code-security/code-scanning/troubleshooting-code-scanning/unclear-what-triggered-a-workflow-run.md @@ -10,4 +10,4 @@ versions: {% data reusables.code-scanning.beta %} -For more information on viewing your last scan's log, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs#viewing-the-logging-output-from-code-scanning)." \ No newline at end of file +For more information on viewing your last scan's log, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs#viewing-the-logging-output-from-code-scanning)." \ No newline at end of file diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md b/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md index fbc4c88da2..1f5c62075b 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/unnecessary-step-found.md @@ -49,4 +49,4 @@ The revised `steps` section of the workflow will look like this: ... ``` -For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#editing-a-code-scanning-workflow)." +For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." diff --git a/content/code-security/code-scanning/troubleshooting-sarif/file-too-large.md b/content/code-security/code-scanning/troubleshooting-sarif/file-too-large.md index f18210116c..4be56f70a7 100644 
--- a/content/code-security/code-scanning/troubleshooting-sarif/file-too-large.md +++ b/content/code-security/code-scanning/troubleshooting-sarif/file-too-large.md @@ -25,7 +25,7 @@ A fatal error occurred: SARIF file is too large 413: Payload Too Large ``` -One of these errors is reported if a process attempts to upload a SARIF file that is larger than the maximum size of 10 MB. {% data variables.product.prodname_code_scanning_caps %} does not accept files above this size. There are several different ways to reduce the number of results generated for upload to {% data variables.product.prodname_code_scanning %}. +One of these errors is reported if a process attempts to upload a SARIF file that is larger than the maximum size of 10 MB. {% data variables.product.prodname_code_scanning_caps %} does not accept files above this size. There are several different ways to reduce the number of results generated for upload to {% data variables.product.prodname_code_scanning %}. You could see this error for SARIF files generated by {% data variables.product.prodname_codeql %} or by third-party analysis tools. For information about the limits on uploads, see {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#validating-your-sarif-file)." 
@@ -51,11 +51,11 @@ If you have too many results, you should configure analysis to analyze only the ### Number of queries run -If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for {% data variables.product.prodname_codeql %} analysis you could run just the default suite of queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)." +If you still have too many results, check how many queries you are using to analyze the code. Try running fewer queries. You can reintroduce additional queries when the initial alerts are fixed. For example, for {% data variables.product.prodname_codeql %} analysis you could run just the default suite of queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." ### Number of results found by queries -Sometimes a single query reports many results because the codebase has a specific coding style, or because the analysis does not understand a particular library. You can review the results file in a SARIF viewer to see the distribution of results. For example, https://microsoft.github.io/sarif-web-component/. +Sometimes a single query reports many results because the codebase has a specific coding style, or because the analysis does not understand a particular library. You can review the results file in a SARIF viewer to see the distribution of results. For example, https://microsoft.github.io/sarif-web-component/. - Check if the results are dominated by alerts identfied by a single query. Try excluding that query from analysis. You can reintroduce it when other alerts are fixed. 
For more information about {% data variables.product.prodname_codeql %} query configuration, see "[Excluding a query from analysis](#excluding-a-query-from-analysis)." - Check if there are dataflow queries with many deep paths. Try omitting dataflow paths from the output. For more information about {% data variables.product.prodname_codeql %} analysis configuration, see "[Omitting dataflow paths from the output](#omitting-dataflow-paths-from-the-output)." 
@@ -68,28 +68,28 @@ The following options are listed in order of complexity. You need to revise the Excluding non-production code from analysis is a simple way to reduce the size of the results file. -- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use `paths` and `paths-ignore` in the workflow file to specify what code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan)." -- {% data variables.product.prodname_codeql_cli %} `database create`: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the `database create` command to call this configuration file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan)." +- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use `paths` and `paths-ignore` in the workflow file to specify what code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." +- {% data variables.product.prodname_codeql_cli %} `database create`: create a YAML configuration file for code scanning using the same syntax to define which code to analyze. Update the `database create` command to call this configuration file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." 
### Optimizing the build command -Using a build command that compiles only one variant is a simple way to reduce the size of the results file. +Using a build command that compiles only one variant is a simple way to reduce the size of the results file. -- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: update the workflow file to specify your chosen build command. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." +- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: update the workflow file to specify your chosen build command. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)." - {% data variables.product.prodname_codeql_cli %} `database create`: specify your chosen build command either by calling the `database create` command with the `--command` option, or by defining the build command in a YAML configuration file for code scanning and calling the file using the `--codescanning-config` option. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)." ### Defining the query suite to run You may already be running only the default security queries, but it is worth checking. -- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: check the workflow file for the `queries` keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-queries-in-ql-packs)." +- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: check the workflow file for the `queries` keyword. If it is not present, then only the default query suite is run. If it is present, it defines which queries to run. Try commenting out this line of the workflow file. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs)." - {% data variables.product.prodname_codeql_cli %} `database analyze`: check the database analysis command for any paths that specify queries, query suites, or query packs. If none are present, then only the default query suite is run. If any are present, they define which queries to run, you can try removing them from the call. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-codeql-query-pack)." ### Excluding a query from analysis -If the results are dominated by the results for a single rule, excluding the rule from the analysis may be the best solution. +If the results are dominated by the results for a single rule, excluding the rule from the analysis may be the best solution. -- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use the `query-filters` keyword to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#excluding-specific-queries-from-analysis)." 
+- {% data variables.product.prodname_codeql %} advanced setup for {% data variables.product.prodname_code_scanning %}: use the `query-filters` keyword to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#excluding-specific-queries-from-analysis)." - {% data variables.product.prodname_codeql_cli %} `database analyze`: update the database analysis command to exclude one or more queries from analysis. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-a-subset-of-queries-in-a-codeql-pack)." Alternatively, you can use a tool like the [filter-sarif](https://github.com/advanced-security/filter-sarif) action to rewrite the SARIF file to exclude specific detections via an exclusion pattern. diff --git a/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system.md b/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system.md index 7431069c63..df593fc332 100644 --- a/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system.md +++ b/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system.md 
@@ -28,7 +28,7 @@ redirect_from:
 ## About {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system
-{% data reusables.code-scanning.about-code-scanning %} For information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."
+{% data reusables.code-scanning.about-code-scanning %} For information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)."
 {% data reusables.code-scanning.codeql-context-for-actions-and-third-party-tools %}
diff --git a/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system.md b/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system.md
index 782837a9ab..ea4f309d19 100644
--- a/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system.md
+++ b/content/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system.md
@@ -75,7 +75,7 @@ You can display the command-line help for any command using the `--help``--db-cluster` | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by `--language`. | | `--no-run-unnecessary-builds` | {% octicon "x" aria-label="Optional" %} | (Recommended) Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). | | `--source-root` | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. | -| `--codescanning-config` | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file)" and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile)." | +| `--codescanning-config` | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file)" and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile)." 
| For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis)." @@ -157,7 +157,7 @@ codeql database analyze --format= \ | `--format` | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated by the command. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghae or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." | `--output` | {% octicon "check" aria-label="Required" %} | Specify where to save the SARIF results file. | `--sarif-category` | {% octicon "question" aria-label="Required with multiple results sets" %} | Optional for single database analysis. Required to define the language when you analyze multiple databases for a single commit in a repository.

Specify a category to include in the SARIF results file for this analysis. A category is used to distinguish multiple analyses for the same tool and commit, but performed on different languages or different parts of the code.|{% ifversion code-scanning-tool-status-page %} -|
`--sarif-add-baseline-file-info` | {% octicon "x" aria-label="Optional" %} | (Recommended) Use to submit file coverage information to the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page#how-codeql-defines-scanned-files)." | {% endif %} +| `--sarif-add-baseline-file-info` | {% octicon "x" aria-label="Optional" %} | (Recommended) Use to submit file coverage information to the tool status page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)." | {% endif %} | `--sarif-add-query-help` | {% octicon "x" aria-label="Optional" %} | Use if you want to include any available markdown-rendered query help for custom queries used in your analysis. Any query help for custom queries included in the SARIF output will be displayed in the code scanning UI if the relevant query generates an alert. For more information, see "[AUTOTITLE](/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-query-help-for-custom-codeql-queries-in-sarif-files)."{% ifversion codeql-packs %} | `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see "[Downloading and using {% data variables.product.prodname_codeql %} packs](#downloading-and-using-codeql-query-packs)." | `--download` | {% octicon "x" aria-label="Optional" %} | Use if some of your {% data variables.product.prodname_codeql %} query packs are not yet on disk and need to be downloaded before running queries.{% endif %} 
@@ -186,7 +186,7 @@ $ codeql database analyze /codeql-dbs/example-repo \
 ### Adding file coverage information to your results for monitoring
-You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the tool status page for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page#how-codeql-defines-scanned-files)."
