Summary
We're integrating CodeQL analysis into GitHub, and building an interface for displaying static analysis results more generally. GitHub will show analysis results in the repository and pull request experiences.
Intended Outcome
We want high-quality, automated security review to be a native and positive part of the developer workflow. Integrating static analysis results directly into the PR experience will help engineering teams catch security vulnerabilities earlier.
How will it work?
Advanced Security users will be able to set up a CI workflow (e.g., using GitHub Actions or Jenkins) that runs CodeQL analysis on each pull request, or on a schedule, and posts the results to GitHub using a standard static analysis result format (SARIF). GitHub will determine which alerts are new as a result of the code changed in the pull request and surface any potential vulnerabilities in-line.
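The step where GitHub works out which alerts are new in a pull request can be illustrated by diffing two SARIF result sets. The example below is added here and is not GitHub's or CodeQL's code; it assumes the SARIF 2.1.0 layout and uses the `partialFingerprints.primaryLocationLineHash` field that CodeQL emits, falling back to rule + file + line when a result has no fingerprint, and the two SARIF documents are constructed inline.

```python
"""Determine which SARIF alerts are new relative to a baseline scan.

Added example (not GitHub's implementation): two SARIF 2.1.0 documents are
built inline, one for the base branch and one for the pull request head,
and the alerts present only in the head scan are reported.
"""


def _result_key(result):
    """Identity for one SARIF result.

    Prefer the tool's partialFingerprints (CodeQL emits primaryLocationLineHash),
    which survive line shifts; fall back to rule + file + start line.
    """
    fp = result.get("partialFingerprints") or {}
    if "primaryLocationLineHash" in fp:
        return (result.get("ruleId"), "fp", fp["primaryLocationLineHash"])
    loc = result["locations"][0]["physicalLocation"]
    return (result.get("ruleId"), "loc",
            loc["artifactLocation"]["uri"], loc.get("region", {}).get("startLine"))


def _results(sarif):
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def new_alerts(baseline_sarif, head_sarif):
    """Return the results in head_sarif whose identity is absent from baseline_sarif."""
    seen = {_result_key(r) for r in _results(baseline_sarif)}
    return [r for r in _results(head_sarif) if _result_key(r) not in seen]


def make_sarif(*results):
    """Build a minimal SARIF 2.1.0 document around the given results (constructed)."""
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": list(results)}]}


def make_result(rule, uri, line, fp=None):
    """Build one SARIF result with a single physical location (constructed)."""
    r = {"ruleId": rule, "level": "error", "message": {"text": rule},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if fp:
        r["partialFingerprints"] = {"primaryLocationLineHash": fp}
    return r


# Constructed sample: the PR inserts lines above an existing finding (its line moves
# from 40 to 42 but its fingerprint is unchanged) and introduces one new finding.
BASELINE = make_sarif(make_result("js/sql-injection", "src/db.js", 40, "a1b2c3:1"))
HEAD = make_sarif(make_result("js/sql-injection", "src/db.js", 42, "a1b2c3:1"),
                  make_result("js/path-injection", "src/files.js", 17, "d4e5f6:1"))

if __name__ == "__main__":
    for r in new_alerts(BASELINE, HEAD):
        loc = r["locations"][0]["physicalLocation"]
        print(f"NEW {r['ruleId']} at {loc['artifactLocation']['uri']}:{loc['region']['startLine']}")
```

Without fingerprints the same moved finding would be reported as new, which is why tools that upload SARIF for pull-request review should populate `partialFingerprints`.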