Skip to main content
GitHub Docs
Search or ask Copilot
Select language: current language is English
Search or ask Copilot
Open menu
Open Sidebar
  • Security and code quality/
  • How-tos
Home

Security and code quality

    • GitHub security features
    • Dependabot quickstart
    • Secure repository quickstart
    • Add a security policy
    • Audit security alerts
    • GitHub secret types
    • Plan GHAS trial
    • Trial Advanced Security
    • Enable security features in trial
    • Trial Secret Protection
    • Trial Code Security
      • Quickstart
      • Enable Code Quality
      • Interpret results
      • Set PR thresholds
      • Unblock your PR
      • Allow in enterprise
      • Metrics and ratings
      • CodeQL analysis
        • C# queries
        • Go queries
        • Java queries
        • JavaScript queries
        • Python queries
        • Ruby queries
      • Fix findings in PRs
      • Improve your codebase
      • Improve recent merges
      • Code quality
      • About organization security
      • Choose security configuration
      • Apply recommended configuration
      • Create custom configuration
      • Apply custom configuration
      • Configure global settings
      • Give access to private registries
      • Interpret security data
      • Filter repositories
      • Edit custom configuration
      • Manage paid GHAS use
      • Detach security configuration
      • Find attachment failures
      • Delete custom configuration
      • Secret protection tools
      • Assess your secret risk
      • View risk report
      • Export risk report CSV
      • Risk report CSV contents
      • Protect your secrets
      • Push protection cost savings
      • Secret protection pricing
      • Organize leak remediation
      • Prioritize Dependabot alerts using metrics
      • About security campaigns
      • Create security campaigns
      • Track security campaigns
      • Active advanced setup
      • Unexpected default setup
      • Not enough GHAS licenses
      • Secret scanning
      • Push protection
      • Secret scanning for partners
      • Supported patterns
      • Enable secret scanning
      • Enable push protection
      • Enable validity checks
      • Enable metadata checks
      • About alerts
      • View alerts
      • Evaluate alerts
      • Resolve alerts
      • Monitor alerts
      • Remediate a leaked secret
      • Push protection for users
      • Push protection on the command line
      • Push protection from the REST API
      • Push protection in the GitHub UI
      • Push protection and the GitHub MCP server
      • Exclude folders and files
        • Enable for non-provider patterns
        • Define custom patterns
        • Manage custom patterns
        • Custom pattern metrics
        • About delegated bypass
        • Enable delegated bypass
        • Manage bypass requests
      • Delegated alert dismissal
      • Generic secret detection
      • Enable generic secret detection
      • Generate regular expressions with AI
      • Regular expression generator
      • Troubleshoot secret scanning
      • Partner program
      • Configure code scanning
      • Code scanning at scale
      • Configure advanced setup
      • Customize advanced setup
      • CodeQL for compiled languages
      • CodeQL advanced setup at scale
      • Hardware resources for CodeQL
      • Code scanning in a container
      • Copilot Autofix for code scanning
      • Disable Copilot Autofix
      • Assess alerts
      • Resolve alerts
      • Best practices for campaigns
      • Fix alerts in campaign
      • Triage alerts in pull requests
      • Code scanning tool status
      • Edit default setup
      • Set merge protection
      • Enable delegated alert dismissal
      • Configure larger runners
      • View code scanning logs
      • Using code scanning with your existing CI system
      • Upload a SARIF file
      • SARIF support
      • Code Security must be enabled
      • Alerts in generated code
      • Analysis takes too long
      • Automatic build failed
      • C# compiler failing
      • Cannot enable CodeQL in a private repository
      • Enabling default setup takes too long
      • Extraction errors in the database
      • Fewer lines scanned than expected
      • Logs not detailed enough
      • No source code seen during build
      • Not recognized
      • Out of disk or memory
      • Resource not accessible
      • Results different than expected
      • Server error
      • Some languages not analyzed
      • Two CodeQL workflows
      • Unclear what triggered a workflow
      • Unnecessary step found
      • Kotlin detected in no build
      • GitHub Code Security disabled
      • Default setup is enabled
      • GitHub token missing
      • SARIF file invalid
      • Results file too large
      • Results exceed limits
        • About built-in queries
        • Actions queries
        • C and C++ queries
        • C# queries
        • Go queries
        • Java and Kotlin queries
        • JavaScript and TypeScript queries
        • Python queries
        • Ruby queries
        • Rust queries
        • Swift queries
      • Setting up the CodeQL CLI
      • Preparing code for analysis
      • Analyzing code
      • Uploading results to GitHub
      • Customizing analysis
      • Advanced setup of the CodeQL CLI
      • Using custom queries with the CodeQL CLI
      • Creating CodeQL query suites
      • Testing custom queries
      • Testing query help files
      • Creating and working with CodeQL packs
      • Publishing and using CodeQL packs
      • Specifying command options in a CodeQL configuration file
      • CodeQL CLI SARIF output
      • CodeQL CLI CSV output
      • Extractor options
      • Exit codes
      • Creating CodeQL CLI database bundles
      • bqrs decode
      • bqrs diff
      • bqrs hash
      • bqrs info
      • bqrs interpret
      • database add-diagnostic
      • database analyze
      • database bundle
      • database cleanup
      • database create
      • database export-diagnostics
      • database finalize
      • database import
      • database index-files
