Co-authored-by: Sarah Schneider <sarahs@github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com>
59 lines
4.6 KiB
Markdown
---
title: About code scanning
intro: 'You can use {% data variables.product.prodname_code_scanning %} to find security vulnerabilities and errors in the code for your project on {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
  - /github/managing-security-vulnerabilities/about-automated-code-scanning
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
  - /code-security/secure-coding/about-code-scanning
  - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
versions:
  fpt: '*'
  ghes: '*'
  ghae: '*'
  ghec: '*'
type: overview
topics:
  - Advanced Security
  - Code scanning
---

{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}

## About {% data variables.product.prodname_code_scanning %}

{% data reusables.code-scanning.about-code-scanning %}

You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_capc %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."

To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see "[Webhook events and payloads](/developers/webhooks-and-events/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[{% data variables.product.prodname_code_scanning_capc %}](/rest/reference/code-scanning)."
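Monitoring through webhooks is easier to reason about with a concrete receiver in front of you. The following Python script is an added example, not code from this page or from {% data variables.product.prodname_dotcom %}: it verifies the `X-Hub-Signature-256` HMAC that accompanies a delivery, ignores anything that is not a `code_scanning_alert` event, and reduces the alert to the fields a monitoring pipeline keys on. The secret, the sample payload and the escalation thresholds are constructed for the example, and any payload field beyond those in the webhook documentation is an assumption.

```python
"""Verify and triage one code_scanning_alert webhook delivery (added example)."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; a real receiver uses the secret set on the webhook.
WEBHOOK_SECRET = b"constructed-example-secret"

# Actions after which the alert is still open and needs a human decision (assumed triage policy).
OPEN_ACTIONS = {"created", "reopened", "reopened_by_user", "appeared_in_branch"}
# rule.severity values that should page someone instead of only being logged (assumed triage policy).
ESCALATE_SEVERITIES = {"error"}


def sign_body(body: bytes, secret: bytes) -> str:
    """Return the X-Hub-Signature-256 value: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_header: Optional[str], secret: bytes) -> bool:
    """Recompute the HMAC over the raw body and compare in constant time."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(body, secret), signature_header)


def triage_alert(payload: dict) -> dict:
    """Reduce a code_scanning_alert payload to what a cross-repository monitor records."""
    alert = payload["alert"]
    rule = alert.get("rule", {})
    action = payload["action"]
    severity = rule.get("severity", "none")
    return {
        "repo": payload["repository"]["full_name"],
        "rule": rule.get("id"),
        "severity": severity,
        "action": action,
        "url": alert.get("html_url"),
        # Only open alerts at the configured severities escalate; "fixed" and
        # "closed_by_user" deliveries are recorded but do not page anyone.
        "escalate": action in OPEN_ACTIONS and severity in ESCALATE_SEVERITIES,
    }


def handle_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> Optional[dict]:
    """Entry point for one delivery: drop bad signatures, skip other events, triage the rest."""
    if not verify_signature(body, headers.get("X-Hub-Signature-256"), secret):
        return None  # unauthenticated delivery: discard before parsing anything
    if headers.get("X-GitHub-Event") != "code_scanning_alert":
        return None
    return triage_alert(json.loads(body))


# Constructed sample delivery shaped like the documented code_scanning_alert event.
SAMPLE_PAYLOAD = {
    "action": "created",
    "alert": {
        "number": 7,
        "state": "open",
        "html_url": "https://github.com/example-org/example-repo/security/code-scanning/7",
        "rule": {"id": "py/sql-injection", "severity": "error",
                 "description": "SQL query built from user-controlled sources"},
        "tool": {"name": "CodeQL"},
    },
    "repository": {"full_name": "example-org/example-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "code_scanning_alert",
    "X-Hub-Signature-256": sign_body(SAMPLE_BODY, WEBHOOK_SECRET),
}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY))
    # A body altered in transit no longer matches the signature and is dropped.
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY + b" "))
```

Verifying the HMAC over the raw bytes before `json.loads` matters: parsing a re-serialised body would change the bytes and break the comparison, and it would also mean spending parser time on unauthenticated input.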

To get started with {% data variables.product.prodname_code_scanning %}, see "[Configuring {% data variables.product.prodname_code_scanning %} for a repository](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository)."

{% ifversion fpt or ghec %}

## About billing for {% data variables.product.prodname_code_scanning %}

{% data variables.product.prodname_code_scanning_capc %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."

{% endif %}

## About tools for {% data variables.product.prodname_code_scanning %}

You can configure {% data variables.product.prodname_code_scanning %} to use the {% data variables.product.prodname_codeql %} product maintained by {% data variables.product.company_short %} or a third-party {% data variables.product.prodname_code_scanning %} tool.

### About {% data variables.product.prodname_codeql %} analysis

{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see "[About code scanning with CodeQL](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."

### About third-party {% data variables.product.prodname_code_scanning %} tools

{% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %}

You can run third-party analysis tools within {% data variables.product.product_name %} using actions or within an external CI system. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %} for a repository](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository)" or "[Uploading a SARIF file to {% data variables.product.prodname_dotcom %}](/code-security/secure-coding/uploading-a-sarif-file-to-github)."
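Interoperability through SARIF is concrete once you see the document a third-party tool has to produce. The Python script below is an added example, not code from this page, from {% data variables.product.prodname_dotcom %} or from any real analysis tool: it converts a constructed list of findings from a hypothetical linter into a single-run SARIF 2.1.0 log, and then checks the fields without which an uploaded result cannot be shown as an alert in a file. The tool name, the findings and the set of required fields are this example's own assumptions.

```python
"""Build a minimal SARIF 2.1.0 log from tool findings and sanity-check it (added example)."""
import json
from typing import List

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
SARIF_VERSION = "2.1.0"

# Constructed findings from a hypothetical linter; these field names are the example's own.
FINDINGS = [
    {"rule": "hardcoded-secret", "level": "error", "file": "src/config.py", "line": 12,
     "text": "Credential literal assigned to a variable"},
    {"rule": "weak-hash", "level": "warning", "file": "src/auth.py", "line": 40,
     "text": "MD5 used for password hashing"},
    {"rule": "hardcoded-secret", "level": "error", "file": "scripts/deploy.sh", "line": 3,
     "text": "Credential literal assigned to a variable"},
]


def to_sarif(tool_name: str, tool_version: str, findings: List[dict]) -> dict:
    """One SARIF run: a rule entry per distinct rule id, a result per finding."""
    rule_ids = sorted({f["rule"] for f in findings})
    rule_index = {rule_id: i for i, rule_id in enumerate(rule_ids)}
    rules = [{"id": rule_id, "shortDescription": {"text": rule_id}} for rule_id in rule_ids]
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": rule_index[f["rule"]],
            "level": f["level"],
            "message": {"text": f["text"]},
            "locations": [{
                "physicalLocation": {
                    # Paths are relative to the repository root so the alert lands on the right file.
                    "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def check_minimal(sarif: dict) -> List[str]:
    """Return the problems that would stop results from becoming usable alerts (assumed checks)."""
    problems = []
    if sarif.get("version") != SARIF_VERSION:
        problems.append("version must be 2.1.0")
    for run_no, run in enumerate(sarif.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{run_no}].tool.driver.name missing")
        for res_no, res in enumerate(run.get("results", [])):
            where = f"runs[{run_no}].results[{res_no}]"
            if not res.get("ruleId"):
                problems.append(f"{where}.ruleId missing")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}.message.text missing")
            locations = res.get("locations") or []
            if not any(loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                       for loc in locations):
                problems.append(f"{where} has no physical location; alert cannot be placed in a file")
    return problems


if __name__ == "__main__":
    log = to_sarif("example-linter", "1.0.0", FINDINGS)
    print(json.dumps(log, indent=2))
    print("problems:", check_minimal(log))
```

Running the check before uploading catches the usual integration mistake, a result with a message but no file location, on the CI side instead of as a silently empty alert list after upload.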