---
title: Assessing code scanning alerts for your repository
shortTitle: Assess alerts
intro: 'From the security view, you can explore and evaluate alerts for potential vulnerabilities or errors in your project''s code.'
permissions: '{% data reusables.permissions.code-scanning-all-alerts %}'
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
type: how_to
topics:
  - Code Security
  - Code scanning
  - Alerts
  - Repositories
---

Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests).

## Viewing the alerts for a repository

You need write permission to view a summary of all the alerts for a repository on the **Security** tab.

By default, the {% data variables.product.prodname_code_scanning %} alerts page is filtered to show alerts for the default branch of the repository only.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
1. Optionally, use the free text search box or the dropdown menus to filter alerts. For example, you can filter by the tool that was used to identify alerts.

   

{% data reusables.code-scanning.explore-alert %}
{% data reusables.code-scanning.alert-default-branch %}
1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used.

   

1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
{% data reusables.security.alert-assignee-step %}

For more information, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts).

> [!NOTE]
> You can see information about when {% data variables.product.prodname_code_scanning %} analysis last ran on the tool status page. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page).

{% ifversion copilot-chat-ghas-alerts %}

## Asking {% data variables.copilot.copilot_chat %} about {% data variables.product.prodname_code_scanning %} alerts

With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} for help to better understand security alerts, including {% data variables.product.prodname_code_scanning %} alerts, in repositories in your organization. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).

{% endif %}

{% ifversion security-overview-org-codeql-pr-alerts %}

## Viewing metrics for {% data variables.product.prodname_codeql %} pull request alerts for an organization

For {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis, you can use security overview to see how {% data variables.product.prodname_codeql %} is performing in pull requests in repositories where you have write access across your organization, and to identify repositories where you may need to take action. For more information, see [AUTOTITLE](/code-security/security-overview/viewing-metrics-for-pull-request-alerts).

{% endif %}

## Filtering {% data variables.product.prodname_code_scanning %} alerts

You can filter the alerts shown in the {% data variables.product.prodname_code_scanning %} alerts view. This is useful when there are many alerts, because you can focus on a particular type of alert. There are some predefined filters and a range of keywords that you can use to refine the list of alerts displayed.

When you select a keyword from a drop-down list, or as you enter a keyword in the search field, only values with results are shown. This makes it easier to avoid setting filters that find no results.



If you enter multiple filters, the view will show alerts matching _all_ these filters. For example, `is:closed severity:high branch:main` will only display closed high-severity alerts that are present on the `main` branch. The exception is filters relating to refs (`ref`, `branch` and `pr`): `is:open branch:main branch:next` will show you open alerts from both the `main` branch and the `next` branch.

{% data reusables.code-scanning.filter-non-default-branches %}

You can prefix the `tag` filter with `-` to exclude results with that tag. For example, `-tag:style` only shows alerts that do not have the `style` tag.

### Restricting results to application code only

You can use the "Only alerts in application code" filter or the `autofilter:true` keyword and value to restrict results to alerts in application code. For more information about the types of code that are automatically labeled as not application code, see [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#about-labels-for-alerts-that-are-not-found-in-application-code).

## Searching {% data variables.product.prodname_code_scanning %} alerts

You can search the list of alerts. This is useful if there is a large number of alerts in your repository, or if you don't know the exact name of an alert, for example. {% data variables.product.github %} performs the free text search across:

* The name of the alert
* The alert details (this also includes the information hidden from view by default in the **Show more** collapsible section)

| Supported search | Syntax example | Results |
| ---- | ---- | ---- |
| Single word search | `injection` | Returns all the alerts containing the word `injection` |
| Multiple word search | `sql injection` | Returns all the alerts containing `sql` or `injection` |
| Exact match search<br>(use double quotes) | `"sql injection"` | Returns all the alerts containing the exact phrase `sql injection` |
| OR search | `sql OR injection` | Returns all the alerts containing `sql` or `injection` |
| AND search | `sql AND injection` | Returns all the alerts containing both words `sql` and `injection` |

> [!TIP]
> * The multiple word search is equivalent to an OR search.
> * The AND search will return results where the search terms are found _anywhere_, in any order in the alert name or details.
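
The filter rules in the previous section (filters are ANDed, ref filters are ORed, `-tag:` excludes, `autofilter:true` restricts to application code) and the search rules in the table above can be checked against a small model. The following Python evaluator is an added example, not GitHub's own code or a description of its search backend: it applies the documented rules to constructed alert records. The record field names, case-insensitive matching, treating any query that contains `AND` as an AND search, and the `refs/pull/<n>/merge` naming for pull request refs are assumptions of the example, not facts stated on this page.

```python
"""Illustrative evaluator for the alert filter and search rules on this page.

Added example, not GitHub's implementation. Rules taken from the page:
  * several filters are ANDed, except ref filters (ref, branch, pr), which are ORed
  * -tag:x excludes alerts carrying tag x; autofilter:true keeps application code only
  * free text matches the alert name and details (incl. the "Show more" text);
    a plain multi-word query or OR means any term, AND means every term,
    "double quotes" mean an exact phrase
Assumptions (not on the page): matching is case-insensitive, a query containing
AND anywhere is an AND search, PR refs are refs/pull/<n>/merge, field names below.
"""
import shlex

FILTER_KEYS = {"is", "severity", "tool", "tag", "ref", "branch", "pr", "autofilter"}
REF_KEYS = {"ref", "branch", "pr"}  # the only filters that are ORed with each other

# Constructed sample alerts; not output from a real scan.
ALERTS = [
    {"number": 1, "name": "SQL query built from user-controlled sources",
     "details": "Building SQL queries from user input allows SQL injection. "
                "Show more: use parameterized queries.",
     "state": "open", "severity": "high", "tool": "CodeQL",
     "tags": {"security", "external/cwe/cwe-089"},
     "refs": {"refs/heads/main", "refs/heads/next"}, "in_application_code": True},
    {"number": 2, "name": "Reflected cross-site scripting",
     "details": "Writing user input directly to a web page allows XSS.",
     "state": "closed", "severity": "high", "tool": "CodeQL", "tags": {"security"},
     "refs": {"refs/heads/main"}, "in_application_code": True},
    {"number": 3, "name": "Unused local variable",
     "details": "A variable is assigned but never read.",
     "state": "open", "severity": "note", "tool": "CodeQL", "tags": {"style"},
     "refs": {"refs/heads/next"}, "in_application_code": True},
    {"number": 4, "name": "Log injection",
     "details": "Untrusted input is written to a log entry without sanitization.",
     "state": "open", "severity": "medium", "tool": "ESLint", "tags": {"security"},
     "refs": {"refs/pull/42/merge"}, "in_application_code": False},
]


def parse_query(query):
    """Split a query into (filters, negated_tags, free-text terms, and_mode)."""
    filters, negated_tags, terms, and_mode = [], [], [], False
    for token in shlex.split(query):  # keeps "sql injection" as a single token
        if token == "AND":
            and_mode = True
            continue
        if token == "OR":
            continue  # OR is already the default between free-text terms
        key, sep, value = token.partition(":")
        if sep and key.lstrip("-") in FILTER_KEYS:
            if key.startswith("-"):
                if key != "-tag":
                    raise ValueError("the page documents '-' only for tag filters")
                negated_tags.append(value)
            else:
                filters.append((key, value))
        else:
            terms.append(token.lower())
    return filters, negated_tags, terms, and_mode


def _ref_matches(alert, key, value):
    if key == "branch":
        return f"refs/heads/{value}" in alert["refs"]
    if key == "pr":
        return f"refs/pull/{value}/merge" in alert["refs"]
    return value in alert["refs"]  # ref: the full ref name


def _filter_matches(alert, key, value):
    if key == "is":
        return alert["state"] == value
    if key == "severity":
        return alert["severity"] == value
    if key == "tool":
        return alert["tool"].lower() == value.lower()
    if key == "tag":
        return value in alert["tags"]
    if key == "autofilter":
        return value != "true" or alert["in_application_code"]
    raise ValueError(f"unsupported filter {key}")


def _text_matches(alert, terms, and_mode):
    if not terms:
        return True
    haystack = f"{alert['name']} {alert['details']}".lower()
    hits = [term in haystack for term in terms]
    return all(hits) if and_mode else any(hits)


def query_alerts(alerts, query):
    """Return the numbers of the alerts that match `query`, in list order."""
    filters, negated_tags, terms, and_mode = parse_query(query)
    ref_filters = [(k, v) for k, v in filters if k in REF_KEYS]
    other_filters = [(k, v) for k, v in filters if k not in REF_KEYS]
    matched = []
    for alert in alerts:
        if not all(_filter_matches(alert, k, v) for k, v in other_filters):
            continue  # every non-ref filter must hold
        if ref_filters and not any(_ref_matches(alert, k, v) for k, v in ref_filters):
            continue  # ref filters: the alert is present on any listed ref
        if any(tag in alert["tags"] for tag in negated_tags):
            continue
        if _text_matches(alert, terms, and_mode):
            matched.append(alert["number"])
    return matched


if __name__ == "__main__":
    for q in ["is:closed severity:high branch:main", "is:open branch:main branch:next",
              "-tag:style", "sql scripting", '"sql injection"', "log AND injection"]:
        print(f"{q!r:40} -> {query_alerts(ALERTS, q)}")
```

Running the module prints the matches for each sample query. Against the constructed alerts, `is:closed severity:high branch:main` returns only alert 2, while `is:open branch:main branch:next` returns alerts 1 and 3 because the two `branch` filters are ORed; `sql scripting` returns alerts 1 and 2 (any term), `"sql injection"` returns only alert 1 (exact phrase), and `log AND injection` returns only alert 4. Use the model to sanity-check what a saved filter should return before sharing its URL with a team.
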
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
1. To the right of the **Filters** drop-down menus, type the keywords to search for in the free text search box.

   

1. Press <kbd>return</kbd>. The alert listing will contain the open {% data variables.product.prodname_code_scanning %} alerts matching your search criteria.

## Auditing responses to {% data variables.product.prodname_code_scanning %} alerts

{% data reusables.code-scanning.audit-code-scanning-events %}

## Further reading

* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/resolving-code-scanning-alerts)
* [AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)
* [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)
* [AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/about-integration-with-code-scanning)