+You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the tool status page for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)."
 To include file coverage information with your {% data variables.product.prodname_code_scanning %} results, add the `--sarif-add-baseline-file-info` flag to the `codeql database analyze` invocation in your CI system, for example:
@@ -250,13 +250,13 @@ codeql github upload-results \
 {% endif %}
 ```
-There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
{% ifversion code-scanning-tool-status-page %}
 ## Uploading diagnostic information to {% data variables.product.product_name %} if the analysis fails
-When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} tool status page for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)."
+When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} tool status page for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
 However, if `codeql database analyze` fails for any reason there is no SARIF file to upload to {% data variables.product.company_short %} and no diagnostic information to show on the {% data variables.product.prodname_code_scanning %} tool status page for the repository. This makes it difficult for users to troubleshoot analysis unless they have access to log files in your CI system.
@@ -295,7 +295,7 @@ This is the same as the process for uploading SARIF files from successful analys
 {% data reusables.code-scanning.beta-codeql-packs-cli %}
-The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)."
+The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries)."
 Before you can use a {% data variables.product.prodname_codeql %} pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see "[Uploading results to {% data variables.product.product_name %}](#uploading-results-to-github)" above.
@@ -354,7 +354,7 @@ echo $OCTO-ORG_ACCESS_TOKEN | codeql pack download `, `--format`, and `--output`. You can specify addit | `--format` | {% octicon "check" aria-label="Required" %} | Specify the format for the results file generated during analysis. A number of different formats are supported, including CSV, [SARIF](https://codeql.github.com/docs/codeql-overview/codeql-glossary/#sarif-file), and graph formats. For upload to {% data variables.product.company_short %} this should be: {% ifversion fpt or ghae or ghec %}`sarif-latest`{% else %}`sarifv2.1.0`{% endif %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)." | `--output` | {% octicon "check" aria-label="Required" %} | Specify where to save the SARIF results file. | `--sarif-category` | {% octicon "question" aria-label="Required with multiple results sets" %} | Optional for single database analysis. Required to define the language when you analyze multiple databases for a single commit in a repository.

Specify a category to include in the SARIF results file for this analysis. A category is used to distinguish multiple analyses for the same tool and commit, but performed on different languages or different parts of the code.|{% ifversion code-scanning-tool-status-page %} -|
`--sarif-add-baseline-file-info` | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page#how-codeql-defines-scanned-files)." | {% endif %} +| `--sarif-add-baseline-file-info` | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to submit file coverage information to the {% data variables.code-scanning.tool_status_page %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)." | {% endif %} | `--sarif-add-query-help` | {% octicon "x" aria-label="Optional" %} | Use if you want to include any available markdown-rendered query help for custom queries used in your analysis. Any query help for custom queries included in the SARIF output will be displayed in the code scanning UI if the relevant query generates an alert. For more information, see "[Including query help for custom {% data variables.product.prodname_codeql %} queries in SARIF files](#including-query-help-for-custom-codeql-queries-in-sarif-files)."{% ifversion codeql-packs %} | `` | {% octicon "x" aria-label="Optional" %} | Use if you want to include {% data variables.product.prodname_codeql %} query packs in your analysis. For more information, see "[Downloading and using {% data variables.product.prodname_codeql %} query packs](/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#downloading-and-using-codeql-query-packs)." | `--download` | {% octicon "x" aria-label="Optional" %} | Use if some of your {% data variables.product.prodname_codeql %} query packs are not yet on disk and need to be downloaded before running queries.{% endif %} 
@@ -132,7 +132,7 @@ $ codeql database analyze /codeql-dbs/example-repo \
 {% ifversion code-scanning-tool-status-page %}
 ### Adding file coverage information to your results for monitoring
-You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page#how-codeql-defines-scanned-files)."
+You can optionally submit file coverage information to {% data variables.product.product_name %} for display on the {% data variables.code-scanning.tool_status_page %} for {% data variables.product.prodname_code_scanning %}. For more information about file coverage information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#how-codeql-defines-scanned-files)."
 To include file coverage information with your {% data variables.product.prodname_code_scanning %} results, add the `--sarif-add-baseline-file-info` flag to the `codeql database analyze` invocation in your CI system, for example:
@@ -325,7 +325,7 @@ If the analysis found fewer results for standard queries than you expected, revi
 ### Integrating a {% data variables.product.prodname_codeql %} pack into a code scanning workflow in {% data variables.product.prodname_dotcom %}
 You can use {% data variables.product.prodname_codeql %} query packs in your code scanning setup. This allows you to select query packs published by various sources and use them to analyze your code.
-For more information, see "[Using {% data variables.product.prodname_codeql %} query packs in the {% data variables.product.prodname_codeql %} action](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-codeql-query-packs/)" or "[Downloading and using {% data variables.product.prodname_codeql %} query packs in your CI system](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#downloading-and-using-codeql-query-packs)."
+For more information, see "[Using {% data variables.product.prodname_codeql %} query packs in the {% data variables.product.prodname_codeql %} action](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-codeql-query-packs/)" or "[Downloading and using {% data variables.product.prodname_codeql %} query packs in your CI system](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#downloading-and-using-codeql-query-packs)."
 ### Including query help for custom {% data variables.product.prodname_codeql %} queries in SARIF files
diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md
index 639ba17700..892ede4808 100644
--- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md
+++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs.md
@@ -49,7 +49,7 @@ their own top-level directories.
 {% data reusables.code-scanning.beta-codeql-packs-cli %}
-The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)."
+The {% data variables.product.prodname_codeql_cli %} bundle includes queries that are maintained by {% data variables.product.company_short %} experts, security researchers, and community contributors. If you want to run queries developed by other organizations, {% data variables.product.prodname_codeql %} query packs provide an efficient and reliable way to download and run queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries)."
 Before you can use a {% data variables.product.prodname_codeql %} pack to analyze a database, you must download any packages you require from the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %}. This can be done either by using the `--download` flag as part of the `codeql database analyze` command. If a package is not publicly available, you will need to use a {% data variables.product.prodname_github_app %} or {% data variables.product.pat_generic %} to authenticate. For more information and an example, see "[Uploading results to {% data variables.product.product_name %}](#uploading-results-to-github)".
@@ -73,9 +73,9 @@ For more information about pack compatibility, see "[AUTOTITLE](/code-security/c
 This example runs the `codeql database analyze` command with the `--download` option to:
 1. Download the latest version of the `octo-org/security-queries` pack.
-2. Download a version of the `octo-org/optional-security-queries` pack that is _compatible_ with version 1.0.1 (in this case, it is version 1.0.2). For more information on semver compatibility, see [npm's semantic version range documentation](https://github.com/npm/node-semver#ranges).
-3. Run all the default queries in `octo-org/security-queries`.
-4. Run only the query `queries/csrf.ql` from `octo-org/optional-security-queries`
+1. Download a version of the `octo-org/optional-security-queries` pack that is _compatible_ with version 1.0.1 (in this case, it is version 1.0.2). For more information on semver compatibility, see [npm's semantic version range documentation](https://github.com/npm/node-semver#ranges).
+1. Run all the default queries in `octo-org/security-queries`.
+1. Run only the query `queries/csrf.ql` from `octo-org/optional-security-queries`
 ```shell
 $ echo $OCTO-ORG_ACCESS_TOKEN | codeql database analyze --download /codeql-dbs/example-repo \
@@ -108,7 +108,7 @@ echo $OCTO-ORG_ACCESS_TOKEN | codeql pack download `--db-cluster` | {% octicon "x" aria-label="Optional" %} | Use in multi-language codebases to generate one database for each language specified by `--language`. | | `--no-run-unnecessary-builds` | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to suppress the build command for languages where the {% data variables.product.prodname_codeql_cli %} does not need to monitor the build (for example, Python and JavaScript/TypeScript). | | `--source-root` | {% octicon "x" aria-label="Optional" %} | Use if you run the CLI outside the checkout root of the repository. By default, the `database create` command assumes that the current directory is the root directory for the source files, use this option to specify a different location. | -| `--codescanning-config` | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#using-a-custom-configuration-file)" and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile)." | +| `--codescanning-config` | {% octicon "x" aria-label="Optional" %} | Advanced. Use if you have a configuration file that specifies how to create the {% data variables.product.prodname_codeql %} databases and what queries to run in later steps. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-a-custom-configuration-file)" and "[AUTOTITLE](/code-security/codeql-cli/codeql-cli-manual/database-create#--codescanning-configfile)." 
| You can specify extractor options to customize the behavior of extractors that create {% data variables.product.prodname_codeql %} databases. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/extractor-options)." @@ -275,7 +275,7 @@ The following examples are designed to give you an idea of some of the build com - Swift project built from an Xcode project or workspace. By default, the largest Swift target is built: It's a good idea to ensure that the project is in a clean state and that there are no build artefacts available. - + ```shell xcodebuild clean -all codeql database create -l swift swift-database diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md index 87e8102484..8a7278600f 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/uploading-codeql-analysis-results-to-github.md 
@@ -73,12 +73,12 @@ codeql github upload-results \
 {% endif %}
 ```
-There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)."
