| title | shortTitle | intro | allowTitleToDifferFromFilename | product | redirect_from | versions | type | topics |
|---|---|---|---|---|---|---|---|---|
| {% ifversion ghes %}Configuring code scanning for your appliance{% elsif default-setup-self-hosted-runners-GHEC %}Configuring self-hosted runners for code scanning in your enterprise{% endif %} | Configuring code scanning | You can enable, configure, and disable {% data variables.product.prodname_code_scanning %} for your enterprise{% ifversion default-setup-self-hosted-runners-GHEC %} without {% data variables.product.prodname_dotcom %}-hosted runners{% endif %}. {% data variables.product.prodname_code_scanning_caps %} allows users to scan code for vulnerabilities and errors. | true | {% data reusables.gated-features.code-scanning %} | | | how_to | |
{% ifversion ghes %}
About {% data variables.product.prodname_code_scanning %}
{% data reusables.code-scanning.about-code-scanning %}
You can configure {% data variables.product.prodname_code_scanning %} to run {% data variables.product.prodname_codeql %} analysis and third-party analysis. {% data variables.product.prodname_code_scanning_caps %} also supports running analysis natively using {% data variables.product.prodname_actions %} or externally using existing CI/CD infrastructure. The bullets below summarize the options available to users when you configure {% data variables.location.product_location_enterprise %} to allow {% data variables.product.prodname_code_scanning %} using actions.
{% data reusables.code-scanning.enabling-options %}
Checking whether your license includes {% data variables.product.prodname_AS %}
{% data reusables.advanced-security.check-for-ghas-license %}
Prerequisites for {% data variables.product.prodname_code_scanning %}
- A license for {% ifversion ghas-products %}{% data variables.product.prodname_GH_code_security %} or {% endif %}{% data variables.product.prodname_GHAS %} (see AUTOTITLE)
- {% data variables.product.prodname_code_scanning_caps %} enabled in the management console (see AUTOTITLE)
- A VM or container for {% data variables.product.prodname_code_scanning %} analysis to run in.
Running {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_actions %}
Provisioning a self-hosted runner
{% elsif default-setup-self-hosted-runners-GHEC %}
Provisioning a self-hosted runner
Note
- If your enterprise uses {% data variables.product.prodname_dotcom %}-hosted runners with {% data variables.product.prodname_actions %}, proceed directly to configuring {% data variables.product.prodname_code_scanning %} through {% data variables.product.prodname_dotcom_the_website %}. See AUTOTITLE and AUTOTITLE.
- With the exception of Swift analysis, default setup can now run on {% data variables.actions.hosted_runners %}. See AUTOTITLE and AUTOTITLE.
{% endif %}
{% data variables.product.github %} can run {% data variables.product.prodname_code_scanning %} using a {% data variables.product.prodname_actions %} workflow. First, you need to provision one or more self-hosted {% data variables.product.prodname_actions %} runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. See AUTOTITLE and AUTOTITLE.
{% ifversion default-setup-self-hosted-runners-GHEC %} If you are provisioning a self-hosted runner for {% data variables.product.prodname_codeql %} analysis, your runner must use a {% data variables.product.prodname_codeql %}-supported operating system version and CPU architecture. See the {% data variables.product.prodname_codeql %} system requirements.
If you are using default setup for {% data variables.product.prodname_code_scanning %}, you can assign self-hosted runners {% ifversion code-scanning-default-setup-customize-labels %}with the default code-scanning label, or you can optionally give them custom labels so that individual repositories can use different runners.{% else %}with the code-scanning label.{% endif %} See AUTOTITLE.
For information about using default setup for code scanning analysis of compiled languages, see AUTOTITLE.
{% endif %}
You must ensure that Git is in the PATH variable on any self-hosted runners you use to run {% data variables.product.prodname_codeql %} actions.
{% ifversion default-setup-self-hosted-runners-GHEC or ghes %}
Note
If you use {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.
{% endif %}
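The two runner prerequisites above (Git in the PATH, and Python 3 when Python code is analyzed) can be checked before a runner is registered. The following preflight check is an added example, not part of the product or its documentation; the function names `resolve_tool` and `missing_prereqs` are hypothetical, and it assumes Python 3 is installed under the name `python3`.

```shell
#!/bin/sh
# Added example: preflight check for a self-hosted runner host.
# Assumption: Python 3 is looked up by the name "python3". The PATH string is
# passed in, so you can test the PATH the runner service actually receives
# rather than the PATH of your interactive shell.

# resolve_tool NAME PATHSTRING
# Prints the first executable NAME found in an absolute PATHSTRING entry.
# Empty and relative entries (such as ".") are skipped: on a CI host they
# would let a checked-out repository supply the binary.
resolve_tool() {
    rt_name=$1
    rt_old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting the PATH string
    for rt_dir in $2; do
        case $rt_dir in
            /*) ;;
            *) continue ;;
        esac
        if [ -f "$rt_dir/$rt_name" ] && [ -x "$rt_dir/$rt_name" ]; then
            printf '%s\n' "$rt_dir/$rt_name"
            set +f; IFS=$rt_old_ifs
            return 0
        fi
    done
    set +f; IFS=$rt_old_ifs
    return 1
}

# missing_prereqs PATHSTRING [python]
# Prints the missing tools (space separated); returns 0 when none are missing.
# Pass "python" as the second argument for runners that analyze Python code.
missing_prereqs() {
    mp_missing=""
    resolve_tool git "$1" >/dev/null || mp_missing="git"
    if [ "${2:-}" = "python" ]; then
        resolve_tool python3 "$1" >/dev/null ||
            mp_missing="${mp_missing:+$mp_missing }python3"
    fi
    printf '%s\n' "$mp_missing"
    [ -z "$mp_missing" ]
}
```

Call it as `missing_prereqs "$PATH" python` from the account and environment the runner service uses; a non-zero exit status means the printed tools still need to be installed or added to that PATH.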
{% ifversion ghes %}
Provisioning a runner scale set
You can use {% data variables.product.prodname_actions_runner_controller %} to create a dedicated runner scale set for your {% data variables.product.prodname_ghe_server %} instance. See AUTOTITLE.
Provisioning the actions for {% data variables.product.prodname_code_scanning %}
If you want to use actions to run {% data variables.product.prodname_code_scanning %} on {% data variables.product.prodname_ghe_server %}, the actions must be available on your appliance.
The {% data variables.product.prodname_codeql %} action is included in your installation of {% data variables.product.prodname_ghe_server %}. If both {% data variables.product.prodname_ghe_server %} {{ allVersions[currentVersion].currentRelease }} and your {% data variables.product.prodname_actions %} runner have access to the internet, the action will automatically download the {% data variables.product.prodname_codeql %} {% data variables.product.codeql_cli_ghes_recommended_version %} bundle required to perform analysis. Alternatively, you can use a synchronization tool to make the latest released version of the {% data variables.product.prodname_codeql %} analysis bundle available locally. See Configuring {% data variables.product.prodname_codeql %} analysis on a server without internet access below.
You can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. See AUTOTITLE below.
Configuring {% data variables.product.prodname_codeql %} analysis on a server without internet access
If the server on which you are running {% data variables.product.prodname_ghe_server %} is not connected to the internet, and you want to allow users to enable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for their repositories, you must use the {% data variables.product.prodname_codeql %} action sync tool to copy the {% data variables.product.prodname_codeql %} analysis bundle from {% data variables.product.prodname_dotcom_the_website %} to your server. The tool, and details of how to use it, are available at https://github.com/github/codeql-action-sync-tool.
If you configure the {% data variables.product.prodname_codeql %} action sync tool, you can use it to sync the latest releases of the {% data variables.product.prodname_codeql %} action and associated {% data variables.product.prodname_codeql %} analysis bundle. These are compatible with {% data variables.product.prodname_ghe_server %}.
Configuring {% data variables.product.prodname_github_connect %} to sync {% data variables.product.prodname_actions %}
- If you want to download action workflows on demand from {% data variables.product.prodname_dotcom_the_website %}, you need to enable {% data variables.product.prodname_github_connect %}. See AUTOTITLE.
- You'll also need to enable {% data variables.product.prodname_actions %}. See AUTOTITLE.
- The next step is to configure access to actions on {% data variables.product.prodname_dotcom_the_website %} using {% data variables.product.prodname_github_connect %}. See AUTOTITLE.
- Add a self-hosted runner to your repository, organization, or enterprise account. See AUTOTITLE.
Running code scanning using the {% data variables.product.prodname_codeql_cli %}
If you don't want to use {% data variables.product.prodname_actions %}, you should run {% data variables.product.prodname_code_scanning %} using the {% data variables.product.prodname_codeql_cli %}.
The {% data variables.product.prodname_codeql_cli %} is a command-line tool that you use to analyze codebases on any machine, including a third-party CI/CD system. See AUTOTITLE. {% endif %}