You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/6-knowledge-check.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -55,7 +55,7 @@ quiz:
55
55
- content: "Scheduled events are more difficult to configure than triggered events."
56
56
isCorrect: false
57
57
explanation: "Incorrect. Scheduled events are not more difficult to configure than triggered events. Both can be configured easily. "
58
-
- content: "Scheduled events run based on a specified schedule and triggered events run on code events such a push. "
58
+
- content: "Scheduled events run based on a specified schedule and triggered events run on code events such as a push. "
59
59
isCorrect: true
60
60
explanation: "Correct. Scheduled events are specified by the developer and triggered events are set by default but can also be configured by the developer."
61
61
- content: "Triggered events run less frequently than scheduled events."
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/1-introduction.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
Imagine that you're the GitHub administrator for a project and you want to make sure that the code doesn't include any security vulnerabilities or errors. It can be very time consuming to manually check your code base, especially if it's large. Your company just purchased a GitHub Advanced Security license that helps save time and effort by allowing you to use code scanning. With code scanning, you receive alerts indicating any problematic code, then you can quickly find the problem areas and make the necessary changes. In order to enable code scanning, you need to know what tools are available and what their features are. You also need to understand how often to perform code scanning and the types of events you can use to trigger scans.
1
+
Imagine that you're the GitHub administrator for a project, and you want to make sure that the code doesn't include any security vulnerabilities or errors. It can be very time consuming to manually check your code base, especially if it's large. Your company just purchased a GitHub Advanced Security license that helps save time and effort by allowing you to use code scanning. With code scanning, you receive alerts indicating any problematic code. Then, you can quickly find the problem areas and make the necessary changes. In order to enable code scanning, you need to know what tools are available and what their features are. You also need to understand how often to perform code scanning and the types of events you can use to trigger scans.
2
2
3
3
This module introduces you to code scanning and its features. You'll learn how to implement code scanning using CodeQL, third-party tools, and GitHub Actions. You'll also learn about the different ways you can configure code scanning to optimize your experience.
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/2-what-code-scanning.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ CodeQL is the code analysis engine GitHub developed to automate security checks.
14
14
15
15
CodeQL treats code like data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers. You generate a CodeQL database to represent your codebase, then run CodeQL queries on that database to identify problems in the codebase. The query results are shown as code scanning alerts in GitHub when you use CodeQL with code scanning.
16
16
17
-
CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code written in the following supported languages:
17
+
CodeQL supports both compiled and interpreted languages, and it can find vulnerabilities and errors in code written in the following supported languages:
18
18
19
19
- C or C++
20
20
- C#
@@ -40,7 +40,7 @@ Follow these steps to set up code scanning using the CodeQL GitHub Actions workf
40
40
:::image type="content" source="../media/2-security-tab-screenshot.png" alt-text="Screenshot of the security tab.":::
41
41
42
42
3. Select **Set up code scanning**. If this option isn't available, ask an organization owner or repository administrator to enable GitHub Advanced Security.
43
-
43
+
44
44
:::image type="content" source="../media/3-set-up-code-scanning-button-screenshot.png" alt-text="Screenshot of the set up code scanning button.":::
45
45
46
46
4. In the **Set up** drop-down, select **Default**.
Review the [GitHub REST API docs](https://docs.github.com/rest/reference/code-scanning) for more information about the using the code scanning API.
31
+
Review the [GitHub REST API docs](https://docs.github.com/rest/code-scanning/code-scanning) for more information about the using the code scanning API.
32
32
33
33
#### CodeQL CLI
34
34
35
-
The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com. The CodeQL CLI is free to use on public repositories that are maintained on GitHub.com, and available to use on private repositories that are owned by customers with an Advanced Security license. Download the CodeQL bundle from https://github.com/github/codeql-action/releases.