+There is no output from this command unless the upload was unsuccessful. The command prompt returns when the upload is complete and data processing has begun. On smaller codebases, you should be able to explore the {% data variables.product.prodname_code_scanning %} alerts in {% data variables.product.product_name %} shortly afterward. You can see alerts directly in the pull request or on the **Security** tab for branches, depending on the code you checked out. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
{% ifversion code-scanning-tool-status-page %}
 ## Uploading diagnostic information to {% data variables.product.product_name %} if the analysis fails
-When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page)."
+When {% data variables.product.prodname_codeql_cli %} finishes analyzing a database successfully, it gathers diagnostic information such as file coverage, warnings, and errors, and includes it in the SARIF file with the results. When you upload the SARIF file to {% data variables.product.company_short %} the diagnostic information is displayed on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository to make it easy to see how well {% data variables.product.prodname_codeql %} is working and debug any problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page)."
 However, if `codeql database analyze` fails for any reason there is no SARIF file to upload to {% data variables.product.company_short %} and no diagnostic information to show on the {% data variables.product.prodname_code_scanning %} {% data variables.code-scanning.tool_status_page %} for the repository. 
This makes it difficult for users to troubleshoot analysis unless they have access to log files in your CI system. diff --git a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md index ddff8495f6..4fbc7087ea 100644 --- a/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md +++ b/content/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs.md @@ -246,7 +246,7 @@ The following properties are supported in `qlpack.yml` files. exclude: precision: medium ``` - + #### `library` - Required by library packs. @@ -281,7 +281,7 @@ The following properties are supported in `qlpack.yml` files. - Optional. - Defines metadata that will be displayed on the packaging search page in the packages section of the account that the {% data variables.product.prodname_codeql %} pack is published to. For example: ```yaml - authors: author1@github.com,author2@github.com + authors: author1@github.com,author2@github.com ``` #### `license` @@ -302,7 +302,7 @@ The following properties are supported in `qlpack.yml` files. - Optional, deprecated. Use the `dependencies` property instead. - Previously used to define the names of any {% data variables.product.prodname_codeql %} packs that this {% data variables.product.prodname_codeql %} pack depends on, as an array. This gives the pack access to any libraries, database schema, and query suites defined in the dependency. For example: ```yaml - libraryPathDependencies: codeql/javascript-all + libraryPathDependencies: codeql/javascript-all ``` #### `dbscheme` 
@@ -356,7 +356,7 @@ In most cases, the `codeql-pack.lock.yml` file is only relevant for query packs
 ## Examples of custom {% data variables.product.prodname_codeql %} packs
-When you write custom queries or tests, you should save them in custom {% data variables.product.prodname_codeql %} packs. For simplicity, try to organize each pack logically. For more information, see "[{% data variables.product.prodname_codeql %} pack structure](#codeql-pack-structure)." Save files for queries and tests in separate packs and, where possible, organize custom packs into specific folders for each target language. This is particularly useful if you intend to publish your {% data variables.product.prodname_codeql %} packs so they can be shared with others or used in code scanning. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."
+When you write custom queries or tests, you should save them in custom {% data variables.product.prodname_codeql %} packs. For simplicity, try to organize each pack logically. For more information, see "[{% data variables.product.prodname_codeql %} pack structure](#codeql-pack-structure)." Save files for queries and tests in separate packs and, where possible, organize custom packs into specific folders for each target language. This is particularly useful if you intend to publish your {% data variables.product.prodname_codeql %} packs so they can be shared with others or used in code scanning. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)."
 ### {% data variables.product.prodname_codeql %} packs for custom libraries
diff --git a/content/code-security/getting-started/auditing-security-alerts.md b/content/code-security/getting-started/auditing-security-alerts.md
index c174a31068..10de63fde5 100644
--- a/content/code-security/getting-started/auditing-security-alerts.md
+++ b/content/code-security/getting-started/auditing-security-alerts.md
@@ -88,6 +88,6 @@ For more information, see "[{% data variables.product.prodname_code_scanning_cap
 ## Further reading
-- [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)
+- [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)
 - [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
 - [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)
diff --git a/content/code-security/getting-started/github-security-features.md b/content/code-security/getting-started/github-security-features.md
index 042e676f52..e499b21b77 100644
--- a/content/code-security/getting-started/github-security-features.md
+++ b/content/code-security/getting-started/github-security-features.md
@@ -109,7 +109,7 @@ Many {% data variables.product.prodname_GH_advanced_security %} features are ava
 ### {% data variables.product.prodname_code_scanning_caps %}
-Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)."
+Automatically detect security vulnerabilities and coding errors in new or modified code. Potential problems are highlighted, with detailed information, allowing you to fix the code before it's merged into your default branch. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)."
 ### {% data variables.secret-scanning.user_alerts_caps %}
diff --git a/content/code-security/getting-started/securing-your-repository.md b/content/code-security/getting-started/securing-your-repository.md
index 339de9a8f4..45b1df2636 100644
--- a/content/code-security/getting-started/securing-your-repository.md
+++ b/content/code-security/getting-started/securing-your-repository.md
@@ -114,7 +114,7 @@ To enable {% data variables.product.prodname_dependabot_version_updates %}, you
 ## Configuring {% data variables.product.prodname_code_scanning %}
-You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool.{% ifversion code-scanning-without-workflow %} Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.prodname_dotcom %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)."{% else %} For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)."{% endif %}
+You can configure {% data variables.product.prodname_code_scanning %} to automatically identify vulnerabilities and errors in the code stored in your repository by using a {% data variables.code-scanning.codeql_workflow %} or third-party tool.{% ifversion code-scanning-without-workflow %} Depending on the programming languages in your repository, you can configure {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} using default setup, in which {% data variables.product.prodname_dotcom %} automatically determines the languages to scan, query suites to run, and events that will trigger a new scan. 
For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)."{% else %} For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)."{% endif %}
 {% ifversion code-scanning-without-workflow %}
@@ -123,7 +123,7 @@ You can configure {% data variables.product.prodname_code_scanning %} to automat
 1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, select **Set up** {% octicon "triangle-down" aria-hidden="true" %}, then click **Default**.
 1. In the pop-up window that appears, review the default configuration settings for your repository, then click **Enable {% data variables.product.prodname_codeql %}**.
-Alternatively, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."
+Alternatively, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)."
 {% endif %}
@@ -152,7 +152,7 @@ For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-s
 ## Next steps
-You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts),"{% endif %} {% ifversion fpt or ghec or ghes %}"[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)," {% endif %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)," and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)".
+You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts),"{% endif %} {% ifversion fpt or ghec or ghes %}"[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)," {% endif %}"[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)," and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)".
