You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: In this unit, you'll learn about CodeQL, the two options for setting up code scanning, and how to add the CodeQL workflow to your repository.
description: In this unit, you'll learn the basics of code scanning configuration. You'll also learn how to configure the frequency of scans and schedule them to best fit your repository and development needs.
description: Knowledge check questions for configure code scanning module. # user input: a description for site search and SEO
8
-
ms.date: 04/11/2024
8
+
ms.date: 04/16/2025
9
9
author: rmcmurray
10
10
ms.author: robmcm
11
11
ms.topic: unit
@@ -54,10 +54,10 @@ quiz:
54
54
choices:
55
55
- content: "Scheduled events are more difficult to configure than triggered events."
56
56
isCorrect: false
57
-
explanation: "Incorrect. Scheduled events are not more difficult to configure than triggered events. Both can be configured easily. "
58
-
- content: "Scheduled events run based on a specified schedule and triggered events run on code events such a push. "
57
+
explanation: "Incorrect. Scheduled events aren't more difficult to configure than triggered events. Both can be configured easily. "
58
+
- content: "Scheduled events run based on a specified schedule and triggered events run on code events such as a push. "
59
59
isCorrect: true
60
-
explanation: "Correct. Scheduled events are specified by the developer and triggered events are set by default but can also be configured by the developer."
60
+
explanation: "Correct. The developer specifies scheduled events and triggered events are set by default but can also be developer configured."
61
61
- content: "Triggered events run less frequently than scheduled events."
62
62
isCorrect: false
63
63
explanation: "Incorrect. The frequency of both triggered events and scheduled events varies depending on how often pushes and pull requests occur, as well as how the developer may have configured the frequency."
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/1-introduction.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
Imagine that you're the GitHub administrator for a project and you want to make sure that the code doesn't include any security vulnerabilities or errors. It can be very time consuming to manually check your code base, especially if it's large. Your company just purchased a GitHub Advanced Security license that helps save time and effort by allowing you to use code scanning. With code scanning, you receive alerts indicating any problematic code, then you can quickly find the problem areas and make the necessary changes. In order to enable code scanning, you need to know what tools are available and what their features are. You also need to understand how often to perform code scanning and the types of events you can use to trigger scans.
1
+
Imagine that you're the GitHub administrator for a project, and you want to make sure that the code doesn't include any security vulnerabilities or errors. It can be very time consuming to manually check your code base, especially if it's large. Your company just purchased a GitHub Advanced Security license that helps save time and effort by allowing you to use code scanning. With code scanning, you receive alerts indicating any problematic code. Then, you can quickly find the problem areas and make the necessary changes. In order to enable code scanning, you need to know what tools are available and what their features are. You also need to understand how often to perform code scanning and the types of events you can use to trigger scans.
2
2
3
3
This module introduces you to code scanning and its features. You'll learn how to implement code scanning using CodeQL, third-party tools, and GitHub Actions. You'll also learn about the different ways you can configure code scanning to optimize your experience.
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/2-what-code-scanning.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ CodeQL is the code analysis engine GitHub developed to automate security checks.
14
14
15
15
CodeQL treats code like data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. You generate a CodeQL database to represent your codebase, then run CodeQL queries on that database to identify problems in the codebase. The query results are shown as code scanning alerts in GitHub when you use CodeQL with code scanning.
16
16
17
-
CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code written in the following supported languages:
17
+
CodeQL supports both compiled and interpreted languages, and it can find vulnerabilities and errors in code written in the following supported languages:
18
18
19
19
- C or C++
20
20
- C#
@@ -40,7 +40,7 @@ Follow these steps to set up code scanning using the CodeQL GitHub Actions workf
40
40
:::image type="content" source="../media/2-security-tab-screenshot.png" alt-text="Screenshot of the security tab.":::
41
41
42
42
3. Select **Set up code scanning**. If this option isn't available, ask an organization owner or repository administrator to enable GitHub Advanced Security.
43
-
43
+
44
44
:::image type="content" source="../media/3-set-up-code-scanning-button-screenshot.png" alt-text="Screenshot of the set up code scanning button.":::
45
45
46
46
4. In the **Set up** drop-down, select **Default**.
@@ -59,4 +59,4 @@ Running code scanning with GitHub Actions affects your monthly billing minutes.
