104 lines
5.9 KiB
Markdown
---
title: About CodeQL code scanning in your CI system
shortTitle: Code scanning in your CI
intro: 'You can analyze your code with {% data variables.product.prodname_codeql %} in a third-party continuous integration system and upload the results to {% data variables.product.product_location %}. The resulting {% data variables.product.prodname_code_scanning %} alerts are shown alongside any alerts generated within {% data variables.product.product_name %}.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
  fpt: '*'
  ghes: '>=3.0'
  ghae: '*'
  ghec: '*'
topics:
  - Advanced Security
  - Code scanning
  - CodeQL
  - Repositories
  - Pull requests
  - Integration
  - CI
  - SARIF
redirect_from:
  - /code-security/secure-coding/about-codeql-code-scanning-in-your-ci-system
  - /code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/about-codeql-code-scanning-in-your-ci-system
---

<!--UI-LINK: When GitHub Enterprise Server 3.1+ doesn't have GitHub Actions set up, the Security > Code scanning alerts view links to this article.-->

{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}

## About {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system

{% data reusables.code-scanning.about-code-scanning %} For information, see "[About {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}](/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)."

{% data reusables.code-scanning.codeql-context-for-actions-and-third-party-tools %}

{% ifversion fpt or ghes > 3.1 or ghae-next or ghec %}
<!--Content for GitHub.com, GHAE next, and GHES 3.2 and onward. CodeQL CLI is the preferred method, and CodeQL runner is deprecated. -->

{% data reusables.code-scanning.codeql-cli-context-for-third-party-tools %}

{% data reusables.code-scanning.upload-sarif-ghas %}

## About the {% data variables.product.prodname_codeql_cli %}

{% data reusables.code-scanning.what-is-codeql-cli %}

Use the {% data variables.product.prodname_codeql_cli %} to analyze:

- Dynamic languages, for example, JavaScript and Python.
- Compiled languages, for example, C/C++, C# and Java.
- Codebases written in a mixture of languages.

For more information, see "[Installing {% data variables.product.prodname_codeql_cli %} in your CI system](/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)."
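
The create, analyze and upload sequence this section describes, as an added shell example that is not part of the GitHub docs or the CodeQL CLI itself. It assumes the CodeQL CLI is on `PATH` (or named by `$CODEQL`) and that a token with the `security_events` scope is in `GITHUB_TOKEN`; the function name `codeql_ci_scan`, the database and SARIF file names, the `RUN_CODEQL_SCAN` guard and the `octo-org/octo-app` repository in the comments are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example, not from the GitHub docs: the three CodeQL CLI steps a CI job
# runs to build a database, analyze it, and upload SARIF results to GitHub.
# Assumes the CodeQL CLI is on PATH (or named by $CODEQL) and that a token with
# the security_events scope is supplied in $GITHUB_TOKEN.
set -eu

CODEQL="${CODEQL:-codeql}"   # point this at an unpacked CLI bundle if needed

# codeql_ci_scan <language> <owner/repo> <ref> <commit-sha> [build-command]
# <language> is e.g. javascript, python, cpp, csharp or java. A build command
# is only needed for compiled languages; dynamic languages need none.
codeql_ci_scan() {
  lang="$1"; repo="$2"; ref="$3"; sha="$4"; build="${5:-}"
  db="codeql-db-$lang"          # assumed naming, one database per language
  sarif="results-$lang.sarif"   # assumed naming, one SARIF file per language

  # Step 1: extract the source tree into a CodeQL database.
  if [ -n "$build" ]; then
    "$CODEQL" database create "$db" --language="$lang" --source-root=. \
      --command="$build"
  else
    "$CODEQL" database create "$db" --language="$lang" --source-root=.
  fi

  # Step 2: run the default code-scanning query suite for the language.
  # --sarif-category keeps uploads for different languages of one commit
  # distinct, so a mixed-language codebase does not overwrite its own results.
  "$CODEQL" database analyze "$db" "$lang-code-scanning.qls" \
    --sarif-category="$lang" --format=sarif-latest --output="$sarif"

  # Step 3: upload. --github-url is needed for GHES/GHAE; it defaults to
  # https://github.com/. The token goes in on stdin rather than as an
  # argument so it does not show up in CI process listings or logs.
  printf '%s\n' "${GITHUB_TOKEN:?set GITHUB_TOKEN}" |
    "$CODEQL" github upload-results --repository="$repo" --ref="$ref" \
      --commit="$sha" --sarif="$sarif" \
      --github-url="${GITHUB_SERVER_URL:-https://github.com/}" \
      --github-auth-stdin
}

# Set RUN_CODEQL_SCAN=1 to use this file as a CI step, for example:
#   RUN_CODEQL_SCAN=1 ./codeql-ci.sh javascript octo-org/octo-app refs/heads/main "$SHA"
if [ "${RUN_CODEQL_SCAN:-0}" = 1 ]; then
  codeql_ci_scan "$@"
fi
```

For a codebase in several languages, call the function once per language with the same commit; the distinct `--sarif-category` values let all of the uploads coexist as separate analyses of that commit.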

{% data reusables.code-scanning.licensing-note %}

{% ifversion ghes = 3.2 %}
<!-- Content for GHES 3.2 only. CodeQL CLI 2.6.2, which introduces full feature parity between CodeQL CLI and CodeQL runner, is officially recommended for GHES 3.3+, so some people may need to use the CodeQL runner -->

{% data reusables.code-scanning.use-codeql-runner-not-cli %}

{% data reusables.code-scanning.deprecation-codeql-runner %}

{% endif %}

{% endif %}

<!--Content for GHES 3.1 only. Both CodeQL CLI and CodeQL runner are available -->
{% ifversion ghes = 3.1 %}
You add the {% data variables.product.prodname_codeql_cli %} or the {% data variables.product.prodname_codeql_runner %} to your third-party system, then call the tool to analyze code and upload the SARIF results to {% data variables.product.product_name %}. The resulting {% data variables.product.prodname_code_scanning %} alerts are shown alongside any alerts generated within {% data variables.product.product_name %}.

{% data reusables.code-scanning.upload-sarif-ghas %}

## Comparing {% data variables.product.prodname_codeql_cli %} and {% data variables.product.prodname_codeql_runner %}

{% data reusables.code-scanning.what-is-codeql-cli %}

The {% data variables.product.prodname_codeql_runner %} is a command-line tool that uses the {% data variables.product.prodname_codeql_cli %} to analyze code and upload the results to {% data variables.product.product_name %}. The tool mimics the analysis run natively within {% data variables.product.product_name %} using actions. The runner is able to integrate with more complex build environments than the CLI, but this ability makes it more difficult and error-prone to set up. It is also more difficult to debug any problems. Generally, it is better to use the {% data variables.product.prodname_codeql_cli %} directly unless it doesn't support your use case.

Use the {% data variables.product.prodname_codeql_cli %} to analyze:

- Dynamic languages, for example, JavaScript and Python.
- Codebases with a compiled language that can be built with a single command or by running a single script.

For more information, see "[Installing {% data variables.product.prodname_codeql_cli %} in your CI system](/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system)."

{% data reusables.code-scanning.use-codeql-runner-not-cli %}

{% data reusables.code-scanning.deprecation-codeql-runner %}

For more information, see "[Running {% data variables.product.prodname_codeql_runner %} in your CI system](/code-security/secure-coding/running-codeql-runner-in-your-ci-system)."

{% endif %}

<!--Content for GHES 3.0 only. Only CodeQL runner is available -->
{% ifversion ghes = 3.0 %}
{% data reusables.code-scanning.upload-sarif-ghas %}

You add the {% data variables.product.prodname_codeql_runner %} to your third-party system, then call the tool to analyze code and upload the SARIF results to {% data variables.product.product_name %}. The resulting {% data variables.product.prodname_code_scanning %} alerts are shown alongside any alerts generated within {% data variables.product.product_name %}.

{% data reusables.code-scanning.deprecation-codeql-runner %}

To set up code scanning in your CI system, see "[Running {% data variables.product.prodname_codeql_runner %} in your CI system](/code-security/secure-coding/running-codeql-runner-in-your-ci-system)."
{% endif %}