 You can also use {% data variables.product.prodname_dotcom %}'s tools to audit responses to security alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)".
diff --git a/content/code-security/guides.md b/content/code-security/guides.md
index 155d527a95..768e33ba27 100644
--- a/content/code-security/guides.md
+++ b/content/code-security/guides.md
@@ -36,20 +36,20 @@ includeGuides:
 - /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection
 - /code-security/secret-scanning/secret-scanning-patterns
 - /code-security/secret-scanning/troubleshooting-secret-scanning
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale
- - 
/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests
- - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/viewing-code-scanning-logs
+ - /code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists
+ - /code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
+ - /code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts
+ - /code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql
+ - /code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
+ - /code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ - /code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository
+ - /code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container
+ - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
+ - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale
+ - /code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning
+ - /code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale
+ - /code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests
+ - /code-security/code-scanning/managing-your-code-scanning-configuration/viewing-code-scanning-logs
 - /code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning
 - 
/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
 - /code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
diff --git a/content/code-security/index.md b/content/code-security/index.md
index 55cd9e4b75..aa1ebdcaa5 100644
--- a/content/code-security/index.md
+++ b/content/code-security/index.md
@@ -9,13 +9,13 @@ featuredLinks:
 - /code-security/getting-started/securing-your-repository
 - /code-security/getting-started/securing-your-organization
 - '{% ifversion fpt or ghec %}/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory{% endif %}'
- - '{% ifversion code-scanning-without-workflow %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning{% endif %}'
- - '{% ifversion ghes < 3.9 or ghae < 3.9 %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning{% endif %}'
+ - '{% ifversion code-scanning-without-workflow %}/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning{% endif %}'
+ - '{% ifversion ghes < 3.9 or ghae < 3.9 %}/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning{% endif %}'
 guideCards:
 - '{% ifversion fpt or ghec or ghes %}/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates{% endif %}'
 - '{% ifversion fpt or ghec or ghes %}/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates{% endif %}'
- - '{% ifversion code-scanning-without-workflow %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning{% endif %}'
- - '{% ifversion ghes < 3.9 or ghae < 3.9 %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning{% endif %}'
+ - '{% ifversion code-scanning-without-workflow %}/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning{% endif %}'
+ - '{% ifversion ghes < 3.9 or ghae < 3.9 
%}/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning{% endif %}'
 - '{% ifversion ghae %}/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories{% endif %}'
 - '{% ifversion ghae %}/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github{% endif %}'
 - '{% ifversion ghae %}/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system{% endif %}'
@@ -29,8 +29,8 @@ featuredLinks:
 - /code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot
 - '{% ifversion ghae %}/code-security/secret-scanning/about-secret-scanning{% endif %}'
 - /code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies
- - '{% ifversion ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/codeql-code-scanning-for-compiled-languages{% endif %}'
- - '{% ifversion ghae %}/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/running-codeql-code-scanning-in-a-container{% endif %}'
+ - '{% ifversion ghae %}/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages{% endif %}'
+ - '{% ifversion ghae %}/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container{% endif %}'
 changelog:
 label: security-and-compliance
 versions:
diff --git a/content/code-security/security-overview/about-security-overview.md b/content/code-security/security-overview/about-security-overview.md
index 61d0ca6dd9..1b8514ca8a 100644
--- a/content/code-security/security-overview/about-security-overview.md
+++ b/content/code-security/security-overview/about-security-overview.md
@@ -76,7 +76,7 @@ Each repository is shown in security overview with an indicator for each type of
 | Indicator | Meaning |
 | -------- | -------- |
-| {% octicon "code-square" aria-label="Code scanning alerts" %} | {% data variables.product.prodname_code_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)." |
+| {% octicon "code-square" aria-label="Code scanning alerts" %} | {% data variables.product.prodname_code_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." |
 | {% octicon "key" aria-label="Secret scanning alerts" %} | {% data variables.product.prodname_secret_scanning_caps %} alerts. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." |
 | {% octicon "hubot" aria-label="Dependabot alerts" %} | {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)." |
 | {% octicon "check" aria-label="Enabled" %} | The security feature is enabled, but does not raise alerts in this repository. |
diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
index 770bdc31c7..941601fec3 100644
--- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
+++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-code.md
@@ -53,7 +53,7 @@ As a first step, you want to make a complete inventory of your dependencies. The
 ### Automatic detection of vulnerabilities in pull requests
-The {% data variables.dependency-review.action_name %} enforces a dependency review on your pull requests, making it easy for you to see if a pull request will introduce a vulnerable version of a dependency to your repository. When a vulnerability is detected, the {% data variables.dependency-review.action_name %} can block the pull request from merging. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)."{% endif %}
+The {% data variables.dependency-review.action_name %} enforces a dependency review on your pull requests, making it easy for you to see if a pull request will introduce a vulnerable version of a dependency to your repository. When a vulnerability is detected, the {% data variables.dependency-review.action_name %} can block the pull request from merging. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)."{% endif %}
 ### Assessment of exposure to risk from a vulnerable dependency
@@ -116,7 +116,7 @@ You can improve the quality and security of your code by ensuring that all pull
 ### Scan your code for vulnerable patterns
-Insecure code patterns are often difficult for reviewers to spot unaided. In addition to scanning your code for secrets, you can check it for patterns that are associated with security vulnerabilities. For example, a function that isn't memory-safe, or failing to escaping user input that could lead to an injection vulnerability. {% data variables.product.prodname_dotcom %} offers several different ways to approach both how and when you scan your code. To get started, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)."
+Insecure code patterns are often difficult for reviewers to spot unaided. In addition to scanning your code for secrets, you can check it for patterns that are associated with security vulnerabilities. For example, a function that isn't memory-safe, or failing to escaping user input that could lead to an injection vulnerability. {% data variables.product.prodname_dotcom %} offers several different ways to approach both how and when you scan your code. To get started, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)."
 ## Next steps
diff --git a/content/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms.md b/content/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms.md
index c49e782e0e..a6320ab192 100644
--- a/content/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms.md
+++ b/content/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms.md
@@ -49,7 +49,6 @@ You can set the following top-level keys for each issue form. | `title` | A default title that will be pre-populated in the issue submission form. | Optional | String |{% ifversion projects-in-issue-forms %} | `projects` | Projects that any issues created with this template will automatically be added to. | Optional | Array or comma-delimited string |{% endif %} - For the available `body` input types and their syntaxes, see "[AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema)." ## Converting a Markdown issue template to a YAML issue form template diff --git a/content/copilot/github-copilot-chat/using-github-copilot-chat.md b/content/copilot/github-copilot-chat/using-github-copilot-chat.md index bb9c1f06c7..1c7c3f4d93 100644 --- a/content/copilot/github-copilot-chat/using-github-copilot-chat.md +++ b/content/copilot/github-copilot-chat/using-github-copilot-chat.md 
@@ -38,7 +38,7 @@ To use {% data variables.product.prodname_copilot_chat %}, you must first instal
 ![Screenshot of the {% data variables.product.prodname_copilot_chat %} extension in the Extensions Marketplace.](/assets/images/help/copilot/vscode-extension-search.png)
-1. In the {% data variables.product.prodname_vscode %} window, click **Reload required** to update {% data variables.product.prodname_vscode %}.
+1. In the {% data variables.product.prodname_vscode %} window, click **Reload required** to update {% data variables.product.prodname_vscode %}.
 1. If you are prompted to sign in by a toast notification in the bottom right corner of {% data variables.product.prodname_vscode %}, click **Sign in to {% data variables.product.prodname_dotcom %}** and sign in with the same {% data variables.product.prodname_dotcom %} ID that has been granted access to the {% data variables.product.prodname_copilot_chat %} limited public beta.
 1. Follow the prompts in {% data variables.product.prodname_vscode %} and on {% data variables.product.prodname_dotcom %} in your browser to complete the sign in and authentication process.
 1. To confirm that {% data variables.product.prodname_copilot_chat %} has been successfully installed, in the activity bar on the left side of the {% data variables.product.prodname_vscode %} window, click the **{% data variables.product.prodname_copilot_chat %}** icon to open the {% data variables.product.prodname_copilot_chat %} chat window.
@@ -63,7 +63,7 @@ To use {% data variables.product.prodname_copilot_chat %}, you must first instal
 1. {% data variables.product.prodname_copilot_chat %} will process your question and provide an answer, with code suggestions when appropriate, in the chat window. If your question is outside the scope of {% data variables.product.prodname_copilot_chat %}, it will tell you and may suggest an alternative question to ask.
-
+
 1. Optionally, if {% data variables.product.prodname_copilot_chat %} suggests a follow-up question above the **Ask {% data variables.product.prodname_copilot_short %} a question or type `/` for topics** text box, click the follow-up question to ask it.
 ## Using code suggestions from {% data variables.product.prodname_copilot_chat %}
@@ -78,7 +78,7 @@ When {% data variables.product.prodname_copilot_chat %} provides code suggestion
 - To copy the code suggestion to your clipboard, click the **Copy** icon.
 - To insert the code suggestion into your code at the current location of your cursor, click the **Insert at Cursor** icon.
 - To view additional options, click the **...** icon.
- - To create a new file and insert the suggestion into it, click **Insert Into New File**.
+ - To create a new file and insert the suggestion into it, click **Insert Into New File**.
 - To run the code suggestion in the {% data variables.product.prodname_vscode %} terminal, click **Run in Terminal**.