59
59
60
60
## About Billing for Actions
61
61
62
-
Code scanning uses GitHub Actions, and each run of a code-scanning workflow consumes minutes for GitHub Actions. GitHub Actions usage is free for both public repositories and self-hosted runners. For private repositories, each GitHub account receives a certain number of free minutes and storage, depending on the product used with the account. Any usage beyond the included amounts is controlled by spending limits. If you're a monthly billed customer, your account has a default spending limit of 0 US dollars (USD), which prevents extra usage of minutes or storage for private repositories beyond the amounts included with your account. If you pay your account by invoice, your account will have an unlimited default spending limit. Minutes reset every month, while storage usage doesn't.
62
+
Code scanning uses GitHub Actions, and each run of a code-scanning workflow consumes minutes for GitHub Actions. GitHub Actions usage is free for both public repositories and self-hosted runners. For private repositories, each GitHub account receives a certain number of free minutes and storage, depending on the product used with the account. Spending limits control any usage beyond the included amounts. If you're a monthly billed customer, your account has a default spending limit of zero US dollars (USD), which prevents extra usage of minutes or storage for private repositories beyond the amounts included with your account. If you pay your account by invoice, your account will have an unlimited default spending limit. Minutes reset every month, while storage usage doesn't.
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/3-enable-code-scanning-with-third-party-tools.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ The code-scanning API lets you retrieve information on code scanning alerts, ana
14
14
15
15
You can access the GitHub API over HTTPS from `https://api.github.com`. All data is sent and received as JSON. The API uses custom media types to let consumers choose the format of the data they wish to receive. Media types are specific to resources, allowing them to change independently and support formats that other resources don't.
16
16
17
-
There is one supported custom media type for the code scanning REST API, `application/sarif+json`.
17
+
There's one supported custom media type for the code scanning REST API, `application/sarif+json`.
18
18
19
19
You can use this media type with GET requests sent to the `/analyses/{analysis_id}` endpoint. When you use this media type with this operation, the response includes a subset of the actual data that was uploaded for the specified analysis, rather than the summary of the analysis that's returned when you use the default media type. The response also includes additional data such as the `github/alertNumber` and `github/alertUrl` properties. The data is formatted as SARIF version 2.1.0.
Review the [GitHub REST API docs](https://docs.github.com/rest/reference/code-scanning) for more information about the using the code scanning API.
31
+
Review the [GitHub REST API docs](https://docs.github.com/rest/code-scanning/code-scanning) for more information about the using the code scanning API.
32
32
33
33
#### CodeQL CLI
34
34
35
-
The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com. The CodeQL CLI is free to use on public repositories that are maintained on GitHub.com, and available to use on private repositories that are owned by customers with an Advanced Security license. Download the CodeQL bundle from https://github.com/github/codeql-action/releases.
35
+
The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or you can run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com. The CodeQL CLI is free to use on public repositories maintained on GitHub.com, and it's available to use on customer owned private repositories with an Advanced Security license. Download the CodeQL bundle from https://github.com/github/codeql-action/releases.
36
36
37
37
The bundle contains:
38
38
@@ -92,7 +92,7 @@ Each time the results of a new code scan are uploaded, the results are processed
92
92
93
93
If your SARIF file doesn't include `partialFingerprints`, the `upload-sarif` action will calculate the `partialFingerprints` field for you and attempt to prevent duplicate alerts. GitHub can only create `partialFingerprints` when the repository contains both the SARIF file and the source code used in the static analysis.
94
94
95
-
SARIF upload supports a maximum of 5000 results per upload. Any results over this limit are ignored. If a tool generates too many results, you should update the configuration to focus on results for the most important rules or queries.
95
+
SARIF upload supports a maximum of 5,000 results per upload. Any results over this limit are ignored. If a tool generates too many results, you should update the configuration to focus on results for the most important rules or queries.
96
96
97
97
For each upload, SARIF upload supports a maximum size of 10 MB for the gzip-compressed SARIF file. Any uploads over this limit will be rejected. If your SARIF file is too large because it contains too many results, you should update the configuration to focus on results for the most important rules or queries.
0 commit comments