Automatically scanning your code for vulnerabilities and errors

You can find vulnerabilities and errors in your project's code on GitHub, as well as view, triage, understand, and resolve the related code scanning alerts.

Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see "About GitHub Advanced Security."

About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Triaging code scanning alerts in pull requests

When code scanning identifies a problem in a pull request, you can review the highlighted code and resolve the alert.

Setting up code scanning for a repository

You can set up code scanning by adding a workflow to your repository.

Managing code scanning alerts for your repository

From the security view, you can view, fix, dismiss, or delete alerts for potential vulnerabilities or errors in your project's code.

Tracking code scanning alerts in issues using task lists

You can add code scanning alerts to issues using task lists. This makes it easy to create a plan for development work that includes fixing alerts.

Configuring code scanning

You can configure how GitHub scans the code in your project for vulnerabilities and errors.

About code scanning with CodeQL

You can use CodeQL to identify vulnerabilities and errors in your code. The results are shown as code scanning alerts in GitHub.

Recommended hardware resources for running CodeQL

Recommended specifications (RAM, CPU cores, and disk) for running CodeQL analysis on self-hosted machines, based on the size of your codebase.

Configuring the CodeQL workflow for compiled languages

You can configure how GitHub uses the CodeQL analysis workflow to scan code written in compiled languages for vulnerabilities and errors.

Troubleshooting the CodeQL workflow

If you're having problems with code scanning, you can troubleshoot by using these tips for resolving issues.

Running CodeQL code scanning in a container

You can run code scanning in a container by ensuring that all processes run in the same container.

Viewing code scanning logs

You can view the output generated during code scanning analysis in GitHub.com.

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.

Still need help?

Ask the GitHub community

Contact support

Dec	JAN	Feb
	24
2021	2022	2023