 ## Asking {% data variables.product.prodname_copilot_chat %} questions about your code
@@ -112,7 +112,6 @@ To share feedback about {% data variables.product.prodname_copilot_chat %}, you
 {% endvscode %}
-
 {% visualstudio %}
 ## About {% data variables.product.prodname_copilot_chat %} and {% data variables.product.prodname_vs %}
@@ -123,7 +122,7 @@ To share feedback about {% data variables.product.prodname_copilot_chat %}, you
 {% data reusables.copilot.chat-subscription-prerequisite %}
-- To use {% data variables.product.prodname_copilot_chat %} with {% data variables.product.prodname_vs %}, you must be running {% data variables.product.prodname_vs %} 2022 version 17.6 or higher. For more information, see the [Visual Studio IDE](https://visualstudio.microsoft.com/vs/) documentation.
+- To use {% data variables.product.prodname_copilot_chat %} with {% data variables.product.prodname_vs %}, you must be running {% data variables.product.prodname_vs %} 2022 version 17.6 or higher. For more information, see the [Visual Studio IDE](https://visualstudio.microsoft.com/vs/) documentation.
 - To use {% data variables.product.prodname_copilot_chat %} with {% data variables.product.prodname_vs %}, you must be signed into {% data variables.product.prodname_vs %} with the same {% data variables.product.prodname_dotcom %} ID that has been granted access to the {% data variables.product.prodname_copilot_chat %} limited public beta.
@@ -131,7 +130,7 @@ To share feedback about {% data variables.product.prodname_copilot_chat %}, you
 ## Installing the {% data variables.product.prodname_vs %} extension
-To use {% data variables.product.prodname_copilot_chat %} with {% data variables.product.prodname_vs %}, you must install the {% data variables.product.prodname_vs %} extension.
+To use {% data variables.product.prodname_copilot_chat %} with {% data variables.product.prodname_vs %}, you must install the {% data variables.product.prodname_vs %} extension.
 {% data reusables.copilot.vs-extensions %}
 1. In the "Manage Extensions" window, click **Visual Studio Marketplace**, search for "{% data variables.product.prodname_copilot_chat %}", then click **Download**.
 {% data reusables.copilot.vs-exit-and-relaunch %}
@@ -180,7 +179,6 @@ To share feedback about {% data variables.product.prodname_copilot_chat %}, you
 - To report a bug, click **Report a problem**.
 - To request a feature, click **Suggest a feature**.
-
 ## Further reading
 - [AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-copilot-pre-release-terms)
diff --git a/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/checking-out-a-commit-in-github-desktop.md b/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/checking-out-a-commit-in-github-desktop.md
index 1f3eb36d04..498b6821cf 100644
--- a/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/checking-out-a-commit-in-github-desktop.md
+++ b/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/checking-out-a-commit-in-github-desktop.md
@@ -10,7 +10,7 @@ versions:
 Checking out a commit allows you to view your repository in a previous state without needing to create a new branch or modify an existing branch. This can be helpful when debugging since it allows you to see if a bug exists in your repository at a previous commit.
-Checking out a commit puts your repository in a "detached HEAD" state. In Git terminology "HEAD" is the reference that points to the tip, or latest commit, of a named branch in your repository. A "detached HEAD" state means that HEAD refers to a specific commit, but not on a named branch in your repository.
+Checking out a commit puts your repository in a "detached HEAD" state. In Git terminology "HEAD" is the reference that points to the tip, or latest commit, of a named branch in your repository. A "detached HEAD" state means that HEAD refers to a specific commit, but not on a named branch in your repository.
 {% note %}
@@ -18,13 +18,12 @@ Checking out a commit puts your repository in a "detached HEAD" state. In Git te
 {% endnote %}
-
 ## Checking out a commit
 {% data reusables.desktop.history-tab %}
 1. Right-click on the commit you would like to checkout and select **Checkout commit**.
 ![Screenshot of a list of commits in the "History" tab. Next to a commit, in a context menu, the "Checkout Commit" option is highlighted with an orange outline.](/assets/images/help/desktop/checkout-commit.png)
-1. The {% octicon "git-branch" aria-hidden="true" %} **Current Branch** item in the repository bar will now show "Detached HEAD", along with the SHA of the commit that was checked out.
+1. The {% octicon "git-branch" aria-hidden="true" %} **Current Branch** item in the repository bar will now show "Detached HEAD", along with the SHA of the commit that was checked out.
 ![Screenshot of the repository bar. The "Current Branch" item shows a "Detached HEAD" state and is highlighted with an orange outline.](/assets/images/help/desktop/branch-item.png)
 1. To exit the "detached HEAD" state you will need to switch branches. For more information, see "[AUTOTITLE](/desktop/contributing-and-collaborating-using-github-desktop/making-changes-in-a-branch/managing-branches-in-github-desktop#switching-between-branches)."
@@ -40,7 +39,7 @@ The `git reflog` command will show the output of events that have happened in yo
 22fa76c125 HEAD@{2}: checkout: moving from main to 22fa76c1250a2847305b9325752d941dbaa55983
 ```
-The `8bd5e736a2 HEAD@{1}: commit: testing out a feature` line is the commit that we want to recover, since it was made while the repository was in a "detached HEAD" state. To recover it you can run `git cherry-pick 8bd5e736a2` to apply the commit to the current branch in your repository.
+The `8bd5e736a2 HEAD@{1}: commit: testing out a feature` line is the commit that we want to recover, since it was made while the repository was in a "detached HEAD" state. To recover it you can run `git cherry-pick 8bd5e736a2` to apply the commit to the current branch in your repository.
 ## Further reading
diff --git a/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/cherry-picking-a-commit-in-github-desktop.md b/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/cherry-picking-a-commit-in-github-desktop.md
index 721718b320..26e206e681 100644
--- a/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/cherry-picking-a-commit-in-github-desktop.md
+++ b/content/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/cherry-picking-a-commit-in-github-desktop.md
@@ -1,6 +1,6 @@
 ---
 title: Cherry-picking a commit in GitHub Desktop
-shortTitle: Cherry-picking
+shortTitle: Cherry-picking
 intro: 'You can use {% data variables.product.prodname_desktop %} to pick a specific commit on one branch and copy the commit to another branch.'
