---
title: About code scanning
shortTitle: Introduction
intro: 'You can use {% data variables.product.prodname_code_scanning %} to find security vulnerabilities and errors in the code for your project on {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
  - /github/managing-security-vulnerabilities/about-automated-code-scanning
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
  - /code-security/secure-coding/about-code-scanning
  - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
  - /code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
contentType: concepts
category:
  - Find and fix code vulnerabilities
---

{% data reusables.code-scanning.enterprise-enable-code-scanning %}

{% data reusables.code-scanning.about-code-scanning %}

You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_caps %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see AUTOTITLE.

{% ifversion code-scanning-autofix %}

{% data variables.copilot.copilot_autofix %} will suggest fixes for alerts from {% data variables.product.prodname_code_scanning %} analysis, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see AUTOTITLE.

{% endif %}

To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see AUTOTITLE. For information about API endpoints, see AUTOTITLE.
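Receiving those webhooks safely, as an added example that is not part of this article or of {% data variables.product.company_short %}'s own code: a small Python receiver that verifies the `X-Hub-Signature-256` header on a `code_scanning_alert` delivery before parsing it, then routes alerts whose security severity is high or critical. The shared secret, repository name and alert values are constructed for the example; the payload shape follows the `code_scanning_alert` event.

```python
import hashlib
import hmac
import json

# Constructed example values: a shared webhook secret and a trimmed
# code_scanning_alert payload (field names follow the webhook event,
# the values are made up for this example).
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_PAYLOAD = json.dumps({
    "action": "created",
    "alert": {
        "number": 42,
        "state": "open",
        "html_url": "https://github.com/example-org/example-repo/security/code-scanning/42",
        "rule": {"id": "py/sql-injection", "severity": "error",
                 "security_severity_level": "high"},
    },
    "repository": {"full_name": "example-org/example-repo"},
}).encode()

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def sign(body: bytes, secret: bytes) -> str:
    """Compute the X-Hub-Signature-256 value GitHub sends for a raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header: str, secret: bytes) -> bool:
    """Constant-time comparison of the header against our own HMAC of the body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), header)


def triage(body: bytes, header: str, secret: bytes, min_level: str = "high"):
    """Reject unsigned deliveries, then return a routing record for new or
    reopened alerts at or above min_level; None means nothing to route."""
    if not verify_signature(body, header, secret):
        raise PermissionError("webhook signature mismatch")
    event = json.loads(body)
    if event.get("action") not in ("created", "reopened"):
        return None
    rule = event["alert"]["rule"]
    level = rule.get("security_severity_level")
    if level not in SEVERITY_ORDER or SEVERITY_ORDER.index(level) < SEVERITY_ORDER.index(min_level):
        return None
    return {"repo": event["repository"]["full_name"], "alert": event["alert"]["number"],
            "rule": rule["id"], "level": level, "url": event["alert"]["html_url"]}
```

Deliveries that fail verification are refused before any JSON is parsed, so a forged or replayed-with-changes request cannot inject alerts into your triage queue.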

{% ifversion fpt or ghec %}

{% data variables.product.prodname_code_scanning_caps %} uses {% data variables.product.prodname_actions %}, with each workflow run consuming {% data variables.product.prodname_actions %} minutes. If you want to use {% data variables.product.prodname_code_scanning %} on private repositories, you need a {% data variables.product.prodname_GH_code_security %} license. For more information, see AUTOTITLE. {% data reusables.advanced-security.ghas-trial %}

If you want to assess your organization's exposure to vulnerabilities before purchasing a license, you can run a free {% data variables.product.prodname_code_security_risk_assessment %}. See AUTOTITLE.

{% endif %}

To get started with {% data variables.product.prodname_code_scanning %}, see AUTOTITLE.

## About tools for {% data variables.product.prodname_code_scanning %}

You can configure {% data variables.product.prodname_code_scanning %} to use the {% data variables.product.prodname_codeql %} product maintained by {% data variables.product.company_short %} or a third-party {% data variables.product.prodname_code_scanning %} tool.

### About {% data variables.product.prodname_codeql %} analysis

{% data reusables.code-scanning.about-codeql-analysis %} For more information about {% data variables.product.prodname_codeql %}, see AUTOTITLE.

### About third-party {% data variables.product.prodname_code_scanning %} tools

{% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %}

You can run third-party analysis tools within {% data variables.product.github %} using actions or within an external CI system. For more information, see AUTOTITLE or AUTOTITLE.

## About the {% data variables.code-scanning.tool_status_page %}

The {% data variables.code-scanning.tool_status_page %} shows useful information about all of your code scanning tools. If code scanning is not working as you'd expect, the {% data variables.code-scanning.tool_status_page %} is a good starting point for debugging problems. For more information, see AUTOTITLE.