35
+
The CodeQL CLI is a standalone product that you can use to analyze code. Its main purpose is to generate a database representation of a codebase, a CodeQL database. Once the database is ready, you can query it interactively, or you can run a suite of queries to generate a set of results in SARIF format and upload the results to GitHub.com. The CodeQL CLI is free to use on public repositories that are maintained on GitHub.com, and available to use on private repositories that are owned by customers with an Advanced Security license. Download the CodeQL bundle from https://github.com/github/codeql-action/releases.
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/includes/4-configure-code-scanning.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ For example, you can edit GitHub's CodeQL analysis workflow to specify the frequ
6
6
7
7
### Switching from Default to Advanced Code Scanning Setup
8
8
9
-
If you already have a repository set up to use code scanning using the default setup method, you can switch to using the Advanced setup in the settings. Navigate to the **Code scanning** section under **Settings > Code security and analysis**, then select the three dots overflow icon (**...**). In the drop-down, select **Switch to advanced**, then follow the prompts to disable CodeQL and re-enable it with the advanced setup's generated workflow file.
9
+
If you already have a repository set up to use code scanning using the default setup method, you can switch to using the Advanced setup in the settings. Navigate to the **Code scanning** section under **Settings > Code security and analysis**, and then select the three dots overflow icon (**...**). In the drop-down, select **Switch to advanced**. Then, follow the prompts to disable CodeQL, and re-enable it with the advanced setup's generated workflow file.
10
10
11
11
## Edit code-scanning workflow
12
12
@@ -28,7 +28,7 @@ Review the following sections for some common code scanning configuration option
28
28
29
29
### Configure frequency
30
30
31
-
A common edit to the workflow file is to adjust the frequency with which code scanning occurs. You can configure the CodeQL analysis workflow to scan code on a schedule or when specific events occur in a repository. You can also edit the workflow file to scan code when someone pushes a change, and whenever a pull request is created. Adjusting this frequency prevents developers from introducing new vulnerabilities and errors into the code. Scanning code on a schedule informs you about the latest vulnerabilities and errors that GitHub, security researchers, and the community discover. Even when developers aren't actively maintaining the repository.
31
+
A common edit to the workflow file is to adjust the frequency with which code scanning occurs. You can configure the CodeQL analysis workflow to scan code on a schedule or when specific events occur in a repository. You can also edit the workflow file to scan code when someone pushes a change and whenever a pull request is created. Adjusting this frequency prevents developers from introducing new vulnerabilities and errors into the code. Scanning code on a schedule informs you about the latest vulnerabilities and errors that GitHub, security researchers, and the community discover. Even when developers aren't actively maintaining the repository.
32
32
33
33
#### Scan on Push
34
34
@@ -44,7 +44,7 @@ If you use the `pull_request` trigger, configured to scan the pull request's mer
44
44
45
45
### Define the severities causing pull request check failure
46
46
47
-
By default, only alerts with the severity level of `Error` or security severity level of `Critical` or `High` cause a pull-request check failure. Pull-request failures don't stop a code scan, but represent a blocker when trying to merge code. You can find the list of pull-request failures in the **Code scanning alerts** tab under your repository's **Security**. In your repository settings, you can change the levels of alert severities and of security severities that cause a pull request check failure.
47
+
By default, only alerts with the severity level of `Error` or security severity level of `Critical` or `High` cause a pull-request check failure. Pull-request failures don't stop a code scan but represent a blocker when trying to merge code. You can find the list of pull-request failures in the **Code scanning alerts** tab under your repository's **Security**. In your repository settings, you can change the levels of alert severities and of security severities that cause a pull request check failure.
48
48
49
49
1. On GitHub.com, navigate to the repository main page. Under your repository name, select **Settings**.
Copy file name to clipboardExpand all lines: learn-pr/github/configure-code-scanning/index.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@ metadata:
10
10
ms.service: github
11
11
ms.topic: module
12
12
title: "Configure code scanning on GitHub"
13
-
summary: This module introduces you to code scanning and its features. You will learn how to implement code scanning using CodeQL, third party tools, and GitHub Actions.
13
+
summary: This module introduces you to code scanning and its features. You'll learn how to implement code scanning using CodeQL, third party tools, and GitHub Actions.
0 commit comments