 versions:
 feature: desktop
@@ -22,7 +22,7 @@ You can also use cherry-picking when collaborating with a team. Some projects in ![Screenshot of the "Current Branch" dropdown view. Under "Recent Branches", a branch, named "my-feature", is highlighted with an orange outline.](/assets/images/help/desktop/select-branch-from-dropdown.png) {% data reusables.desktop.history-tab %} -1. Select the commit you would like to cherry-pick. +1. Select the commit you would like to cherry-pick. {% mac %} @@ -35,12 +35,11 @@ You can also use cherry-picking when collaborating with a team. Some projects in You can select one commit or select multiple commits using Ctrl or Shift. {% endwindows %} - + 1. Right-click the selected commit and click **Cherry pick commit**, then select the branch that you want to copy the commit to. You can also drag the commit that you want to cherry-pick from the "History" tab to the {% octicon "git-branch" aria-hidden="true" %} **Current Branch** dropdown menu, then drop the commit on the branch that you want to copy the commit to. ![Screenshot of the "History" tab and the "Current Branch" dropdown view. The cursor hovers over the "my-feature" branch, and "plus one" icons indicate the addition of one commit.](/assets/images/help/desktop/cherry-picking.png) - ## Further reading - [git-cherry-pick](https://git-scm.com/docs/git-cherry-pick) in the Git documentation diff --git a/content/desktop/installing-and-configuring-github-desktop/configuring-and-customizing-github-desktop/configuring-a-default-editor-in-github-desktop.md b/content/desktop/installing-and-configuring-github-desktop/configuring-and-customizing-github-desktop/configuring-a-default-editor-in-github-desktop.md index 8a02f2d7ee..db3ee8b225 100644 --- a/content/desktop/installing-and-configuring-github-desktop/configuring-and-customizing-github-desktop/configuring-a-default-editor-in-github-desktop.md 
+++ b/content/desktop/installing-and-configuring-github-desktop/configuring-and-customizing-github-desktop/configuring-a-default-editor-in-github-desktop.md @@ -113,7 +113,7 @@ If you want to open another repository in the default editor, you can use the re {% mac %} **Tip:** You can use the Shift+Command+A keyboard shortcut to open a repository in the default editor. - + {% endmac %} {% windows %} @@ -127,5 +127,4 @@ If you want to open another repository in the default editor, you can use the re ## Opening a file in the default editor 1. Navigate to the "Changes" tab in the left sidebar. -2. Double-click on the file, or right-click on the file and select **Open in default editor**. - \ No newline at end of file +1. Double-click on the file, or right-click on the file and select **Open in default editor**. diff --git a/content/get-started/learning-about-github/about-github-advanced-security.md b/content/get-started/learning-about-github/about-github-advanced-security.md index 302930cc3d..d45eb7a216 100644 --- a/content/get-started/learning-about-github/about-github-advanced-security.md +++ b/content/get-started/learning-about-github/about-github-advanced-security.md 
@@ -34,7 +34,7 @@ shortTitle: GitHub Advanced Security A {% data variables.product.prodname_GH_advanced_security %} license provides the following additional features: -- **{% data variables.product.prodname_code_scanning_caps %}** - Search for potential security vulnerabilities and coding errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)." +- **{% data variables.product.prodname_code_scanning_caps %}** - Search for potential security vulnerabilities and coding errors in your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)." - **{% data variables.product.prodname_secret_scanning_caps %}** - Detect secrets, for example keys and tokens, that have been checked into {% ifversion fpt %} private repositories{% else %} the repository{% endif %}. {% ifversion fpt%}{% data variables.secret-scanning.user_alerts_caps %} and {% data variables.secret-scanning.partner_alerts %} are available and free of charge for public repositories on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}{% ifversion secret-scanning-push-protection %} If push protection is enabled, also detects secrets when they are pushed to your repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."{% else %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)."{% endif %} 
@@ -106,7 +106,7 @@ If you have an enterprise account, license use for the entire enterprise is show {% data reusables.advanced-security.starter-workflows-beta %} {% data reusables.advanced-security.starter-workflow-overview %} -For more information on starter workflows, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)" and "[AUTOTITLE](/actions/using-workflows/using-starter-workflows)." +For more information on starter workflows, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)" and "[AUTOTITLE](/actions/using-workflows/using-starter-workflows)." {% endif %} diff --git a/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md b/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md index 270d350974..69b2b3ab42 100644 --- a/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md +++ b/content/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists.md @@ -79,4 +79,4 @@ Any issues that are referenced in a task list specify that they are tracked by t ## Further reading {% ifversion code-scanning-task-lists %} -- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists)"{% endif %} +- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists)"{% endif %} 
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization.md
index 743d5c335f..af7bfba6db 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization.md
@@ -531,7 +531,7 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett | `advanced_security_enabled` | Triggered when a repository administrator enables {% data variables.product.prodname_GH_advanced_security %} features for the repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).". | `archived` | Triggered when a repository admin [archives a repository](/repositories/archiving-a-github-repository/archiving-repositories). {%- ifversion remove-code-scanning-configurations %} -| `code_scanning_configuration_for_branch_deleted` | Triggered when a {% data variables.product.prodname_code_scanning %} configuration for a branch of a repository is deleted. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)." +| `code_scanning_configuration_for_branch_deleted` | Triggered when a {% data variables.product.prodname_code_scanning %} configuration for a branch of a repository is deleted. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)." {%- endif %} {%- ifversion ghes %} | `config.disable_anonymous_git_access` | Triggered when [anonymous Git read access is disabled](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/enabling-anonymous-git-read-access-for-a-repository) in a public repository. 
diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
index 32021e5da1..c8180447cc 100644
--- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md
@@ -52,7 +52,7 @@ You can enable or disable features for all repositories. - **{% data variables.product.prodname_secret_scanning_caps %}** - Your changes affect {% ifversion fpt %}public repositories and public npm packages these repositories may depend on.{% endif %}{% ifversion ghec %}public repositories, and private or internal repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %} This option controls whether or not {% data variables.secret-scanning.user_alerts %} are enabled. {% data variables.secret-scanning.partner_alerts_caps %} always runs on all public repositories. {%- ifversion org-enable-code-scanning %} -- **{% data variables.product.prodname_code_scanning_caps %}** - Your changes affect {% ifversion fpt %}public repositories{% elsif ghec %}public repositories, and private or internal repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled{% elsif ghes or ghae %}repositories that are eligible for default setup using {% data variables.product.prodname_codeql %} where {% data variables.product.prodname_GH_advanced_security %} is enabled{% endif %}. {% data reusables.code-scanning.default-setup-info-link %} For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." +- **{% data variables.product.prodname_code_scanning_caps %}** - Your changes affect {% ifversion fpt %}public repositories{% elsif ghec %}public repositories, and private or internal repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled{% elsif ghes or ghae %}repositories that are eligible for default setup using {% data variables.product.prodname_codeql %} where {% data variables.product.prodname_GH_advanced_security %} is enabled{% endif %}. 
{% data reusables.code-scanning.default-setup-info-link %} For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." {%- endif %} {% endif %} 
@@ -94,7 +94,7 @@ You can use security overview to find a set of repositories and enable or disabl **Notes:** - {% data reusables.code-scanning.limitation-org-enable-all %}{% ifversion bulk-code-scanning-query-suite %} - - Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale##configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."{% endif %} + - Enabling {% data variables.product.prodname_code_scanning %} for all eligible repositories in an organization will not override existing {% data variables.product.prodname_code_scanning %} configurations. For information on configuring default setup with different settings for specific repositories, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning){% ifversion code-security-multi-repo-enablement %}" and "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#configuring-default-setup-for-a-subset-of-repositories-in-an-organization){% endif %}."{% endif %} {% endnote %} {% endif %} 
diff --git a/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md b/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md
index 7908eccf59..a2ad1579c4 100644
--- a/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md
+++ b/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md
@@ -165,8 +165,8 @@ In this section, you can find the access required for security features, such as | Manage access to {% data variables.product.prodname_GH_advanced_security %} features (see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)") | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion fpt or ghec %} | [Enable the dependency graph](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository) for a private repository | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %}{% ifversion ghes or ghae or ghec %} | [View dependency reviews](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |{% endif %} -| [View {% data variables.product.prodname_code_scanning %} alerts on pull requests](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| [List, dismiss, and delete {% data variables.product.prodname_code_scanning %} 
alerts](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +| [View {% data variables.product.prodname_code_scanning %} alerts on pull requests](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | +| [List, dismiss, and delete {% data variables.product.prodname_code_scanning %} alerts](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | | [View and dismiss {% data variables.secret-scanning.alerts %} in a repository](/code-security/secret-scanning/managing-alerts-from-secret-scanning) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %}{% ifversion not ghae %}{% endif %} | {% octicon "check" aria-label="Yes" %}{% ifversion not ghae %}{% endif %} | {% octicon "check" aria-label="Yes" %} |{% ifversion ghes or ghae or ghec %} | [Resolve, revoke, or re-open {% data variables.secret-scanning.alerts %}](/code-security/secret-scanning/managing-alerts-from-secret-scanning) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %}{% ifversion not ghae %}{% endif %} | {% octicon "check" aria-label="Yes" %}{% ifversion not ghae %}{% endif %} | {% octicon "check" 
aria-label="Yes" %} |{% endif %}{% ifversion ghes or ghae or ghec %} | [Designate additional people or teams to receive {% data variables.secret-scanning.alerts %}](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) in repositories | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |{% endif %} diff --git a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/viewing-a-pull-request-review.md b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/viewing-a-pull-request-review.md index f223e22b27..37ce4dd53f 100644 --- a/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/viewing-a-pull-request-review.md +++ b/content/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/viewing-a-pull-request-review.md @@ -29,4 +29,4 @@ When you view a full review, you'll see the same version of the pull request as - "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews)" - "[AUTOTITLE](/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request)" -- "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)" +- "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)" diff --git a/data/reusables/actions/oidc-endpoints.md b/data/reusables/actions/oidc-endpoints.md index c691b32cb3..b3ac2713cd 100644 --- a/data/reusables/actions/oidc-endpoints.md 
+++ b/data/reusables/actions/oidc-endpoints.md @@ -1,3 +1,3 @@ - You must enable the following publicly accessible endpoints: - - `https:///_services/token/.well-known/openid-configuration` - - `https:///_services/token/.well-known/jwks` + - `https:///_services/token/.well-known/openid-configuration` + - `https:///_services/token/.well-known/jwks` diff --git a/data/reusables/actions/starter-workflow-categories.md b/data/reusables/actions/starter-workflow-categories.md index 9e44915564..09a7604296 100644 --- a/data/reusables/actions/starter-workflow-categories.md +++ b/data/reusables/actions/starter-workflow-categories.md @@ -1,5 +1,5 @@ {% data variables.product.prodname_dotcom %} provides ready-to-use starter workflows for the following high level categories: - **Deployment (CD)**. For more information, see "[AUTOTITLE](/actions/deployment/about-deployments/about-continuous-deployment)." -{% ifversion fpt or ghec %}- **Security**. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)."{% endif %} +{% ifversion fpt or ghec %}- **Security**. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-actions)."{% endif %} - **Continuous Integration (CI)**. For more information, see "[AUTOTITLE](/actions/automating-builds-and-tests/about-continuous-integration)." - **Automation**. Automation starter workflows offer solutions for automating workflows, such as triaging pull requests and applying a label based on the paths that are modified in the pull request, or greeting users who are first time contributors to the repository. 
