GitHub now lets developers scan their code through a “default setup” for repositories, which should help them spot security issues before they escalate.
GitHub’s code scanning is powered by its CodeQL engine, and while CodeQL supports a wide range of compiled languages, the default setup is so far available only for Python, JavaScript, and Ruby. That should change soon, said GitHub’s Walker Chabbott, as the company plans to expand support to additional languages by summer.
Automatically scanning your code for vulnerabilities and errors
You can find vulnerabilities and errors in your project’s code on GitHub, as well as view, triage, understand, and resolve the related code scanning alerts.
Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see “About GitHub Advanced Security.”
- About code scanning: You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.
- About code scanning alerts: Learn about the different types of code scanning alerts and the information that helps you understand the problem each alert highlights.
- Triaging code scanning alerts in pull requests: When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.
- Setting up code scanning for a repository: You can set up code scanning for a repository to find security vulnerabilities in your code.
- Managing code scanning alerts for your repository: From the security view, you can view, fix, or dismiss alerts for potential vulnerabilities or errors in your project’s code.
- Tracking code scanning alerts in issues using task lists: You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.
- Configuring code scanning: You can configure how GitHub scans the code in your project for vulnerabilities and errors.
- About code scanning with CodeQL: You can use CodeQL to identify vulnerabilities and errors in your code. The results are shown as code scanning alerts in GitHub.
- Recommended hardware resources for running CodeQL: Recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis on self-hosted machines, based on the size of your codebase.
- Configuring the CodeQL workflow for compiled languages: You can configure how GitHub uses the CodeQL analysis workflow to scan code written in compiled languages for vulnerabilities and errors.
- Troubleshooting your default setup for CodeQL: If you’re having problems with the default code scanning setup, you can troubleshoot by using these tips for resolving issues.
- Troubleshooting your advanced setup for CodeQL: If you’re having problems with advanced setup for code scanning, you can troubleshoot by using these tips for resolving issues.
- Running CodeQL code scanning in a container: You can run code scanning in a container by ensuring that all processes run in the same container.
- Viewing code scanning logs: You can view the output generated during code scanning analysis on GitHub.com.