      • database init
      • database interpret-results
      • database print-baseline
      • database run-queries
      • database trace-command
      • database unbundle
      • database upgrade
      • dataset check
      • dataset cleanup
      • dataset import
      • dataset measure
      • dataset upgrade
      • diagnostic add
      • diagnostic export
      • execute cli-server
      • execute language-server
      • execute queries
      • execute query-server
      • execute query-server2
      • execute upgrades
      • generate extensible-predicate-metadata
      • generate log-summary
      • generate overlay-changes
      • generate query-help
      • github merge-results
      • github upload-results
      • pack add
      • pack bundle
      • pack ci
      • pack create
      • pack download
      • pack init
      • pack install
      • pack ls
      • pack packlist
      • pack publish
      • pack resolve-dependencies
      • pack upgrade
      • query compile
      • query decompile
      • query format
      • query run
      • resolve database
      • resolve extensions
      • resolve extensions-by-pack
      • resolve extractor
      • resolve files
      • resolve languages
      • resolve library-path
      • resolve metadata
      • resolve ml-models
      • resolve packs
      • resolve qlpacks
      • resolve qlref
      • resolve queries
      • resolve ram
      • resolve tests
      • resolve upgrades
      • test accept
      • test extract
      • test run
      • version
      • Extension installation
      • Manage CodeQL databases
      • Run CodeQL queries
      • Explore data flow
      • Queries at scale
      • CodeQL model editor
      • Custom query creation
      • Manage CodeQL packs
      • Explore code structure
      • Test CodeQL queries
      • Customize settings
      • CodeQL workspace setup
      • CodeQL CLI access
      • Telemetry
      • Access logs
      • Problem with controller repository
      • Browse Advisory Database
      • Edit Advisory Database
      • Permission levels
      • Configure for a repository
      • Configure for an organization
      • Create repository advisories
      • Edit repository advisories
      • Evaluate repository security
      • Temporary private forks
      • Publish repository advisories
      • Add collaborators
      • Remove collaborators
      • Delete repository advisories
      • Best practices
      • Privately reporting
      • Manage vulnerability reports
      • Dependency graph ecosystem support
      • Customize dependency review action
      • Enforce dependency review
      • Troubleshoot dependency graph
      • Overview
      • Securing accounts
      • Securing code
      • Securing builds
      • Dependabot ecosystem support
      • View Dependabot alerts
      • Enable delegated alert dismissal
      • Manage auto-dismissed alerts
      • Optimize PR creation
      • Customize Dependabot PRs
      • Use Dependabot with Actions
      • Multi-ecosystem updates
      • Dependabot options reference
      • Configure ARC
      • Configure VNET
      • Viewing Dependabot logs
      • Dependabot stopped working
      • Troubleshoot Dependabot on Actions
    • About security overview
    • View security insights
    • Assess adoption of features
    • Assess security risk of code
    • Filter security overview
    • Export data
    • View Dependabot metrics
    • View secret scanning metrics
    • View PR alert metrics
    • Review bypass requests
    • Review alert dismissal requests
      • Introduction
      • Code scanning alerts
      • Evaluate code scanning
      • Integration with code scanning
        • CodeQL code scanning
        • CodeQL query suites
        • CodeQL CLI
        • CodeQL for VS Code
        • CodeQL workspaces
        • Query reference files
    • GitHub Code Quality
      • Supply chain features
      • Dependency best practices
      • Dependency graph
      • Dependency review
      • Dependabot alerts
      • Dependabot security updates
      • Dependabot version updates
      • Dependabot auto-triage rules
      • Dependabot on Actions
      • Immutable releases
      • GitHub Advisory database
      • Repository security advisories
      • Global security advisories
      • Coordinated disclosure
      • Vulnerability exposure
        • Configure Dependabot alerts
        • Configure security updates
        • Configure version updates
        • Auto-update actions
        • Configure dependency graph
        • Explore dependencies
        • Submit dependencies automatically
        • Use dependency submission API
        • Verify release integrity
        • Auto-triage Dependabot alerts
        • Prioritize with preset rules
        • Customize Dependabot PRs
        • Control dependency update
        • Configure dependency review action
        • Optimize Java packages
        • Configure Dependabot notifications
        • Configure access to private registries
        • Remove access to public registries
        • Manage Dependabot PRs
        • Manage Dependabot on self-hosted runners
        • List configured dependencies
        • Configure private registries
        • Troubleshoot Dependabot errors
        • Troubleshoot vulnerability detection
        • Prevent release changes
        • Export dependencies as SBOM
  • Reference
      • Prevent data leaks
      • Fix alerts at scale
      • Prioritize alerts in production code
      • Interpret secret risk assessment
  • Responsible use
  • Security and code quality/
  • How-tos

How-tos for security and code quality

Learn how to use GitHub's security and code quality features.

  • Securing your supply chain
    • Securing your dependencies
    • Managing your dependency security
    • Troubleshooting dependency security
    • Establishing provenance and integrity for your projects

Help and support

Did you find what you needed?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Learn how to contribute

Still need help?

Ask the GitHub community
Contact support

Legal

  • © 2026 GitHub, Inc.
  • Terms
  • Privacy
  • Status
  • Pricing
  • Expert services
  • Blog