diff --git a/data/reusables/actions/workflows/required-workflow-source-notes.md b/data/reusables/actions/workflows/required-workflow-source-notes.md
index b340bc2452..5326d2ad8d 100644
--- a/data/reusables/actions/workflows/required-workflow-source-notes.md
+++ b/data/reusables/actions/workflows/required-workflow-source-notes.md
@@ -1,7 +1,7 @@ - Required workflows can be stored in any repository folder and are not restricted to the `.github/workflows` folder like normal workflows. If a required workflow calls a reusable workflow, the reusable workflow must be stored in the `.github/workflows` folder. When calling a reusable workflow, a required workflow must use the full path and ref to the reusable workflow. For example, `{owner}/{repo}/.github/workflows/(unknown)@{ref}`. - If the required workflow is contained in a private {% ifversion ghes or ghec or ghae %}or internal {% endif %}repository, you must ensure that workflows within the repository are accessible by other repositories in your organization. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-access-for-a-private-repository){% ifversion ghes or ghec or ghae %}" and "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository){% endif %}." - Workflows stored in a public repository can be configured as required workflows for any repository in your organization. Workflows stored in a private repository can only be configured as required workflows for other private repositories in your organization. {% ifversion ghes or ghec or ghae %} Workflows stored in internal repositories can be configured as required workflows for internal and private repositories in your organization.{% endif %} -- {% data variables.product.prodname_codeql %} is not supported in required workflows because {% data variables.product.prodname_codeql %} requires configuration at the repository level. 
For information on configuring code scanning, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning)." +- {% data variables.product.prodname_codeql %} is not supported in required workflows because {% data variables.product.prodname_codeql %} requires configuration at the repository level. For information on configuring code scanning, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." {% ifversion actions-required-workflow-improvements %} {% ifversion fpt or ghec %} - To push to a branch where required workflows are enforced at the organizational level, create a pull request to make the necessary changes. You cannot push directly to branches with required workflow enforcements. diff --git a/data/reusables/apps/app-scans.md b/data/reusables/apps/app-scans.md index 84085943e7..b7b74e71f2 100644 --- a/data/reusables/apps/app-scans.md +++ b/data/reusables/apps/app-scans.md @@ -1 +1 @@ -You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." +You should conduct regular vulnerability scans for your app. For example, you might set up code scanning and secret scanning for the repository that hosts your app's code. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)" and "[AUTOTITLE](/code-security/secret-scanning/about-secret-scanning)." 
diff --git a/data/reusables/code-scanning/about-multiple-configurations-link.md b/data/reusables/code-scanning/about-multiple-configurations-link.md
index 2142d6ec2f..05231d2ba4 100644
--- a/data/reusables/code-scanning/about-multiple-configurations-link.md
+++ b/data/reusables/code-scanning/about-multiple-configurations-link.md
@@ -1,5 +1,5 @@ {% ifversion remove-code-scanning-configurations %} -If you run code scanning using multiple configurations, the same alert will sometimes be generated by more than one configuration. If an alert comes from multiple configurations, you can view the status of the alert for each configuration on the alert page. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alerts-from-multiple-configurations)." +If you run code scanning using multiple configurations, the same alert will sometimes be generated by more than one configuration. If an alert comes from multiple configurations, you can view the status of the alert for each configuration on the alert page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alerts-from-multiple-configurations)." {% else %} -If you run code scanning using multiple configurations, an alert will sometimes have multiple analysis origins. If an alert has multiple analysis origins, you can view the status of the alert for each analysis origin on the alert page. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-analysis-origins)." +If you run code scanning using multiple configurations, an alert will sometimes have multiple analysis origins. If an alert has multiple analysis origins, you can view the status of the alert for each analysis origin on the alert page. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-analysis-origins)." {% endif %} diff --git a/data/reusables/code-scanning/alert-tracking-link.md b/data/reusables/code-scanning/alert-tracking-link.md index 913052e046..7d210ce989 100644 
--- a/data/reusables/code-scanning/alert-tracking-link.md
+++ b/data/reusables/code-scanning/alert-tracking-link.md
@@ -1,2 +1,2 @@
-For more information about creating issues to track {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists)."
+For more information about creating issues to track {% data variables.product.prodname_code_scanning %} alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/tracking-code-scanning-alerts-in-issues-using-task-lists)."
diff --git a/data/reusables/code-scanning/alerts-found-in-generated-code.md b/data/reusables/code-scanning/alerts-found-in-generated-code.md
index bfd09dd3aa..71a2bf2180 100644
--- a/data/reusables/code-scanning/alerts-found-in-generated-code.md
+++ b/data/reusables/code-scanning/alerts-found-in-generated-code.md
@@ -1,3 +1,3 @@ For compiled languages like Java,{% ifversion codeql-kotlin-beta %} Kotlin, {% endif %}{% ifversion codeql-go-autobuild %} Go,{% endif %} C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." -For languages like{% ifversion codeql-go-autobuild %}{% else %} Go,{% endif %} JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#specifying-directories-to-scan)." +For languages like{% ifversion codeql-go-autobuild %}{% else %} Go,{% endif %} JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." diff --git a/data/reusables/code-scanning/codeql-query-suites-explanation.md b/data/reusables/code-scanning/codeql-query-suites-explanation.md index 02807be97c..242c2c8c0b 100644 
--- a/data/reusables/code-scanning/codeql-query-suites-explanation.md +++ b/data/reusables/code-scanning/codeql-query-suites-explanation.md @@ -6,4 +6,4 @@ Each of these query suites contains a different subset of the queries included i You can identify which query suites a query is included in by browsing the [CodeQL query help documentation](https://codeql.github.com/codeql-query-help/). For each query, any suites that it is included in are displayed at the top of the page with the query metadata. For example: [Arbitrary file write during zip extraction (”Zip Slip”)](https://codeql.github.com/codeql-query-help/javascript/js-zipslip/) and [Client-side request forgery](https://codeql.github.com/codeql-query-help/javascript/js-client-side-request-forgery/). -When you specify a query suite, the {% data variables.product.prodname_codeql %} analysis engine will run the default set of queries and any extra queries defined in the additional query suite. {% ifversion codeql-ml-queries %}The `security-extended` and `security-and-quality` query suites for JavaScript contain experimental queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-experimental-alerts)."{% endif %} +When you specify a query suite, the {% data variables.product.prodname_codeql %} analysis engine will run the default set of queries and any extra queries defined in the additional query suite. {% ifversion codeql-ml-queries %}The `security-extended` and `security-and-quality` query suites for JavaScript contain experimental queries. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-experimental-alerts)."{% endif %} diff --git a/data/reusables/code-scanning/default-setup-info-link.md b/data/reusables/code-scanning/default-setup-info-link.md index 74de406bc0..4efb25b86c 100644 
--- a/data/reusables/code-scanning/default-setup-info-link.md
+++ b/data/reusables/code-scanning/default-setup-info-link.md
@@ -1 +1 @@
-For information about eligible repositories, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale#eligible-repositories-default-setup).
+For information about eligible repositories, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale#eligible-repositories-default-setup).
diff --git a/data/reusables/code-scanning/enabling-options.md b/data/reusables/code-scanning/enabling-options.md
index 2000a7e09f..eb010bc5c6 100644
--- a/data/reusables/code-scanning/enabling-options.md
+++ b/data/reusables/code-scanning/enabling-options.md
@@ -1,6 +1,6 @@
 {% ifversion code-scanning-without-workflow %}
-- **{% data variables.product.prodname_codeql %}**: Uses {% data variables.product.prodname_actions %} with either default setup (see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning)") or advanced setup (see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)"), or runs {% data variables.product.prodname_codeql %} analysis in a third-party continuous integration (CI) system (see "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system)").
