À propos de l’intégration à l’analyse du code

Vous pouvez effectuer une code scanning en externe, puis afficher les résultats dans GitHub, ou configurer des webhooks qui écoutent l’activité d’code scanning dans votre référentiel.

Qui peut utiliser cette fonctionnalité ?

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server, with GitHub Advanced Security enabled.

Dans cet article

About integration with code scanning

Remarque

Your site administrator must enable code scanning before you can use this feature. For more information, see Configuring code scanning for your appliance.

You may not be able to enable or disable code scanning if an enterprise owner has set a GitHub Advanced Security policy at the enterprise level. For more information, see Enforcing policies for code security and analysis for your enterprise.

As an alternative to running code scanning within GitHub, you can perform analysis elsewhere, using the CodeQL CLI or another static analysis tool, and then upload the results. For more information, see Using code scanning with your existing CI system.

If you run code scanning using multiple configurations, an alert will sometimes have multiple analysis origins. If an alert has multiple analysis origins, you can view the status of the alert for each analysis origin on the alert page. For more information, see About code scanning alerts.

Integrations with webhooks

You can use code scanning webhooks to build or configure integrations, such as GitHub Apps or OAuth apps, that subscribe to code scanning events in your repository. For example, you could build an integration that creates an issue on GitHub or sends you a Slack notification when a new code scanning alert is added in your repository. For more information, see Webhooks documentation and Webhook events and payloads.

Further reading