configuring-advanced-setup-for-code-scanning.md

File metadata and controls

135 lines (90 loc) · 11.7 KB
---
title: Configuring advanced setup for code scanning
shortTitle: Configure advanced setup
intro: 'You can configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable {% data variables.product.prodname_code_scanning %} configuration.'
permissions: '{% data reusables.permissions.security-repo-enable %}'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-advanced-setup-for-code-scanning
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
type: how_to
topics:
  - Advanced Security
  - Code scanning
  - Actions
  - Repositories
allowTitleToDifferFromFilename: true
---

{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}

## About advanced setup for {% data variables.product.prodname_code_scanning %}

Advanced setup for {% data variables.product.prodname_code_scanning %} is helpful when you need to customize your {% data variables.product.prodname_code_scanning %}. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. For more information about {% data variables.product.prodname_actions %} workflows, see "AUTOTITLE."

{% ifversion fpt or ghec %} You can also configure {% data variables.product.prodname_code_scanning %} with third-party tools. For more information, see "Configuring {% data variables.product.prodname_code_scanning %} using third-party actions."

{% else %} Your site administrator can also make third-party actions available to users for {% data variables.product.prodname_code_scanning %}, by setting up {% data variables.product.prodname_github_connect %}. For more information, see "AUTOTITLE." {% endif %}

{% data reusables.code-scanning.about-multiple-configurations-link %} {% data reusables.code-scanning.codeql-action-version-ghes %}

If you do not need a highly customizable {% data variables.product.prodname_code_scanning %} configuration, consider using default setup for {% data variables.product.prodname_code_scanning %}. For more information on eligibility for default setup, see "AUTOTITLE."

## Prerequisites

Your repository is eligible for advanced setup if it meets these requirements.

  • It uses {% data variables.product.prodname_codeql %}-supported languages or you plan to generate code scanning results with a third-party tool.
  • {% data variables.product.prodname_actions %} are enabled.{% ifversion fpt %}
  • It is publicly visible.{%- elsif ghec %}
  • It is publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes %}
  • {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}

{% ifversion ghes %} If the server on which you are running {% data variables.product.prodname_ghe_server %} is not connected to the internet, your site administrator can enable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} by making the {% data variables.product.prodname_codeql %} analysis bundle available on the server. For more information, see "AUTOTITLE." {% endif %}

## Configuring advanced setup for {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}

You can customize your {% data variables.product.prodname_codeql %} analysis by creating and editing a workflow file. Selecting advanced setup generates a basic workflow file for you to customize using standard workflow syntax and specifying options for the {% data variables.product.prodname_codeql %} action. See "AUTOTITLE" and "AUTOTITLE."

{% data reusables.code-scanning.billing %}

{% ifversion fpt %}

> [!NOTE]
> You can configure {% data variables.product.prodname_code_scanning %} for any public repository where you have write access.

{% endif %}

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.user-settings.security-analysis %}

  1. Scroll down to the "{% data variables.product.prodname_code_scanning_caps %}" section, select Set up {% octicon "triangle-down" aria-hidden="true" %}, then click Advanced.

    > [!NOTE]
    > If you are switching from default setup to advanced setup, in the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "workflow" aria-hidden="true" %} Switch to advanced. In the pop-up window that appears, click Disable {% data variables.product.prodname_codeql %}.

    Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "Code security" settings. The "Advanced setup" button is highlighted with an orange outline.

  2. To customize how {% data variables.product.prodname_code_scanning %} scans your code, edit the workflow.

    Generally, you can commit the {% data variables.code-scanning.codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing.

    For more information, see "AUTOTITLE" and "AUTOTITLE."

  3. Click Commit changes... to display the commit changes form.

    Screenshot of the form to create a new file. To the right of the file name, a green button, labeled "Commit changes...", is outlined in dark orange.

  4. In the commit message field, type a commit message.

  5. Choose whether you'd like to commit directly to the default branch, or create a new branch and start a pull request.

  6. Click Commit new file to commit the workflow file to the default branch or click Propose new file to commit the file to a new branch.

  7. If you created a new branch, click Create pull request and open a pull request to merge your change into the default branch.

In the suggested {% data variables.code-scanning.codeql_workflow %}, {% data variables.product.prodname_code_scanning %} is configured to analyze your code each time you push a change to the default branch or to any protected branch, or raise a pull request against the default branch. As soon as the workflow is committed, {% data variables.product.prodname_code_scanning %} starts running.

The `on:pull_request` and `on:push` triggers for code scanning are each useful for different purposes. See "AUTOTITLE" and "AUTOTITLE."

For information on bulk enablement, see "AUTOTITLE."

{% ifversion fpt or ghec %}

## Configuring {% data variables.product.prodname_code_scanning %} using third-party actions

{% data variables.product.product_name %} includes workflow templates for third-party actions, as well as the {% data variables.product.prodname_codeql %} action. Using a workflow template is much easier than writing a workflow unaided.

{% data reusables.code-scanning.billing %}

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.actions-tab %}

  1. If the repository already has at least one workflow configured and running, click New workflow to display workflow templates. If there are currently no workflows configured for the repository, go to the next step.

    Screenshot of the Actions tab for a repository. The "New workflow" button is outlined in dark orange.

  2. In the "Choose a workflow" or "Get started with {% data variables.product.prodname_actions %}" view, scroll down to the "Security" category and click Configure under the workflow you want to configure. You may need to click View all to find the security workflow you want to configure.

    Screenshot of the Security category of workflow templates. The Configure button and "View all" link are highlighted with an orange outline.

  3. Follow any instructions in the workflow to customize it to your needs. For more general assistance about workflows, click Documentation on the right pane of the workflow page.

    Screenshot showing a workflow template file open for editing. The "Documentation" button is highlighted with an orange outline.

    For more information, see "AUTOTITLE" and "AUTOTITLE."

{% endif %}

## Next steps

After your workflow runs successfully at least once, you are ready to start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "AUTOTITLE" and "AUTOTITLE."

To learn how {% data variables.product.prodname_code_scanning %} runs behave as checks on pull requests, see "AUTOTITLE."

You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "AUTOTITLE."

## Further reading