+- **{% data variables.product.prodname_codeql %}**: Uses {% data variables.product.prodname_actions %} with either default setup (see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)") or advanced setup (see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)"), or runs {% data variables.product.prodname_codeql %} analysis in a third-party continuous integration (CI) system (see "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system)").
 {% else %}
 - **{% data variables.product.prodname_codeql %}**: Uses {% data variables.product.prodname_actions %} (see below) or runs {% data variables.product.prodname_codeql %} analysis in a third-party continuous integration (CI) system (see "[AUTOTITLE](/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system)").
{% endif %}
-- **Third‑party**: Uses {% data variables.product.prodname_actions %} {% ifversion fpt or ghec %}(see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-workflows)") {% endif %}or third-party tools and uploads results to {% data variables.product.product_name %} (see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)").
+- **Third‑party**: Uses {% data variables.product.prodname_actions %} {% ifversion fpt or ghec %}(see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-code-scanning-using-third-party-workflows)") {% endif %}or third-party tools and uploads results to {% data variables.product.product_name %} (see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)").
diff --git a/data/reusables/code-scanning/github-issues-integration.md b/data/reusables/code-scanning/github-issues-integration.md
index f5bf57c55a..4699380975 100644
--- a/data/reusables/code-scanning/github-issues-integration.md
+++ b/data/reusables/code-scanning/github-issues-integration.md
@@ -1,3 +1 @@
-{% data variables.product.prodname_code_scanning_caps %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to make it easy for you to prioritize and track alerts with all your development work. For more information about issues, see "[AUTOTITLE](/issues/tracking-your-work-with-issues/about-issues)."
-
-To track a code scanning alert in an issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "[AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists)."
+{% data variables.product.prodname_code_scanning_caps %} alerts integrate with task lists in {% data variables.product.prodname_github_issues %} to make it easy for you to prioritize and track alerts with all your development work. To track a code scanning alert in an issue, add the URL for the alert as a task list item in the issue. For more information about task lists, see "[AUTOTITLE](/get-started/writing-on-github/working-with-advanced-formatting/about-task-lists)."
diff --git a/data/reusables/code-scanning/run-additional-queries.md b/data/reusables/code-scanning/run-additional-queries.md
index 86fd747704..434762021a 100644
--- a/data/reusables/code-scanning/run-additional-queries.md
+++ b/data/reusables/code-scanning/run-additional-queries.md
@@ -9,7 +9,7 @@ You can also specify the queries you want to exclude from analysis, or include i
 {% endif %}
 {% ifversion codeql-packs %}
-You can run extra queries if they are part of a {% data variables.product.prodname_codeql %} pack (beta) published to the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %} or a {% data variables.product.prodname_ql %} pack stored in a repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)."
+You can run extra queries if they are part of a {% data variables.product.prodname_codeql %} pack (beta) published to the {% data variables.product.company_short %} {% data variables.product.prodname_container_registry %} or a {% data variables.product.prodname_ql %} pack stored in a repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries)."
 The options available to specify the additional queries you want to run are:
@@ -18,7 +18,7 @@ The options available to specify the additional queries you want to run are:
 You can use both `packs` and `queries` in the same workflow.
 {% else %}
-Any additional queries you want to run must belong to a {% data variables.product.prodname_ql %} pack in a repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)."
+Any additional queries you want to run must belong to a {% data variables.product.prodname_ql %} pack in a repository. For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql-queries)."
 You can specify a single _.ql_ file, a directory containing multiple _.ql_ files, a _.qls_ query suite definition file, or any combination. For more information about query suite definitions, see "[Creating {% data variables.product.prodname_codeql %} query suites](https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/)."
 {% endif %}
diff --git a/data/reusables/code-scanning/troubleshooting-multiple-configurations.md b/data/reusables/code-scanning/troubleshooting-multiple-configurations.md
index b7eb85ac08..d7e1360726 100644
--- a/data/reusables/code-scanning/troubleshooting-multiple-configurations.md
+++ b/data/reusables/code-scanning/troubleshooting-multiple-configurations.md
@@ -1 +1 @@
-In some cases, your repository may use multiple {% data variables.product.prodname_code_scanning %} configurations. These configurations can generate duplicate alerts. Additionally, stale configurations that no longer run will display outdated alert statuses, and the stale alerts will stay open indefinitely. To avoid outdated alerts, you should remove stale {% data variables.product.prodname_code_scanning %} configurations from a branch. For more information on multiple configurations and deleting stale configurations, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-alerts#about-alerts-from-multiple-configurations)" and "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
+In some cases, your repository may use multiple {% data variables.product.prodname_code_scanning %} configurations. These configurations can generate duplicate alerts. Additionally, stale configurations that no longer run will display outdated alert statuses, and the stale alerts will stay open indefinitely. To avoid outdated alerts, you should remove stale {% data variables.product.prodname_code_scanning %} configurations from a branch. For more information on multiple configurations and deleting stale configurations, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-alerts-from-multiple-configurations)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch)."
diff --git a/data/reusables/supported-languages/products-table-header.md b/data/reusables/supported-languages/products-table-header.md
index 81a3b1012d..da6b84e18e 100644
--- a/data/reusables/supported-languages/products-table-header.md
+++ b/data/reusables/supported-languages/products-table-header.md
@@ -1,4 +1,4 @@
-{% ifversion fpt or ghec %}| [GitHub Copilot](/copilot/overview-of-github-copilot/about-github-copilot-for-individuals#about-github-copilot) | [Code navigation](/repositories/working-with-files/using-files/navigating-code-on-github) | [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) | [Dependency graph, {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems) | [{% data variables.product.prodname_dependabot_version_updates %}, {% data variables.product.prodname_dependabot_security_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems) | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
-| :-- | :-: | :-: | :-: | :-: | :-: | :-: | :-: |{% elsif ghes %}| [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) | [Dependency graph, {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems) {% ifversion ghes %}| [{% data variables.product.prodname_dependabot_version_updates %}, {% data variables.product.prodname_dependabot_security_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems){% endif %} | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
-| :-- | :-: | :-: {% ifversion ghes %}| :-: {% endif %}| :-: | :-: |{% elsif ghae %}| [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
+{% ifversion fpt or ghec %}| [GitHub Copilot](/copilot/overview-of-github-copilot/about-github-copilot-for-individuals#about-github-copilot) | [Code navigation](/repositories/working-with-files/using-files/navigating-code-on-github) | [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) | [Dependency graph, {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems) | [{% data variables.product.prodname_dependabot_version_updates %}, {% data variables.product.prodname_dependabot_security_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems) | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
+| :-- | :-: | :-: | :-: | :-: | :-: | :-: | :-: |{% elsif ghes %}| [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) | [Dependency graph, {% data variables.product.prodname_dependabot_alerts %}](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems) {% ifversion ghes %}| [{% data variables.product.prodname_dependabot_version_updates %}, {% data variables.product.prodname_dependabot_security_updates %}](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#supported-repositories-and-ecosystems){% endif %} | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
+| :-- | :-: | :-: {% ifversion ghes %}| :-: {% endif %}| :-: | :-: |{% elsif ghae %}| [{% data variables.product.prodname_code_scanning_caps %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning) | [{% data variables.product.prodname_actions %}](/actions/automating-builds-and-tests/about-continuous-integration#supported-languages) | [{% data variables.product.prodname_registry %}](/packages/learn-github-packages/introduction-to-github-packages#supported-clients-and-formats) |
 | :-- | :-: | :-: | :-: |{% endif %}
diff --git a/src/redirects/lib/static/redirect-exceptions.txt b/src/redirects/lib/static/redirect-exceptions.txt
index b6b7d7e67f..9b4c05dd10 100644
--- a/src/redirects/lib/static/redirect-exceptions.txt
+++ b/src/redirects/lib/static/redirect-exceptions.txt
@@ -26,16 +26,16 @@
 - /github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account
 # As seen in PR 38572 we want specific versions to redirect to different articles
-/enterprise-server@3.8/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
+/enterprise-server@3.8/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning
 - /enterprise-server@3.8/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
-/enterprise-server@3.7/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
+/enterprise-server@3.7/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning
 - /enterprise-server@3.7/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
-/enterprise-server@3.6/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
+/enterprise-server@3.6/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning
 - /enterprise-server@3.6/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
-/github-ae@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
+/github-ae@latest/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning
 - /github-ae@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
 /billing/managing-your-github-billing-settings/redeeming-a-coupon