Group user docs on code security into a new "product" - with more redirects (#18278)

Felicity Chapman 2021-03-22 09:28:35 +00:00 committed by GitHub
Parent c98d455a49
Commit 28bec608c7
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
96 changed files: 2822 additions and 172 deletions


@ -1,6 +1,8 @@
---
title: About securing your repository
intro: '{% data variables.product.product_name %} provides a number of ways that you can help keep your repository secure.'
redirect_from:
- /github/administering-a-repository/about-securing-your-repository
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'


@ -0,0 +1,15 @@
---
title: Getting started with code security
shortTitle: Getting started
intro: 'Introduction to code security with {% data variables.product.product_name %}.'
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
### Table of Contents
{% link_in_list /about-securing-your-repository %}
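Review bot: this index declares `github-ae: '*'`, but the article it links with `{% link_in_list /about-securing-your-repository %}` shows only `free-pro-team: '*'` and `enterprise-server: '>=3.0'` in the visible part of its versions block (first hunk of this commit). Confirm that article is also versioned for GitHub AE; otherwise the Getting started index on AE renders an entry whose target page does not exist there. Either add `github-ae: '*'` to that article or keep it out of the AE build of this index.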


@ -0,0 +1,21 @@
---
title: Code security
shortTitle: Code security
intro: 'Learn how to keep the code stored in your repositories secure.'
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% link_with_intro /getting-started %}
{% link_with_intro /secret-security %}
{% link_with_intro /secure-coding %}
{% link_with_intro /security-advisories %}
{% link_with_intro /supply-chain-security %}


@ -6,6 +6,7 @@ redirect_from:
- /github/administering-a-repository/about-token-scanning
- /articles/about-token-scanning
- /articles/about-token-scanning-for-private-repositories
- /github/administering-a-repository/about-secret-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'


@ -4,6 +4,7 @@ intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans
permissions: 'People with admin permissions to a repository can enable {% data variables.product.prodname_secret_scanning %} for the repository.'
redirect_from:
- /github/administering-a-repository/configuring-secret-scanning-for-private-repositories
- /github/administering-a-repository/configuring-secret-scanning-for-your-repositories
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
free-pro-team: '*'


@ -0,0 +1,18 @@
---
title: Keeping secrets secure
shortTitle: Secret security
intro: 'Let {% data variables.product.company_short %} do the hard work of ensuring that tokens, private keys, and other code secrets are not exposed in your repository.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- repositories
---
### Table of Contents
{% link_in_list /about-secret-scanning %}
{% link_in_list /configuring-secret-scanning-for-your-repositories %}
{% link_in_list /managing-alerts-from-secret-scanning %}
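Review bot: `topics:` here lists `repositories`, whereas the sibling category indexes added in this commit (Getting started, Code security) and the code scanning articles all use `security`. This index is the secret scanning category of the new Code security product, so `- security` looks like the intended value; as written, the page will be filed under a different topic from the rest of the product.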


@ -2,6 +2,8 @@
title: Managing alerts from secret scanning
intro: You can view and close alerts for secrets checked in to your repository.
product: '{% data reusables.gated-features.secret-scanning %}'
redirect_from:
- /github/administering-a-repository/managing-alerts-from-secret-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'


@ -0,0 +1,65 @@
---
title: About code scanning
intro: 'You can use {% data variables.product.prodname_code_scanning %} to find security vulnerabilities and errors in the code for your project on {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/about-automated-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
### About {% data variables.product.prodname_code_scanning %}
{% data reusables.code-scanning.about-code-scanning %}
You can use {% data variables.product.prodname_code_scanning %} to find, triage, and prioritize fixes for existing problems in your code. {% data variables.product.prodname_code_scanning_capc %} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.
If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see
"[Webhook events and payloads](/developers/webhooks-and-events/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[{% data variables.product.prodname_code_scanning_capc %}](/rest/reference/code-scanning)."
To get started with {% data variables.product.prodname_code_scanning %}, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
### About {% data variables.product.prodname_codeql %}
You can use {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}, a semantic code analysis engine. {% data variables.product.prodname_codeql %} treats code as data, allowing you to find potential vulnerabilities in your code with greater confidence than traditional static analyzers.
{% data variables.product.prodname_ql %} is the query language that powers {% data variables.product.prodname_codeql %}. {% data variables.product.prodname_ql %} is an object-oriented logic programming language. {% data variables.product.company_short %}, language experts, and security researchers create the queries used for {% data variables.product.prodname_code_scanning %}, and the queries are open source. The community maintains and updates the queries to improve analysis and reduce false positives. For more information, see [{% data variables.product.prodname_codeql %}](https://securitylab.github.com/tools/codeql) on the GitHub Security Lab website.
{% data variables.product.prodname_code_scanning_capc %} with {% data variables.product.prodname_codeql %} supports both compiled and interpreted languages, and can find vulnerabilities and errors in code that's written in the supported languages.
{% data reusables.code-scanning.supported-languages %}
You can view and contribute to the queries for {% data variables.product.prodname_code_scanning %} in the [`github/codeql`](https://github.com/github/codeql) repository. For more information, see [{% data variables.product.prodname_codeql %} queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/) in the {% data variables.product.prodname_codeql %} documentation.
{% if currentVersion == "free-pro-team@latest" %}
### About billing for {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_capc %} uses {% data variables.product.prodname_actions %}, and each run of a {% data variables.product.prodname_code_scanning %} workflow consumes minutes for {% data variables.product.prodname_actions %}. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."
{% endif %}
### About third-party code scanning tools
{% data reusables.code-scanning.you-can-upload-third-party-analysis %}
{% data reusables.code-scanning.interoperable-with-tools-that-output-sarif %}
{% data reusables.code-scanning.get-started-uploading-third-party-data %}
### Further reading
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}
- "[About securing your repository](/github/administering-a-repository/about-securing-your-repository)"{% endif %}
- [{% data variables.product.prodname_security %}](https://securitylab.github.com/)
- [OASIS Static Analysis Results Interchange Format (SARIF) TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif) on the OASIS Committee website
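Review bot: the "Further reading" entry still links to `/github/administering-a-repository/about-securing-your-repository`, which this same commit turns into a redirect (it appears under `redirect_from` in the first hunk). Point it at the new location under the Getting started category, `/code-security/getting-started/about-securing-your-repository`, so the link does not rely on the redirect. The `{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}` guard around that entry is consistent with the visible frontmatter of the target article (no `github-ae` version), so keep the guard.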


@ -0,0 +1,31 @@
---
title: About integration with code scanning
shortTitle: About integration
intro: 'You can perform {% data variables.product.prodname_code_scanning %} externally and then display the results in {% data variables.product.prodname_dotcom %}, or set up webhooks that listen to {% data variables.product.prodname_code_scanning %} activity in your repository.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
As an alternative to running {% data variables.product.prodname_code_scanning %} within {% data variables.product.prodname_dotcom %}, you can perform analysis elsewhere and then upload the results. Alerts for {% data variables.product.prodname_code_scanning %} that you run externally are displayed in the same way as those for {% data variables.product.prodname_code_scanning %} that you run within {% data variables.product.prodname_dotcom %}. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
If you use a third-party static analysis tool that can produce results as Static Analysis Results Interchange Format (SARIF) 2.1.0 data, you can upload this to {% data variables.product.prodname_dotcom %}. For more information, see "[Uploading a SARIF file to GitHub](/code-security/secure-coding/uploading-a-sarif-file-to-github)."
### Integrations with webhooks
You can use {% data variables.product.prodname_code_scanning %} webhooks to build or set up integrations, such as [{% data variables.product.prodname_github_app %}s](/apps/building-github-apps/) or [{% data variables.product.prodname_oauth_app %}s](/apps/building-oauth-apps/), that subscribe to {% data variables.product.prodname_code_scanning %} events in your repository. For example, you could build an integration that creates an issue on {% data variables.product.product_name %} or sends you a Slack notification when a new {% data variables.product.prodname_code_scanning %} alert is added in your repository. For more information, see "[Creating webhooks](/developers/webhooks-and-events/creating-webhooks)" and "[Webhook events and payloads](/developers/webhooks-and-events/webhook-events-and-payloads#code_scanning_alert)."
### Further reading
* "[About {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/about-code-scanning)"
* "[Using {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} with your existing CI system](/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system)"
* "[SARIF support for {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/sarif-support-for-code-scanning)"


@ -0,0 +1,16 @@
---
title: Automatically scanning your code for vulnerabilities and errors
shortTitle: Scanning automatically
intro: 'You can find vulnerabilities and errors in your project''s code on {% data variables.product.prodname_dotcom %}, as well as view, triage, understand, and resolve the related {% data variables.product.prodname_code_scanning %} alerts.'
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---


@ -0,0 +1,323 @@
---
title: Configuring code scanning
intro: 'You can configure how {% data variables.product.prodname_dotcom %} scans the code in your project for vulnerabilities and errors.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_code_scanning %} for the repository.'
miniTocMaxHeadingLevel: 4
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
### About {% data variables.product.prodname_code_scanning %} configuration
You can run {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}, using {% data variables.product.prodname_actions %}, or from your continuous integration (CI) system, using the {% data variables.product.prodname_codeql_runner %}. For more information about {% data variables.product.prodname_actions %}, see "[About {% data variables.product.prodname_actions %}](/actions/getting-started-with-github-actions/about-github-actions)." For more information about the {% data variables.product.prodname_codeql_runner %}, see "[Running {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)."
This article is about running {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}.
Before you can configure {% data variables.product.prodname_code_scanning %} for a repository, you must set up {% data variables.product.prodname_code_scanning %} by adding a {% data variables.product.prodname_actions %} workflow to the repository. For more information, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
{% data reusables.code-scanning.edit-workflow %}
{% data variables.product.prodname_codeql %} analysis is just one type of {% data variables.product.prodname_code_scanning %} you can do in {% data variables.product.prodname_dotcom %}. {% data variables.product.prodname_marketplace %}{% if currentVersion ver_gt "enterprise-server@2.21" %} on {% data variables.product.prodname_dotcom_the_website %}{% endif %} contains other {% data variables.product.prodname_code_scanning %} workflows you can use. {% if currentVersion == "free-pro-team@latest" %}You can find a selection of these on the "Get started with {% data variables.product.prodname_code_scanning %}" page, which you can access from the **{% octicon "shield" aria-label="The shield symbol" %} Security** tab.{% endif %} The specific examples given in this article relate to the {% data variables.product.prodname_codeql_workflow %} file.
### Editing a {% data variables.product.prodname_code_scanning %} workflow
{% data variables.product.prodname_dotcom %} saves workflow files in the _.github/workflows_ directory of your repository. You can find a workflow you have added by searching for its file name. For example, by default, the workflow file for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} is called _codeql-analysis.yml_.
1. In your repository, browse to the workflow file you want to edit.
1. In the upper right corner of the file view, to open the workflow editor, click {% octicon "pencil" aria-label="The edit icon" %}.
![Edit workflow file button](/assets/images/help/repository/code-scanning-edit-workflow-button.png)
1. After you have edited the file, click **Start commit** and complete the "Commit changes" form. You can choose to commit directly to the current branch, or create a new branch and start a pull request.
![Commit update to codeql.yml workflow](/assets/images/help/repository/code-scanning-workflow-update.png)
For more information about editing workflow files, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
### Configuring frequency
You can configure the {% data variables.product.prodname_codeql_workflow %} to scan code on a schedule or when specific events occur in a repository.
Scanning code when someone pushes a change, and whenever a pull request is created, prevents developers from introducing new vulnerabilities and errors into the code. Scanning code on a schedule informs you about the latest vulnerabilities and errors that {% data variables.product.company_short %}, security researchers, and the community discover, even when developers aren't actively maintaining the repository.
#### Scanning on push
By default, the {% data variables.product.prodname_codeql_workflow %} uses the `on.push` event to trigger a code scan on every push to the default branch of the repository and any protected branches. For {% data variables.product.prodname_code_scanning %} to be triggered on a specified branch, the workflow must exist in that branch. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#on)."
#### Scanning pull requests
The default {% data variables.product.prodname_codeql_workflow %} uses the `pull_request` event to trigger a code scan on pull requests targeted against the default branch. {% if currentVersion ver_gt "enterprise-server@2.21" %}The `pull_request` event is not triggered if the pull request was opened from a private fork.{% else %}If a pull request is from a private fork, the `pull_request` event will only be triggered if you've selected the "Run workflows from fork pull requests" option in the repository settings. For more information, see "[Disabling or limiting {% data variables.product.prodname_actions %} for a repository](/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository#enabling-workflows-for-private-repository-forks)."{% endif %}
For more information about the `pull_request` event, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags)."
#### Avoiding unnecessary scans of pull requests
You might want to avoid a code scan being triggered on specific pull requests targeted against the default branch, irrespective of which files have been changed. You can configure this by specifying `on:pull_request:paths-ignore` or `on:pull_request:paths` in the {% data variables.product.prodname_code_scanning %} workflow. For example, if the only changes in a pull request are to files with the file extensions `.md` or `.txt` you can use the following `paths-ignore` array.
``` yaml
on:
push:
branches: [main, protected]
pull_request:
branches: [main]
paths-ignore:
- '**/*.md'
- '**/*.txt'
```
{% note %}
**Notes**
* `on:pull_request:paths-ignore` and `on:pull_request:paths` set conditions that determine whether the actions in the workflow will run on a pull request. They don't determine what files will be analyzed when the actions _are_ run. When a pull request contains any files that are not matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, the workflow runs the actions and scans all of the files changed in the pull request, including those matched by `on:pull_request:paths-ignore` or `on:pull_request:paths`, unless the files have been excluded. For information on how to exclude files from analysis, see "[Specifying directories to scan](#specifying-directories-to-scan)."
* For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} workflow files, don't use the `paths-ignore` or `paths` keywords with the `on:push` event as this is likely to cause missing analyses. For accurate results, {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} needs to be able to compare new changes with the analysis of the previous commit.
{% endnote %}
For more information about using `on:pull_request:paths-ignore` and `on:pull_request:paths` to determine when a workflow will run for a pull request, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestpaths)."
#### Scanning on a schedule
If you use the default {% data variables.product.prodname_codeql_workflow %}, the workflow will scan the code in your repository once a week, in addition to the scans triggered by events. To adjust this schedule, edit the `cron` value in the workflow. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onschedule)."
{% note %}
**Note**: {% data variables.product.prodname_dotcom %} only runs scheduled jobs that are in workflows on the default branch. Changing the schedule in a workflow on any other branch has no effect until you merge the branch into the default branch.
{% endnote %}
#### Example
The following example shows a {% data variables.product.prodname_codeql_workflow %} for a particular repository that has a default branch called `main` and one protected branch called `protected`.
``` yaml
on:
push:
branches: [main, protected]
pull_request:
branches: [main]
schedule:
- cron: '0 15 * * 0'
```
This workflow scans:
* Every push to the default branch and the protected branch
* Every pull request to the default branch
* The default branch at 3 P.M. every Sunday
### Specifying an operating system
If your code requires a specific operating system to compile, you can configure the operating system in your {% data variables.product.prodname_codeql_workflow %}. Edit the value of `jobs.analyze.runs-on` to specify the operating system for the machine that runs your {% data variables.product.prodname_code_scanning %} actions. {% if currentVersion ver_gt "enterprise-server@2.21" %}You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% else %}
If you choose to use a self-hosted runner for code scanning, you can specify an operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% endif %}
``` yaml
jobs:
analyze:
name: Analyze
runs-on: [self-hosted, ubuntu-latest]
```
{% if currentVersion == "free-pro-team@latest" %}For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)" and "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."{% endif %}
{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} supports the latest versions of Ubuntu, Windows, and macOS. Typical values for this setting are therefore: `ubuntu-latest`, `windows-latest`, and `macos-latest`. For more information, see {% if currentVersion ver_gt "enterprise-server@2.21" %}"[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#self-hosted-runners)" and "[Using labels with self-hosted runners](/actions/hosting-your-own-runners/using-labels-with-self-hosted-runners){% else %}"[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idruns-on){% endif %}."
{% if currentVersion ver_gt "enterprise-server@2.21" %}You must ensure that Git is in the PATH variable on your self-hosted runners.{% else %}If you use a self-hosted runner, you must ensure that Git is in the PATH variable.{% endif %}
### Changing the languages that are analyzed
{% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} automatically detects code written in the supported languages.
{% data reusables.code-scanning.supported-languages %}
The default {% data variables.product.prodname_codeql_workflow %} file contains a build matrix called `language` which lists the languages in your repository that are analyzed. {% data variables.product.prodname_codeql %} automatically populates this matrix when you add {% data variables.product.prodname_code_scanning %} to a repository. Using the `language` matrix optimizes {% data variables.product.prodname_codeql %} to run each analysis in parallel. We recommend that all workflows adopt this configuration due to the performance benefits of parallelizing builds. For more information about build matrices, see "[Managing complex workflows](/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix)."
{% data reusables.code-scanning.specify-language-to-analyze %}
If your workflow uses the `language` matrix then {% data variables.product.prodname_codeql %} is hardcoded to analyze only the languages in the matrix. To change the languages you want to analyze, edit the value of the matrix variable. You can remove a language to prevent it being analyzed or you can add a language that was not present in the repository when {% data variables.product.prodname_code_scanning %} was set up. For example, if the repository initially only contained JavaScript when {% data variables.product.prodname_code_scanning %} was set up, and you later added Python code, you will need to add `python` to the matrix.
```yaml
jobs:
analyze:
name: Analyze
...
strategy:
fail-fast: false
matrix:
language: ['javascript', 'python']
```
If your workflow does not contain a matrix called `language`, then {% data variables.product.prodname_codeql %} is configured to run analysis sequentially. If you don't specify languages in the workflow, {% data variables.product.prodname_codeql %} automatically detects, and attempts to analyze, any supported languages in the repository. If you want to choose which languages to analyze, without using a matrix, you can use the `languages` parameter under the `init` action.
```yaml
- uses: github/codeql-action/init@v1
with:
languages: cpp, csharp, python
```
{% if currentVersion == "free-pro-team@latest" %}
### Analyzing Python dependencies
For GitHub-hosted runners that use Linux only, the {% data variables.product.prodname_codeql_workflow %} will try to auto-install Python dependencies to give more results for the CodeQL analysis. You can control this behavior by specifying the `setup-python-dependencies` parameter for the action called by the "Initialize CodeQL" step. By default, this parameter is set to `true`:
- If the repository contains code written in Python, the "Initialize CodeQL" step installs the necessary dependencies on the GitHub-hosted runner. If the auto-install succeeds, the action also sets the environment variable `CODEQL_PYTHON` to the Python executable file that includes the dependencies.
- If the repository doesn't have any Python dependencies, or the dependencies are specified in an unexpected way, you'll get a warning and the action will continue with the remaining jobs. The action can run successfully even when there are problems interpreting dependencies, but the results may be incomplete.
Alternatively, you can install Python dependencies manually on any operating system. You will need to add `setup-python-dependencies` and set it to `false`, as well as set `CODEQL_PYTHON` to the Python executable that includes the dependencies, as shown in this workflow extract:
```yaml
jobs:
CodeQL-Build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ];
then pip install -r requirements.txt;
fi
# Set the `CODEQL-PYTHON` environment variable to the Python executable
# that includes the dependencies
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: python
# Override the default behavior so that the action doesn't attempt
# to auto-install Python dependencies
setup-python-dependencies: false
```
{% endif %}
### Running additional queries
{% data reusables.code-scanning.run-additional-queries %}
To add one or more queries, add a `with: queries:` entry within the `uses: github/codeql-action/init@v1` section of the workflow. If the queries are in a private repository, use the `external-repository-token` parameter to specify a token that has access to the private repository.
{% raw %}
``` yaml
- uses: github/codeql-action/init@v1
with:
queries: COMMA-SEPARATED LIST OF PATHS
# Optional. Provide a token to access private repositories.
external-repository-token: ${{ secrets.ACCESS_TOKEN }}
```
{% endraw %}
You can also specify query suites in the value of `queries`. Query suites are collections of queries, usually grouped by purpose or language.
{% data reusables.code-scanning.codeql-query-suites %}
If you are also using a configuration file for custom settings, any additional queries specified in your workflow are used instead of any specified in the configuration file. If you want to run the combined set of additional queries specified here and in the configuration file, prefix the value of `queries` in the workflow with the `+` symbol. For more information, see "[Using a custom configuration file](#using-a-custom-configuration-file)."
In the following example, the `+` symbol ensures that the specified additional queries are used together with any queries specified in the referenced configuration file.
{% raw %}
``` yaml
- uses: github/codeql-action/init@v1
with:
config-file: ./.github/codeql/codeql-config.yml
queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
external-repository-token: ${{ secrets.ACCESS_TOKEN }}
```
{% endraw %}
### Using a custom configuration file
As an alternative to specifying which queries to run in the workflow file, you can do this in a separate configuration file. You can also use a configuration file to disable the default queries and to specify which directories to scan during analysis.
In the workflow file, use the `config-file` parameter of the `init` action to specify the path to the configuration file you want to use. This example loads the configuration file _./.github/codeql/codeql-config.yml_.
``` yaml
- uses: github/codeql-action/init@v1
with:
config-file: ./.github/codeql/codeql-config.yml
```
{% data reusables.code-scanning.custom-configuration-file %}
If the configuration file is located in an external private repository, use the `external-repository-token` parameter of the `init` action to specify a token that has access to the private repository.
{% raw %}
```yaml
uses: github/codeql-action/init@v1
with:
external-repository-token: ${{ secrets.ACCESS_TOKEN }}
```
{% endraw %}
The settings in the configuration file are written in YAML format.
#### Specifying additional queries
You specify additional queries in a `queries` array. Each element of the array contains a `uses` parameter with a value that identifies a single query file, a directory containing query files, or a query suite definition file.
``` yaml
queries:
- uses: ./my-basic-queries/example-query.ql
- uses: ./my-advanced-queries
- uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls
```
Optionally, you can give each array element a name, as shown in the example configuration files below.
For more information about additional queries, see "[Running additional queries](#running-additional-queries)" above.
#### Disabling the default queries
If you only want to run custom queries, you can disable the default security queries by using `disable-default-queries: true`.
#### Specifying directories to scan
For the interpreted languages that {% data variables.product.prodname_codeql %} supports (Python and JavaScript/TypeScript), you can restrict {% data variables.product.prodname_code_scanning %} to files in specific directories by adding a `paths` array to the configuration file. You can exclude the files in specific directories from analysis by adding a `paths-ignore` array.
``` yaml
paths:
- src
paths-ignore:
- src/node_modules
- '**/*.test.js'
```
{% note %}
**Note**:
* The `paths` and `paths-ignore` keywords, used in the context of the {% data variables.product.prodname_code_scanning %} configuration file, should not be confused with the same keywords when used for `on.<push|pull_request>.paths` in a workflow. When they are used to modify `on.<push|pull_request>` in a workflow, they determine whether the actions will be run when someone modifies code in the specified directories. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestpaths)."
* `**` characters can only be at the start or end of a line, or surrounded by slashes, and you can't mix `**` and other characters. For example, `foo/**`, `**/foo`, and `foo/**/bar` are all allowed syntax, but `**foo` isn't. However you can use single stars along with other characters, as shown in the example. You'll need to quote anything that contains a `*` character.
{% endnote %}
For compiled languages, if you want to limit {% data variables.product.prodname_code_scanning %} to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
You can quickly analyze small portions of a monorepo when you modify code in specific directories. You'll need to both exclude directories in your build steps and use the `paths-ignore` and `paths` keywords for [`on.<push|pull_request>`](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestpaths) in your workflow.
#### Example configuration files
{% data reusables.code-scanning.example-configuration-files %}
### Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
{% data reusables.code-scanning.autobuild-compiled-languages %} {% data reusables.code-scanning.analyze-go %}
{% data reusables.code-scanning.autobuild-add-build-steps %} For more information about how to configure {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for compiled languages, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages)."
### Uploading {% data variables.product.prodname_code_scanning %} data to {% data variables.product.prodname_dotcom %}
{% data variables.product.prodname_dotcom %} can display code analysis data generated externally by a third-party tool. You can upload code analysis data with the `upload-sarif` action. For more information, see "[Uploading a SARIF file to GitHub](/code-security/secure-coding/uploading-a-sarif-file-to-github)."
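Review bot: the `external-repository-token` snippet is missing the leading `- ` that the other step examples in this hunk use; as written, `uses: github/codeql-action/init@v1` is not a valid entry in a `steps:` list, so it should read `- uses: github/codeql-action/init@v1` like the two snippets above it. The same two snippets would also benefit from one sentence about the token: it should come from a repository or organization secret (as `${{ secrets.ACCESS_TOKEN }}` already implies) and only needs read access to the external repository that holds the configuration file or query pack, so readers do not reach for a broadly scoped personal access token.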

@ -0,0 +1,201 @@
---
title: Configuring CodeQL code scanning in your CI system
shortTitle: Configuring in your CI
intro: 'You can configure how the {% data variables.product.prodname_codeql_runner %} scans the code in your project and uploads the results to {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
miniTocMaxHeadingLevel: 4
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-codeql-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta-codeql-runner %}
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
### About configuring {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system
To integrate {% data variables.product.prodname_code_scanning %} into your CI system, you can use the {% data variables.product.prodname_codeql_runner %}. For more information, see "[Running {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)."
In general, you invoke the {% data variables.product.prodname_codeql_runner %} as follows.
```shell
$ /path/to-runner/codeql-runner-OS <COMMAND> <FLAGS>
```
`/path/to-runner/` depends on where you've downloaded the {% data variables.product.prodname_codeql_runner %} on your CI system. `codeql-runner-OS` depends on the operating system you use.
There are three versions of the {% data variables.product.prodname_codeql_runner %}, `codeql-runner-linux`, `codeql-runner-macos`, and `codeql-runner-win`, for Linux, macOS, and Windows systems respectively.
To customize the way the {% data variables.product.prodname_codeql_runner %} scans your code, you can use flags, such as `--languages` and `--queries`, or you can specify custom settings in a separate configuration file.
### Scanning pull requests
Scanning code whenever a pull request is created prevents developers from introducing new vulnerabilities and errors into the code.
To scan a pull request, run the `analyze` command and use the `--ref` flag to specify the pull request. The reference is `refs/pull/<PR-number>/head` or `refs/pull/<PR-number>/merge`, depending on whether you have checked out the HEAD commit of the pull request branch or a merge commit with the base branch.
```shell
$ /path/to-runner/codeql-runner-linux analyze --ref refs/pull/42/merge
```
{% note %}
**Note**: If you analyze code with a third-party tool and want the results to appear as pull request checks, you must run the `upload` command and use the `--ref` flag to specify the pull request instead of the branch. The reference is `refs/pull/<PR-number>/head` or `refs/pull/<PR-number>/merge`.
{% endnote %}
### Overriding automatic language detection
The {% data variables.product.prodname_codeql_runner %} automatically detects and scans code written in the supported languages.
{% data reusables.code-scanning.supported-languages %}
{% data reusables.code-scanning.specify-language-to-analyze %}
To override automatic language detection, run the `init` command with the `--languages` flag, followed by a comma-separated list of language keywords. The keywords for the supported languages are `cpp`, `csharp`, `go`, `java`, `javascript`, and `python`.
```shell
$ /path/to-runner/codeql-runner-linux init --languages cpp,java
```
### Running additional queries
{% data reusables.code-scanning.run-additional-queries %}
{% data reusables.code-scanning.codeql-query-suites %}
To add one or more queries, pass a comma-separated list of paths to the `--queries` flag of the `init` command. You can also specify additional queries in a configuration file.
If you also are using a configuration file for custom settings, and you are also specifying additional queries with the `--queries` flag, the {% data variables.product.prodname_codeql_runner %} uses the additional queries specified with the <nobr>`--queries`</nobr> flag instead of any in the configuration file.
If you want to run the combined set of additional queries specified with the flag and in the configuration file, prefix the value passed to <nobr>`--queries`</nobr> with the `+` symbol.
For more information, see "[Using a custom configuration file](#using-a-custom-configuration-file)."
In the following example, the `+` symbol ensures that the {% data variables.product.prodname_codeql_runner %} uses the additional queries together with any queries specified in the referenced configuration file.
```shell
$ /path/to-runner/codeql-runner-linux init --config-file .github/codeql/codeql-config.yml
--queries +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main
```
### Using a custom configuration file
Instead of passing additional information to the {% data variables.product.prodname_codeql_runner %} commands, you can specify custom settings in a separate configuration file.
The configuration file is a YAML file. It uses syntax similar to the workflow syntax for {% data variables.product.prodname_actions %}, as illustrated in the examples below. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions)."
Use the `--config-file` flag of the `init` command to specify the configuration file. The value of <nobr>`--config-file`</nobr> is the path to the configuration file that you want to use. This example loads the configuration file _.github/codeql/codeql-config.yml_.
```shell
$ /path/to-runner/codeql-runner-linux init --config-file .github/codeql/codeql-config.yml
```
{% data reusables.code-scanning.custom-configuration-file %}
#### Example configuration files
{% data reusables.code-scanning.example-configuration-files %}
### Configuring {% data variables.product.prodname_code_scanning %} for compiled languages
For the compiled languages C/C++, C#, and Java, {% data variables.product.prodname_codeql %} builds the code before analyzing it. {% data reusables.code-scanning.analyze-go %}
For many common build systems, the {% data variables.product.prodname_codeql_runner %} can build the code automatically. To attempt to build the code automatically, run `autobuild` between the `init` and `analyze` steps. Note that if your repository requires a specific version of a build tool, you may need to install the build tool manually first.
The `autobuild` process only ever attempts to build _one_ compiled language for a repository. The language automatically selected for analysis is the language with the most files. If you want to choose a language explicitly, use the `--language` flag of the `autobuild` command.
```shell
$ /path/to-runner/codeql-runner-linux autobuild --language csharp
```
If the `autobuild` command can't build your code, you can run the build steps yourself, between the `init` and `analyze` steps. For more information, see "[Running {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system#compiled-language-example)."
### Uploading {% data variables.product.prodname_code_scanning %} data to {% data variables.product.prodname_dotcom %}
By default, the {% data variables.product.prodname_codeql_runner %} uploads results from {% data variables.product.prodname_code_scanning %} when you run the `analyze` command. You can also upload SARIF files separately, by using the `upload` command.
Once you've uploaded the data, {% data variables.product.prodname_dotcom %} displays the alerts in your repository.
- If you uploaded to a pull request, for example `--ref refs/pull/42/merge` or `--ref refs/pull/42/head`, then the results appear as alerts in a pull request check. For more information, see "[Triaging code scanning alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
- If you uploaded to a branch, for example `--ref refs/heads/my-branch`, then the results appear in the **Security** tab for your repository. For more information, see "[Managing code scanning alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
### {% data variables.product.prodname_codeql_runner %} command reference
The {% data variables.product.prodname_codeql_runner %} supports the following commands and flags.
#### `init`
Initializes the {% data variables.product.prodname_codeql_runner %} and creates a {% data variables.product.prodname_codeql %} database for each language to be analyzed.
| Flag | Required | Input value |
| ---- |:--------:| ----------- |
| `--repository` | ✓ | Name of the repository to initialize. |
| `--github-url` | ✓ | URL of the {% data variables.product.prodname_dotcom %} instance where your repository is hosted. |
| `--github-auth` | ✓ | A {% data variables.product.prodname_github_apps %} token or personal access token. |
| `--languages` | | Comma-separated list of languages to analyze. By default, the {% data variables.product.prodname_codeql_runner %} detects and analyzes all supported languages in the repository. |
| `--queries` | | Comma-separated list of additional queries to run, in addition to the default suite of security queries. |
| `--config-file` | | Path to custom configuration file. |
| `--codeql-path` | | Path to a copy of the {% data variables.product.prodname_codeql %} CLI executable to use. By default, the {% data variables.product.prodname_codeql_runner %} downloads a copy. |
| `--temp-dir` | | Directory where temporary files are stored. The default is `./codeql-runner`. |
| `--tools-dir` | | Directory where {% data variables.product.prodname_codeql %} tools and other files are stored between runs. The default is a subdirectory of the home directory. |
| <nobr>`--checkout-path`</nobr> | | The path to the checkout of your repository. The default is the current working directory. |
| `--debug` | | None. Prints more verbose output. |
| `-h`, `--help` | | None. Displays help for the command. |
#### `autobuild`
Attempts to build the code for the compiled languages C/C++, C#, and Java. For those languages, {% data variables.product.prodname_codeql %} builds the code before analyzing it. Run `autobuild` between the `init` and `analyze` steps.
| Flag | Required | Input value |
| ---- |:--------:| ----------- |
| `--language` | | The language to build. By default, the {% data variables.product.prodname_codeql_runner %} builds the compiled language with the most files. |
| <nobr>`--temp-dir`</nobr> | | Directory where temporary files are stored. The default is `./codeql-runner`. |
| `--debug` | | None. Prints more verbose output. |
| `-h`, `--help` | | None. Displays help for the command. |
#### `analyze`
Analyzes the code in the {% data variables.product.prodname_codeql %} databases and uploads results to {% data variables.product.product_name %}.
| Flag | Required | Input value |
| ---- |:--------:| ----------- |
| `--repository` | ✓ | Name of the repository to analyze. |
| `--commit` | ✓ | SHA of the commit to analyze. In Git and in Azure DevOps, this corresponds to the value of `git rev-parse HEAD`. In Jenkins, this corresponds to `$GIT_COMMIT`. |
| `--ref` | ✓ | Name of the reference to analyze, for example `refs/heads/main` or `refs/pull/42/merge`. In Git or in Jenkins, this corresponds to the value of `git symbolic-ref HEAD`. In Azure DevOps, this corresponds to `$(Build.SourceBranch)`. |
| `--github-url` | ✓ | URL of the {% data variables.product.prodname_dotcom %} instance where your repository is hosted. |
| `--github-auth` | ✓ | A {% data variables.product.prodname_github_apps %} token or personal access token. |
| <nobr>`--checkout-path`</nobr> | | The path to the checkout of your repository. The default is the current working directory. |
| `--no-upload` | | None. Stops the {% data variables.product.prodname_codeql_runner %} from uploading the results to {% data variables.product.product_name %}. |
| `--output-dir` | | Directory where the output SARIF files are stored. The default is in the directory of temporary files. |
| `--ram` | | Amount of memory to use when running queries. The default is to use all available memory. |
| <nobr>`--no-add-snippets`</nobr> | | None. Excludes code snippets from the SARIF output. |
| `--threads` | | Number of threads to use when running queries. The default is to use all available cores. |
| `--temp-dir` | | Directory where temporary files are stored. The default is `./codeql-runner`. |
| `--debug` | | None. Prints more verbose output. |
| `-h`, `--help` | | None. Displays help for the command. |
#### `upload`
Uploads SARIF files to {% data variables.product.product_name %}.
{% note %}
**Note**: If you analyze code with the CodeQL runner, the `analyze` command uploads SARIF results by default. You can use the `upload` command to upload SARIF results that were generated by other tools.
{% endnote %}
| Flag | Required | Input value |
| ---- |:--------:| ----------- |
| `--sarif-file` | ✓ | SARIF file to upload, or a directory containing multiple SARIF files. |
| `--repository` | ✓ | Name of the repository that was analyzed. |
| `--commit` | ✓ | SHA of the commit that was analyzed. In Git and in Azure DevOps, this corresponds to the value of `git rev-parse HEAD`. In Jenkins, this corresponds to `$GIT_COMMIT`. |
| `--ref` | ✓ | Name of the reference that was analyzed, for example `refs/heads/main` or `refs/pull/42/merge`. In Git or in Jenkins, this corresponds to the value of `git symbolic-ref HEAD`. In Azure DevOps, this corresponds to `$(Build.SourceBranch)`. |
| `--github-url` | ✓ | URL of the {% data variables.product.prodname_dotcom %} instance where your repository is hosted. |
| `--github-auth` | ✓ | A {% data variables.product.prodname_github_apps %} token or personal access token. |
| <nobr>`--checkout-path`</nobr> | | The path to the checkout of your repository. The default is the current working directory. |
| `--debug` | | None. Prints more verbose output. |
| `-h`, `--help` | | None. Displays help for the command. |
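Review bot: the `--github-auth` rows in the `init`, `analyze` and `upload` tables describe the flag as a token but say nothing about how to supply it safely; a value passed as a command-line argument is visible in process listings and is easily echoed into CI build logs, so the tables (or the introductory text) should tell readers to source it from their CI system's secret store and state the minimum scope the token needs. Smaller points: "If you also are using a configuration file for custom settings, and you are also specifying additional queries with the `--queries` flag" repeats "also" and reads awkwardly (compare the cleaner wording of the same rule in the Actions-based article); and the `upload` note says "the CodeQL runner" in plain text where every other mention uses `{% data variables.product.prodname_codeql_runner %}`.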

@ -0,0 +1,124 @@
---
title: Configuring the CodeQL workflow for compiled languages
shortTitle: Configuring for compiled languages
intro: 'You can configure how {% data variables.product.prodname_dotcom %} uses the {% data variables.product.prodname_codeql_workflow %} to scan code written in compiled languages for vulnerabilities and errors.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permissions to a repository, you can configure {% data variables.product.prodname_code_scanning %} for that repository.'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-for-compiled-languages
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-action-for-compiled-languages
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-workflow-for-compiled-languages
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
### About the {% data variables.product.prodname_codeql_workflow %} and compiled languages
You set up {% data variables.product.prodname_dotcom %} to run {% data variables.product.prodname_code_scanning %} for your repository by adding a {% data variables.product.prodname_actions %} workflow to the repository. For {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you add the {% data variables.product.prodname_codeql_workflow %}. For more information, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
{% data reusables.code-scanning.edit-workflow %}
For general information about configuring {% data variables.product.prodname_code_scanning %} and editing workflow files, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)" and "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
### About autobuild for {% data variables.product.prodname_codeql %}
Code scanning works by running queries against one or more databases. Each database contains a representation of all of the code in a single language in your repository. For the compiled languages C/C++, C#, and Java, the process of populating this database involves building the code and extracting data. {% data reusables.code-scanning.analyze-go %}
{% data reusables.code-scanning.autobuild-compiled-languages %}
If your workflow uses a `language` matrix, `autobuild` attempts to build each of the compiled languages listed in the matrix. Without a matrix `autobuild` attempts to build the supported compiled language that has the most source files in the repository. With the exception of Go, analysis of other compiled languages in your repository will fail unless you supply explicit build commands.
{% note %}
{% if currentVersion == "github-ae@latest" %}**Note**: For instructions on how to make sure your {% data variables.actions.hosted_runner %} has the required software installed, see "[Creating custom images](/actions/using-github-hosted-runners/creating-custom-images)."
{% else %}
**Note**: If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. For more information, see "[Specifications for {% data variables.product.prodname_dotcom %}-hosted runners](/actions/reference/specifications-for-github-hosted-runners/#supported-software)".
{% endif %}
{% endnote %}
#### C/C++
| Supported system type | System name |
|----|----|
| Operating system | Windows, macOS, and Linux |
| Build system | Windows: MSbuild and build scripts<br/>Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts |
The behavior of the `autobuild` step varies according to the operating system that the extraction runs on. On Windows, the `autobuild` step attempts to autodetect a suitable build method for C/C++ using the following approach:
1. Invoke `MSBuild.exe` on the solution (`.sln`) or project (`.vcxproj`) file closest to the root.
If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
2. Invoke a script that looks like a build script—_build.bat_, _build.cmd_, _and build.exe_ (in that order).
On Linux and macOS, the `autobuild` step reviews the files present in the repository to determine the build system used:
1. Look for a build system in the root directory.
2. If none are found, search subdirectories for a unique directory with a build system for C/C++.
3. Run an appropriate command to configure the system.
#### C#
| Supported system type | System name |
|----|----|
| Operating system | Windows and Linux |
| Build system | .NET and MSbuild, as well as build scripts |
The `autobuild` process attempts to autodetect a suitable build method for C# using the following approach:
1. Invoke `dotnet build` on the solution (`.sln`) or project (`.csproj`) file closest to the root.
2. Invoke `MSbuild` (Linux) or `MSBuild.exe` (Windows) on the solution or project file closest to the root.
If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
3. Invoke a script that looks like a build script—_build_ and _build.sh_ (in that order, for Linux) or _build.bat_, _build.cmd_, _and build.exe_ (in that order, for Windows).
#### Java
| Supported system type | System name |
|----|----|
| Operating system | Windows, macOS, and Linux (no restriction) |
| Build system | Gradle, Maven and Ant |
The `autobuild` process tries to determine the build system for Java codebases by applying this strategy:
1. Search for a build file in the root directory. Check for Gradle then Maven then Ant build files.
2. Run the first build file found. If both Gradle and Maven files are present, the Gradle file is used.
3. Otherwise, search for build files in direct subdirectories of the root directory. If only one subdirectory contains build files, run the first file identified in that subdirectory (using the same preference as for 1). If more than one subdirectory contains build files, report an error.
### Adding build steps for a compiled language
{% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning#editing-a-code-scanning-workflow)."
After removing the `autobuild` step, uncomment the `run` step and add build commands that are suitable for your repository. The workflow `run` step runs command-line programs using the operating system's shell. You can modify these commands and add more commands to customize the build process.
``` yaml
- run: |
make bootstrap
make release
```
For more information about the `run` keyword, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun)."
If your repository contains multiple compiled languages, you can specify language-specific build commands. For example, if your repository contains C/C++, C# and Java, and `autobuild` correctly builds C/C++ and C# but fails to build Java, you could use the following configuration in your workflow, after the `init` step. This specifies build steps for Java while still using `autobuild` for C/C++ and C#:
```yaml
- if: matrix.language == 'cpp' || matrix.language == 'csharp'
name: Autobuild
uses: github/codeql-action/autobuild@v1
- if: matrix.language == 'java'
name: Build Java
run: |
make bootstrap
make release
```
For more information about the `if` conditional, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsif)."
For more tips and tricks about why `autobuild` won't build your code, see "[Troubleshooting the {% data variables.product.prodname_codeql %} workflow](/code-security/secure-coding/troubleshooting-the-codeql-workflow)."
If you added manual build steps for compiled languages and {% data variables.product.prodname_code_scanning %} is still not working on your repository, contact {% data variables.contact.contact_support %}.
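Review bot: the italics in the two build-script lists are mis-nested: `_build.bat_, _build.cmd_, _and build.exe_` (in both the C/C++ and the C# sections) italicizes "and build.exe" as if it were a filename; it should read `_build.bat_, _build.cmd_, and _build.exe_`. Also: "Without a matrix `autobuild` attempts" needs a comma after "matrix"; the self-hosted runners note ends with `)".` while every other link in the file ends with `)."`; and "[Workflow syntax for GitHub Actions]" after the `if` example spells out the product name where the rest of the file uses `{% data variables.product.prodname_actions %}`.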

@ -0,0 +1,35 @@
---
title: Finding security vulnerabilities and errors in your code
shortTitle: Secure coding
intro: 'Keep your code secure by using secret scanning to identify and fix potential security vulnerabilities and other errors in your code.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/finding-security-vulnerabilities-in-your-projects-code
- /github/finding-security-vulnerabilities-and-errors-in-your-code
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
### Table of Contents
{% topic_link_in_list /automatically-scanning-your-code-for-vulnerabilities-and-errors %}
{% link_in_list /about-code-scanning %}
{% link_in_list /triaging-code-scanning-alerts-in-pull-requests %}
{% link_in_list /setting-up-code-scanning-for-a-repository %}
{% link_in_list /managing-code-scanning-alerts-for-your-repository %}
{% link_in_list /configuring-code-scanning %}
{% link_in_list /configuring-the-codeql-workflow-for-compiled-languages %}
{% link_in_list /troubleshooting-the-codeql-workflow %}
{% link_in_list /running-codeql-code-scanning-in-a-container %}
{% topic_link_in_list /integrating-with-code-scanning %}
{% link_in_list /about-integration-with-code-scanning %}
{% link_in_list /uploading-a-sarif-file-to-github %}
{% link_in_list /sarif-support-for-code-scanning %}
{% topic_link_in_list /using-codeql-code-scanning-with-your-existing-ci-system %}
{% link_in_list /running-codeql-code-scanning-in-your-ci-system %}
{% link_in_list /configuring-codeql-code-scanning-in-your-ci-system %}
{% link_in_list /troubleshooting-codeql-code-scanning-in-your-ci-system %}
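Review bot: the `intro` of this index page says "Keep your code secure by using secret scanning to identify and fix potential security vulnerabilities and other errors in your code", but every article it lists is about code scanning (CodeQL, SARIF upload, CI integration), and secret scanning lives under the separate secret-security product introduced in this same commit. Change it to refer to {% data variables.product.prodname_code_scanning %} so the landing page does not point readers at the wrong feature.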

@ -0,0 +1,17 @@
---
title: Integrating with code scanning
shortTitle: Integration
intro: 'You can integrate third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %} by uploading data as SARIF files.'
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/integrating-with-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---

@ -0,0 +1,139 @@
---
title: Managing code scanning alerts for your repository
shortTitle: Managing alerts
intro: 'From the security view, you can view, fix, {% if currentVersion == "enterprise-server@2.22" %}or close{% else %}dismiss, or delete{% endif %} alerts for potential vulnerabilities or errors in your project''s code.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permission to a repository you can manage {% data variables.product.prodname_code_scanning %} alerts for that repository.'
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
redirect_from:
- /github/managing-security-vulnerabilities/managing-alerts-from-automated-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository
topics:
- security
---
{% data reusables.code-scanning.beta %}
### About alerts from {% data variables.product.prodname_code_scanning %}
You can set up {% data variables.product.prodname_code_scanning %} to check the code in a repository using the default {% data variables.product.prodname_codeql %} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {% data variables.product.company_short %}'s default {% data variables.product.prodname_codeql %} analysis. For more information, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
{% data reusables.code-scanning.upload-sarif-alert-limit %}
### About alerts details
Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by {% data variables.product.prodname_codeql %} analysis, you will also see information on how to fix the problem.
![Example alert from {% data variables.product.prodname_code_scanning %}](/assets/images/help/repository/code-scanning-alert.png)
If you set up {% data variables.product.prodname_code_scanning %} using {% data variables.product.prodname_codeql %}, this can also detect data-flow problems in your code. Data-flow analysis finds potential security issues in code, such as: using data insecurely, passing dangerous arguments to functions, and leaking sensitive information.
When {% data variables.product.prodname_code_scanning %} reports data-flow alerts, {% data variables.product.prodname_dotcom %} shows you how data moves through the code. {% data variables.product.prodname_code_scanning_capc %} allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users.
### Viewing the alerts for a repository
Anyone with read permission for a repository can see {% data variables.product.prodname_code_scanning %} annotations on pull requests. For more information, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
You need write permission to view a summary of all the alerts for a repository on the **Security** tab. By default, alerts are shown for the default branch.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
1. Under "{% data variables.product.prodname_code_scanning_capc %}," click the alert you'd like to explore.
![Summary of alerts](/assets/images/help/repository/code-scanning-click-alert.png)
1. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used.
![The "Show paths" link on an alert](/assets/images/help/repository/code-scanning-show-paths.png)
1. Alerts from {% data variables.product.prodname_codeql %} analysis include a description of the problem. Click **Show more** for guidance on how to fix your code.
![Details for an alert](/assets/images/help/repository/code-scanning-alert-details.png)
### Fixing an alert
Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)" and "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
If you have write permission for a repository, you can view fixed alerts by viewing the summary of alerts and clicking **Closed**. For more information, see "[Viewing the alerts for a repository](#viewing-the-alerts-for-a-repository)." The "Closed" list shows fixed alerts and alerts that users have {% if currentVersion == "enterprise-server@2.22" %}closed{% else %}dismissed{% endif %}.
Alerts may be fixed in one branch but not in another. You can use the "Branch" drop-down menu, on the summary of alerts, to check whether an alert is fixed in a particular branch.
![Filtering alerts by branch](/assets/images/help/repository/code-scanning-branch-filter.png)
{% if currentVersion == "enterprise-server@2.22" %}
### Closing an alert
Closing an alert is a way to resolve an alert that you don't think needs to be fixed. {% data reusables.code-scanning.close-alert-examples %}
{% else %}
### Dismissing or deleting alerts
There are two ways of closing an alert. You can fix the problem in the code, or you can dismiss the alert. Alternatively, if you have admin permissions for the repository, you can delete alerts. Deleting alerts is useful in situations where you have set up a {% data variables.product.prodname_code_scanning %} tool and then decided to remove it, or where you have configured {% data variables.product.prodname_codeql %} analysis with a larger set of queries than you want to continue using, and you've then removed some queries from the tool. In both cases, deleting alerts allows you to clean up your {% data variables.product.prodname_code_scanning %} results. You can delete alerts from the summary list within the **Security** tab.
Dismissing an alert is a way of closing an alert that you don't think needs to be fixed. {% data reusables.code-scanning.close-alert-examples %} You can dismiss alerts from {% data variables.product.prodname_code_scanning %} annotations in code, or from the summary list within the **Security** tab.
When you dismiss an alert:
- It's dismissed in all branches.
- The alert is removed from the number of current alerts for your project.
- The alert is moved to the "Closed" list in the summary of alerts, from where you can reopen it, if required.
- The reason why you closed the alert is recorded.
- Next time {% data variables.product.prodname_code_scanning %} runs, the same code won't generate an alert.
When you delete an alert:
- It's deleted in all branches.
- The alert is removed from the number of current alerts for your project.
- It is _not_ added to the "Closed" list in the summary of alerts.
- If the code that generated the alert stays the same, and the same {% data variables.product.prodname_code_scanning %} tool runs again without any configuration changes, the alert will be shown again in your analysis results.
To dismiss or delete alerts:
{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-code-scanning-alerts %}
{% if currentVersion == "enterprise-server@2.22" %}
{% data reusables.code-scanning.click-alert-in-list %}
1. Select the **Close** drop-down menu and click a reason for closing the alert.
![Choosing reason for closing the alert via the Close drop-down](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.false-positive-fix-codeql %}
{% else %}
1. If you have admin permissions for the repository, and you want to delete alerts for this {% data variables.product.prodname_code_scanning %} tool, select some or all of the check boxes and click **Delete**.
![Deleting alerts](/assets/images/help/repository/code-scanning-delete-alerts.png)
Optionally, you can use the filters to display a subset of alerts and then delete all matching alerts at once. For example, if you have removed a query from {% data variables.product.prodname_codeql %} analysis, you can use the "Rule" filter to list just the alerts for that query and then select and delete all of those alerts.
![Filter alerts by rule](/assets/images/help/repository/code-scanning-filter-by-rule.png)
1. If you want to dismiss an alert, it's important to explore the alert first, so that you can choose the correct dismissal reason. Click the alert you'd like to explore.
![Open an alert from the summary list](/assets/images/help/repository/code-scanning-click-alert.png)
1. Review the alert, then click **Dismiss** and choose a reason for closing the alert.
![Choosing a reason for dismissing an alert](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.choose-alert-dismissal-reason %}
{% data reusables.code-scanning.false-positive-fix-codeql %}
#### Dismissing multiple alerts at once
If a project has multiple alerts that you want to dismiss for the same reason, you can bulk dismiss them from the summary of alerts. Typically, you'll want to filter the list and then dismiss all of the matching alerts. For example, you might want to dismiss all of the current alerts in the project that have been tagged for a particular Common Weakness Enumeration (CWE) vulnerability.
{% endif %}
### Further reading
- "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)"
- "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)"
- "[About integration with {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/about-integration-with-code-scanning)"
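Review bot: The "Dismissing multiple alerts at once" subsection describes the bulk action but gives no procedure and no reminder that the consequences listed under "When you dismiss an alert" apply to every alert in the selection: each one is dismissed in all branches and the same code won't alert again on the next run. Because a bulk dismissal keyed on a CWE filter can silence true positives that merely share the weakness class, suggest adding a sentence telling readers to review the filtered list before dismissing, mirroring the "explore the alert first" advice given for single alerts. Minor: the heading "About alerts details" should read "About alert details".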

View file

@ -0,0 +1,74 @@
---
title: Running CodeQL code scanning in a container
shortTitle: '{% data variables.product.prodname_code_scanning_capc %} in a container'
intro: 'You can run {% data variables.product.prodname_code_scanning %} in a container by ensuring that all processes run in the same container.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-a-container
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
### About {% data variables.product.prodname_code_scanning %} with a containerized build
If you're setting up {% data variables.product.prodname_code_scanning %} for a compiled language, and you're building the code in a containerized environment, the analysis may fail with the error message "No source code was seen during the build." This indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code as it was compiled.
You must run {% data variables.product.prodname_codeql %} in the same container in which you build your code. This applies whether you are using the {% data variables.product.prodname_codeql_runner %}, or {% data variables.product.prodname_actions %}. If you're using the {% data variables.product.prodname_codeql_runner %}, run it in the container where your code builds. For more information about the {% data variables.product.prodname_codeql_runner %}, see "[Running {% data variables.product.prodname_codeql %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)." If you're using {% data variables.product.prodname_actions %}, configure your workflow to run all the actions in the same container. For more information, see "[Example workflow](#example-workflow)."
### Dependencies
You may have difficulty running {% data variables.product.prodname_code_scanning %} if the container you're using is missing certain dependencies (for example, Git must be installed and added to the PATH variable). If you encounter dependency issues, review the list of software typically included on {% data variables.product.prodname_dotcom %}'s virtual environments. For more information, see the version-specific `readme` files in these locations:
* Linux: https://github.com/actions/virtual-environments/tree/main/images/linux
* macOS: https://github.com/actions/virtual-environments/tree/main/images/macos
* Windows: https://github.com/actions/virtual-environments/tree/main/images/win
### Example workflow
This sample workflow uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis in a containerized environment. The value of `container.image` identifies the container to use. In this example the image is named `codeql-container`, with a tag of `f0f91db`. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontainer)."
``` yaml
name: "{% data variables.product.prodname_codeql %}"
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 0'
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [java]
# Specify the container in which actions will run
container:
image: codeql-container:f0f91db
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Initialize {% data variables.product.prodname_codeql %}
uses: github/codeql-action/init@v1
with:
languages: {% raw %}${{ matrix.language }}{% endraw %}
- name: Build
run: |
./configure
make
- name: Perform {% data variables.product.prodname_codeql %} Analysis
uses: github/codeql-action/analyze@v1
```
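Review bot: The build step in the example workflow does not match the matrix language: `language: [java]` is paired with `./configure` and `make`, which a Java project would not have; either switch the matrix to a language the autotools build fits (for example `cpp`) or replace the build step with a Java build command so the example runs as written. Also worth a sentence under "Dependencies": because every step runs inside the image named in `container.image`, that image, not the runner's virtual environment, must provide the build toolchain and Git on PATH, which is the usual cause of the "No source code was seen during the build" failure described above.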

View file

@ -0,0 +1,158 @@
---
title: Running CodeQL code scanning in your CI system
shortTitle: Running in your CI
intro: 'You can use the {% data variables.product.prodname_codeql_runner %} to perform {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in a third-party continuous integration system.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system
- /github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
<!--UI-LINK: When GitHub Enterprise Server doesn't have GitHub Actions set up, the Security > Code scanning alerts view links to this article.-->
{% data reusables.code-scanning.beta-codeql-runner %}
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
### Using {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} with your existing CI system
If you use a continuous integration or continuous delivery/deployment (CI/CD) system other than {% data variables.product.prodname_actions %}, you can use your existing system to run {% data variables.product.prodname_dotcom %}'s {% data variables.product.prodname_codeql %} analysis and upload the results to {% data variables.product.prodname_dotcom %}. To do this, use the {% data variables.product.prodname_codeql_runner %}.
### About the {% data variables.product.prodname_codeql_runner %}
{% data reusables.code-scanning.about-code-scanning %} For information, see "[About {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/about-code-scanning)."
You can use the {% data variables.product.prodname_codeql_runner %} to run {% data variables.product.prodname_code_scanning %} on code that you're processing in a third-party continuous integration (CI) system. Alternatively, you can use {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_code_scanning %} on {% data variables.product.product_name %}. For information, see "[Setting up {% data variables.product.prodname_code_scanning %} for a repository](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)."
The {% data variables.product.prodname_codeql_runner %} is a command-line tool that runs {% data variables.product.prodname_codeql %} analysis on a checkout of a {% data variables.product.prodname_dotcom %} repository. You add the runner to your third-party system, then call the runner to analyze code and upload the results to {% data variables.product.product_name %}. These results are displayed as {% data variables.product.prodname_code_scanning %} alerts in the repository.
{% note %}
**Notes:**
{% if currentVersion == "free-pro-team@latest" %}
* The {% data variables.product.prodname_codeql_runner %} uses the {% data variables.product.prodname_codeql %} CLI to analyze code and therefore has the same license conditions. It's free to use on public repositories that are maintained on {% data variables.product.prodname_dotcom_the_website %}, and available to use on private repositories that are owned by customers with an {% data variables.product.prodname_advanced_security %} license. For information, see "[{% data variables.product.product_name %} {% data variables.product.prodname_codeql %} Terms and Conditions](https://securitylab.github.com/tools/codeql/license)" and "[{% data variables.product.prodname_codeql %} CLI](https://codeql.github.com/docs/codeql-cli/)."
{% else %}
* The {% data variables.product.prodname_codeql_runner %} is available to customers with an {% data variables.product.prodname_advanced_security %} license.
{% endif %}
* The {% data variables.product.prodname_codeql_runner %} shouldn't be confused with the {% data variables.product.prodname_codeql %} CLI. The {% data variables.product.prodname_codeql %} CLI is an interactive command-line interface that lets you create {% data variables.product.prodname_codeql %} databases for security research and run {% data variables.product.prodname_codeql %} queries. For more information, see "[{% data variables.product.prodname_codeql %} CLI](https://codeql.github.com/docs/codeql-cli/)."
{% endnote %}
### Downloading the {% data variables.product.prodname_codeql_runner %}
You can download the {% data variables.product.prodname_codeql_runner %} from https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action/releases. On some operating systems, you may need to change permissions for the downloaded file before you can run it.
On Linux:
```shell
chmod +x codeql-runner-linux
```
On macOS:
```shell
chmod +x codeql-runner-macos
sudo xattr -d com.apple.quarantine codeql-runner-macos
```
On Windows, the `codeql-runner-win.exe` file usually requires no change to permissions.
### Adding the {% data variables.product.prodname_codeql_runner %} to your CI system
Once you download the {% data variables.product.prodname_codeql_runner %} and verify that it can be executed, you should make the runner available to each CI server that you intend to use for {% data variables.product.prodname_code_scanning %}. For example, you might configure each server to copy the runner from a central, internal location. Alternatively, you could use the REST API to get the runner directly from {% data variables.product.prodname_dotcom %}, for example:
```shell
wget https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action/releases/latest/download/codeql-runner-linux
chmod +x codeql-runner-linux
```
In addition to this, each CI server also needs:
- A {% data variables.product.prodname_github_app %} or personal access token for the {% data variables.product.prodname_codeql_runner %} to use. You must use an access token with the `repo` scope, or a {% data variables.product.prodname_github_app %} with the `security_events` write permission, and `metadata` and `contents` read permissions. For information, see "[Building {% data variables.product.prodname_github_apps %}](/developers/apps/building-github-apps)" and "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
- Access to the {% data variables.product.prodname_codeql %} bundle associated with this release of the {% data variables.product.prodname_codeql_runner %}. This package contains queries and libraries needed for {% data variables.product.prodname_codeql %} analysis, plus the {% data variables.product.prodname_codeql %} CLI, which is used internally by the runner. For information, see "[{% data variables.product.prodname_codeql %} CLI](https://codeql.github.com/docs/codeql-cli/)."
The options for providing access to the {% data variables.product.prodname_codeql %} bundle are:
1. Allow the CI servers access to https://{% if currentVersion == "enterprise-server@2.22" or currentVersion == "free-pro-team@latest" %}github.com{% else %}<em>HOSTNAME</em>{% endif %}/github/codeql-action so that the {% data variables.product.prodname_codeql_runner %} can download the bundle automatically.
{% if currentVersion == "enterprise-server@2.22" %}
1. Mirror the `github/codeql-action` repository on {% data variables.product.product_name %}. Unless you specify the <nobr>`--codeql-path`</nobr> flag, the runner automatically checks for the bundle in this location and on {% data variables.product.prodname_dotcom_the_website %}.{% endif %}
1. Manually download/extract the bundle, store it with other central resources, and use the <nobr>`--codeql-path`</nobr> flag to specify the location of the bundle in calls to initialize the {% data variables.product.prodname_codeql_runner %}.
### Calling the {% data variables.product.prodname_codeql_runner %}
You should call the {% data variables.product.prodname_codeql_runner %} from the checkout location of the repository you want to analyze. The two main commands are:
1. `init` required to initialize the runner and create a {% data variables.product.prodname_codeql %} database for each language to be analyzed. These databases are populated and analyzed by subsequent commands.
1. `analyze` required to populate the {% data variables.product.prodname_codeql %} databases, analyze them, and upload results to {% data variables.product.product_name %}.
For both commands, you must specify the URL of {% data variables.product.product_name %}, the repository *OWNER/NAME*, and the {% data variables.product.prodname_github_apps %} or personal access token to use for authentication. You also need to specify the location of the CodeQL bundle, unless the CI server has access to download it directly from the `github/codeql-action` repository.
You can configure where the {% data variables.product.prodname_codeql_runner %} stores the CodeQL bundle for future analysis on a server using the <nobr>`--tools-dir`</nobr> flag and where it stores temporary files during analysis using <nobr>`--temp-dir`</nobr>.
To view the command-line reference for the runner, use the `-h` flag. For example, to list all commands run: `codeql-runner-OS -h`, or to list all the flags available for the `init` command run: `codeql-runner-OS init -h` (where `OS` varies according to the executable that you are using). For more information, see "[Configuring {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/configuring-codeql-code-scanning-in-your-ci-system#codeql-runner-command-reference)."
{% data reusables.code-scanning.upload-sarif-alert-limit %}
#### Basic example
This example runs {% data variables.product.prodname_codeql %} analysis on a Linux CI server for the `octo-org/example-repo` repository hosted on `{% data variables.command_line.git_url_example %}`. The process is very simple because the repository contains only languages that can be analyzed by {% data variables.product.prodname_codeql %} directly, without being built (that is, Go, JavaScript, Python, and TypeScript).
In this example, the server has access to download the {% data variables.product.prodname_codeql %} bundle directly from the `github/codeql-action` repository, so there is no need to use the `--codeql-path` flag.
1. Check out the repository to analyze.
1. Move into the directory where the repository is checked out.
1. Initialize the {% data variables.product.prodname_codeql_runner %} and create {% data variables.product.prodname_codeql %} databases for the languages detected.
```shell
$ /path/to-runner/codeql-runner-linux init --repository octo-org/example-repo
--github-url {% data variables.command_line.git_url_example %} --github-auth TOKEN
> Cleaning temp directory /srv/checkout/example-repo/codeql-runner
> ...
> Created CodeQL database at /srv/checkout/example-repo/codeql-runner/codeql_databases/javascript.
```
{% data reusables.code-scanning.codeql-runner-analyze-example %}
#### Compiled language example
This example is similar to the previous example, however this time the repository has code in C/C++, C#, or Java. To create a {% data variables.product.prodname_codeql %} database for these languages, the CLI needs to monitor the build. At the end of the initialization process, the runner reports the command you need to set up the environment before building the code. You need to run this command, before calling the normal CI build process, and then running the `analyze` command.
1. Check out the repository to analyze.
1. Move into the directory where the repository is checked out.
1. Initialize the {% data variables.product.prodname_codeql_runner %} and create {% data variables.product.prodname_codeql %} databases for the languages detected.
```shell
$ /path/to-runner/codeql-runner-linux init --repository octo-org/example-repo-2
--github-url {% data variables.command_line.git_url_example %} --github-auth TOKEN
> Cleaning temp directory /srv/checkout/example-repo-2/codeql-runner
> ...
> CodeQL environment output to "/srv/checkout/example-repo-2/codeql-runner/codeql-env.json"
and "/srv/checkout/example-repo-2/codeql-runner/codeql-env.sh".
Please export these variables to future processes so that CodeQL can monitor the build, for example by running
". /srv/checkout/example-repo-2/codeql-runner/codeql-env.sh".
```
1. Source the script generated by the `init` action to set up the environment to monitor the build. Note the leading dot and space in the following code snippet.
```shell
$ . /srv/checkout/example-repo-2/codeql-runner/codeql-env.sh
```
1. Build the code. On macOS, you need to prefix the build command with the environment variable `$CODEQL_RUNNER`. For more information, see "[Troubleshooting CodeQL code scanning in your CI system](/code-security/secure-coding/troubleshooting-codeql-code-scanning-in-your-ci-system#no-code-found-during-the-build)."
{% data reusables.code-scanning.codeql-runner-analyze-example %}
{% note %}
**Note:** If you use a containerized build, you need to run the {% data variables.product.prodname_codeql_runner %} in the container where your build task takes place.
{% endnote %}
### Further reading
- "[Configuring {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/configuring-codeql-code-scanning-in-your-ci-system)"
- "[Troubleshooting {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/troubleshooting-codeql-code-scanning-in-your-ci-system)"
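Review bot: The `wget .../releases/latest/download/codeql-runner-linux` example under "Adding the CodeQL runner to your CI system" fetches an unpinned binary and marks it executable without any integrity check, for a tool that will then be handed a `repo`-scoped token; suggest showing a pinned release tag instead of `latest` and stating that the downloaded file should be verified (against a published checksum where one exists) before being copied to CI servers, as the preceding sentence about a central internal location already implies. The `--github-auth TOKEN` examples also place the token on the command line, where CI log capture and shell history can record it; a sentence on masking the value or injecting it from the CI system's secret store would help. Separately, the `currentVersion == "enterprise-server@2.22"` conditionals around the download URLs and the "Mirror the `github/codeql-action` repository" step can never render in this article, because the frontmatter publishes it only for `enterprise-server: '>=3.0'`; either drop the 2.22 branches or widen the versions list if they are intended.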

View file

@ -0,0 +1,432 @@
---
title: SARIF support for code scanning
shortTitle: SARIF support
intro: 'To display results from a third-party static analysis tool in your repository on {% data variables.product.prodname_dotcom %}, you''ll need your results stored in a SARIF file that supports a specific subset of the SARIF 2.1.0 JSON schema for {% data variables.product.prodname_code_scanning %}. If you use the default {% data variables.product.prodname_codeql %} static analysis engine, then your results will display in your repository on {% data variables.product.prodname_dotcom %} automatically.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/about-sarif-support-for-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
### About SARIF support
SARIF (Static Analysis Results Interchange Format) is an [OASIS Standard](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) that defines an output file format. The SARIF standard is used to streamline how static analysis tools share their results. {% data variables.product.prodname_code_scanning_capc %} supports a subset of the SARIF 2.1.0 JSON schema.
To upload a SARIF file from a third-party static code analysis engine, you'll need to ensure that uploaded files use the SARIF 2.1.0 version. {% data variables.product.prodname_dotcom %} will parse the SARIF file and show alerts using the results in your repository as a part of the {% data variables.product.prodname_code_scanning %} experience. For more information, see "[Uploading a SARIF file to {% data variables.product.prodname_dotcom %}](/code-security/secure-coding/uploading-a-sarif-file-to-github)." For more information about the SARIF 2.1.0 JSON schema, see [`sarif-schema-2.1.0.json`](https://github.com/oasis-tcs/sarif-spec/blob/master/Schemata/sarif-schema-2.1.0.json).
If you're using {% data variables.product.prodname_actions %} with the {% data variables.product.prodname_codeql_workflow %} or using the {% data variables.product.prodname_codeql_runner %}, then the {% data variables.product.prodname_code_scanning %} results will automatically use the supported subset of SARIF 2.1.0. For more information, see "[Enabling {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/setting-up-code-scanning-for-a-repository)" or "[Running {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)."
{% data variables.product.prodname_dotcom %} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {% data variables.product.prodname_code_scanning %} alert. The `location` allows {% data variables.product.prodname_dotcom %} to show annotations in your code file. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
If you're new to SARIF and want to learn more, see Microsoft's [`SARIF tutorials`](https://github.com/microsoft/sarif-tutorials) repository.
### Preventing duplicate alerts using fingerprints
Each time the results of a new code scan are uploaded, the results are processed and alerts are added to the repository. To prevent duplicate alerts for the same problem, {% data variables.product.prodname_code_scanning %} uses fingerprints to match results across various runs so they only appear once in the latest run for the selected branch. This makes it possible to match alerts to the right line of code when files are edited.
{% data variables.product.prodname_dotcom %} uses the `partialFingerprints` property in the OASIS standard to detect when two results are logically identical. For more information, see the "[partialFingerprints property](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012611)" entry in the OASIS documentation.
SARIF files created by the {% data variables.product.prodname_codeql_workflow %} or using the {% data variables.product.prodname_codeql_runner %} include fingerprint data. If you upload a SARIF file using the `upload-sarif` action and this data is missing, {% data variables.product.prodname_dotcom %} attempts to populate the `partialFingerprints` field from the source files. For more information about uploading results, see "[Uploading a SARIF file to {% data variables.product.prodname_dotcom %}](/code-security/secure-coding/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions)."
If you upload a SARIF file without fingerprint data using the `/code-scanning/sarifs` API endpoint, the {% data variables.product.prodname_code_scanning %} alerts will be processed and displayed, but users may see duplicate alerts. To avoid seeing duplicate alerts, you should calculate fingerprint data and populate the `partialFingerprints` property before you upload the SARIF file. You may find the script that the `upload-sarif` action uses a helpful starting point: https://github.com/github/codeql-action/blob/main/src/fingerprints.ts. For more information about the API, see "[Upload an analysis as SARIF data](/rest/reference/code-scanning#upload-an-analysis-as-sarif-data)."
### Validating your SARIF file
<!--UI-LINK: When code scanning fails, the error banner shown in the Security > Code scanning alerts view links to this anchor.-->
You can check a SARIF file is compatible with {% data variables.product.prodname_code_scanning %} by testing it against the {% data variables.product.prodname_dotcom %} ingestion rules. For more information, visit the [Microsoft SARIF validator](https://sarifweb.azurewebsites.net/).
{% data reusables.code-scanning.upload-sarif-alert-limit %}
### Supported SARIF output file properties
If you use a code analysis engine other than {% data variables.product.prodname_codeql %}, you can review the supported SARIF properties to optimize how your analysis results will appear on {% data variables.product.prodname_dotcom %}.
Any valid SARIF 2.1.0 output file can be uploaded, however, {% data variables.product.prodname_code_scanning %} will only use the following supported properties.
#### `sarifLog` object
| Name | Description |
|----|----|
| `$schema` | **Required.** The URI of the SARIF JSON schema for version 2.1.0. For example, `https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json`. |
| `version` | **Required.** {% data variables.product.prodname_code_scanning_capc %} only supports SARIF version `2.1.0`.
| `runs[]` | **Required.** A SARIF file contains an array of one or more runs. Each run represents a single run of an analysis tool. For more information about a `run`, see the [`run` object](#run-object).
#### `run` object
{% data variables.product.prodname_code_scanning_capc %} uses the `run` object to filter results by tool and provide information about the source of a result. The `run` object contains the `tool.driver` tool component object, which contains information about the tool that generated the results. Each `run` can only have results for one analysis tool.
| Name | Description |
|----|----|
| `tool.driver.name` | **Required.** The name of the analysis tool. {% data variables.product.prodname_code_scanning_capc %} displays the name on {% data variables.product.prodname_dotcom %} to allow you to filter results by tool. |
| `tool.driver.version` | **Optional.** The version of the analysis tool. {% data variables.product.prodname_code_scanning_capc %} uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by {% data variables.product.prodname_code_scanning %}. |
| `tool.driver.semanticVersion` | **Optional.** The version of the analysis tool, specified by the Semantic Versioning 2.0 format. {% data variables.product.prodname_code_scanning_capc %} uses the version number to track when results may have changed due to a tool version change rather than a change in the code being analyzed. If the SARIF file includes the `semanticVersion` field, `version` is not used by {% data variables.product.prodname_code_scanning %}. For more information, see "[Semantic Versioning 2.0.0](https://semver.org/)" in the Semantic Versioning documentation. |
| `tool.driver.rules[]` | **Required.** An array of `reportingDescriptor` objects that represent rules. The analysis tool uses rules to find problems in the code being analyzed. For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). |
| `results[]` | **Required.** The results of the analysis tool. {% data variables.product.prodname_code_scanning_capc %} displays the results on {% data variables.product.prodname_dotcom %}. For more information, see the [`result` object](#result-object).
#### `reportingDescriptor` object
| Name | Description |
|----|----|
| `id` | **Required.** A unique identifier for the rule. The `id` is referenced from other parts of the SARIF file and may be used by {% data variables.product.prodname_code_scanning %} to display URLs on {% data variables.product.prodname_dotcom %}. |
| `name` | **Optional.** The name of the rule. {% data variables.product.prodname_code_scanning_capc %} displays the name to allow results to be filtered by rule on {% data variables.product.prodname_dotcom %}. |
| `shortDescription.text` | **Required.** A concise description of the rule. {% data variables.product.prodname_code_scanning_capc %} displays the short description on {% data variables.product.prodname_dotcom %} next to the associated results.
| `fullDescription.text` | **Required.** A description of the rule. {% data variables.product.prodname_code_scanning_capc %} displays the full description on {% data variables.product.prodname_dotcom %} next to the associated results. The max number of characters is limited to 1000.
| `defaultConfiguration.level` | **Optional.** Default severity level of the rule. {% data variables.product.prodname_code_scanning_capc %} uses severity levels to help you understand how critical the result is for a given rule. This value can be overridden by the `level` attribute in the `result` object. For more information, see the [`result` object](#result-object). Default: `warning`.
| `help.text` | **Required.** Documentation for the rule using text format. {% data variables.product.prodname_code_scanning_capc %} displays this help documentation next to the associated results.
| `help.markdown` | **Recommended.** Documentation for the rule using Markdown format. {% data variables.product.prodname_code_scanning_capc %} displays this help documentation next to the associated results. When `help.markdown` is available, it is displayed instead of `help.text`.
| `properties.tags[]` | **Optional.** An array of strings. {% data variables.product.prodname_code_scanning_capc %} uses `tags` to allow you to filter results on {% data variables.product.prodname_dotcom %}. For example, it is possible to filter to all results that have the tag `security`.
| `properties.precision` | **Recommended.** A string that indicates how often the results indicated by this rule are true. For example, if a rule has a known high false-positive rate, the precision should be `low`. {% data variables.product.prodname_code_scanning_capc %} orders results by precision on {% data variables.product.prodname_dotcom %} so that the results with the highest `level`, and highest `precision` are shown first. Can be one of: `very-high`, `high`, `medium`, or `low`.
#### `result` object
{% data reusables.code-scanning.upload-sarif-alert-limit %}
| Name | Description |
|----|----|
| `ruleId`| **Optional.** The unique identifier of the rule (`reportingDescriptor.id`). For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object). {% data variables.product.prodname_code_scanning_capc %} uses the rule identifier to filter results by rule on {% data variables.product.prodname_dotcom %}.
| `ruleIndex`| **Optional.** The index of the associated rule (`reportingDescriptor` object) in the tool component `rules` array. For more information, see the [`run` object](#run-object).
| `rule`| **Optional.** A reference used to locate the rule (reporting descriptor) for this result. For more information, see the [`reportingDescriptor` object](#reportingdescriptor-object).
| `level`| **Optional.** The severity of the result. This level overrides the default severity defined by the rule. {% data variables.product.prodname_code_scanning_capc %} uses the level to filter results by severity on {% data variables.product.prodname_dotcom %}.
| `message.text`| **Required.** A message that describes the result. {% data variables.product.prodname_code_scanning_capc %} displays the message text as the title of the result. Only the first sentence of the message will be displayed when visible space is limited.
| `locations[]`| **Required.** The set of locations where the result was detected up to a maximum of 10. Only one location should be included unless the problem can only be corrected by making a change at every specified location. **Note:** At least one location is required for {% data variables.product.prodname_code_scanning %} to display a result. {% data variables.product.prodname_code_scanning_capc %} will use this property to decide which file to annotate with the result. Only the first value of this array is used. All other values are ignored.
| `partialFingerprints`| **Required.** A set of strings used to track the unique identity of the result. {% data variables.product.prodname_code_scanning_capc %} uses `partialFingerprints` to accurately identify which results are the same across commits and branches. {% data variables.product.prodname_code_scanning_capc %} will attempt to use `partialFingerprints` if they exist. If you are uploading third-party SARIF files with the `upload-action`, the action will create `partialFingerprints` for you when they are not included in the SARIF file. For more information, see "[Preventing duplicate alerts using fingerprints](#preventing-duplicate-alerts-using-fingerprints)." **Note:** {% data variables.product.prodname_code_scanning_capc %} only uses the `primaryLocationLineHash`.
| `codeFlows[].threadFlows[].locations[]`| **Optional.** An array of `location` objects for a `threadFlow` object, which describes the progress of a program through a thread of execution. A `codeFlow` object describes a pattern of code execution used to detect a result. If code flows are provided, {% data variables.product.prodname_code_scanning %} will expand code flows on {% data variables.product.prodname_dotcom %} for the relevant result. For more information, see the [`location` object](#location-object).
| `relatedLocations[]`| A set of locations relevant to this result. {% data variables.product.prodname_code_scanning_capc %} will link to related locations when they are embedded in the result message. For more information, see the [`location` object](#location-object).
#### `location` object
A location within a programming artifact, such as a file in the repository or a file that was generated during a build.
| Name | Description |
|----|----|
| `location.id` | **Optional.** A unique identifier that distinguishes this location from all other locations within a single result object.
| `location.physicalLocation` | **Required.** Identifies the artifact and region. For more information, see the [`physicalLocation`](#physicallocation-object).
| `location.message.text` | **Optional.** A message relevant to the location.
#### `physicalLocation` object
| Name | Description |
|----|----|
| `artifactLocation.uri`| **Required.** A URI indicating the location of an artifact, usually a file either in the repository or generated during a build. If the URI is relative, it should be relative to the root of the {% data variables.product.prodname_dotcom %} repository being analyzed. For example, main.js or src/script.js are relative to the root of the repository. If the URI is absolute, {% data variables.product.prodname_code_scanning %} can use the URI to checkout the artifact and match up files in the repository. For example, `https://github.com/ghost/example/blob/00/src/promiseUtils.js`.
| `region.startLine` | **Required.** The line number of the first character in the region.
| `region.startColumn` | **Required.** The column number of the first character in the region.
| `region.endLine` | **Required.** The line number of the last character in the region.
| `region.endColumn` | **Required.** The column number of the character following the end of the region.
### SARIF output file examples
These example SARIF output files show supported properties and example values.
#### Example with minimum required properties
This SARIF output file has example values to show the minimum required properties for {% data variables.product.prodname_code_scanning %} results to work as expected. If you remove any properties or don't include values, this data will not be displayed correctly or sync on {% data variables.product.prodname_dotcom %}.
```json
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Tool Name",
"rules": [
{
"id": "R01"
}
]
}
},
"results": [
{
"ruleId": "R01",
"message": {
"text": "Result text. This result does not have a rule associated."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "fileURI"
},
"region": {
"startLine": 2,
"startColumn": 7,
"endColumn": 10
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "39fa2ee980eb94b0:1"
}
}
]
}
]
}
```
#### Example showing all supported SARIF properties
This SARIF output file has example values to show all supported SARIF properties for {% data variables.product.prodname_code_scanning %}.
```json
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Tool Name",
"semanticVersion": "2.0.0",
"rules": [
{
"id": "3f292041e51d22005ce48f39df3585d44ce1b0ad",
"name": "js/unused-local-variable",
"shortDescription": {
"text": "Unused variable, import, function or class"
},
"fullDescription": {
"text": "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"maintainability"
],
"precision": "very-high"
}
},
{
"id": "d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0",
"name": "js/inconsistent-use-of-new",
"shortDescription": {
"text": "Inconsistent use of 'new'"
},
"fullDescription": {
"text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'."
},
"properties": {
"tags": [
"reliability",
"correctness",
"language-features"
],
"precision": "very-high"
}
},
{
"id": "R01"
}
]
}
},
"results": [
{
"ruleId": "3f292041e51d22005ce48f39df3585d44ce1b0ad",
"ruleIndex": 0,
"message": {
"text": "Unused variable foo."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 2,
"startColumn": 7,
"endColumn": 10
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "39fa2ee980eb94b0:1",
"primaryLocationStartColumnFingerprint": "4"
}
},
{
"ruleId": "d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0",
"ruleIndex": 1,
"message": {
"text": "Function resolvingPromise is sometimes invoked as a constructor (for example [here](1)), and sometimes as a normal function (for example [here](2))."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/promises.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 2
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "5061c3315a741b7d:1",
"primaryLocationStartColumnFingerprint": "7"
},
"relatedLocations": [
{
"id": 1,
"physicalLocation": {
"artifactLocation": {
"uri": "src/ParseObject.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 2281,
"startColumn": 33,
"endColumn": 55
}
},
"message": {
"text": "here"
}
},
{
"id": 2,
"physicalLocation": {
"artifactLocation": {
"uri": "src/LiveQueryClient.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 166
}
},
"message": {
"text": "here"
}
}
]
},
{
"ruleId": "R01",
"message": {
"text": "Specifying both [ruleIndex](1) and [ruleID](2) might lead to inconsistencies."
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "full.sarif",
"uriBaseId": "%SRCROOT%"
},
"region": {
"startLine": 54,
"startColumn": 10,
"endLine": 55,
"endColumn": 25
}
}
}
],
"relatedLocations": [
{
"id": 1,
"physicalLocation": {
"artifactLocation": {
"uri": "full.sarif"
},
"region": {
"startLine": 81,
"startColumn": 10,
"endColumn": 18
}
},
"message": {
"text": "here"
}
},
{
"id": 2,
"physicalLocation": {
"artifactLocation": {
"uri": "full.sarif"
},
"region": {
"startLine": 82,
"startColumn": 10,
"endColumn": 21
}
},
"message": {
"text": "here"
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"location": {
"physicalLocation": {
"region": {
"startLine": 11,
"endLine": 29,
"startColumn": 10,
"endColumn": 18
},
"artifactLocation": {
"uriBaseId": "%SRCROOT%",
"uri": "full.sarif"
}
},
"message": {
"text": "Rule has index 0"
}
}
},
{
"location": {
"physicalLocation": {
"region": {
"endColumn": 47,
"startColumn": 12,
"startLine": 12
},
"artifactLocation": {
"uriBaseId": "%SRCROOT%",
"uri": "full.sarif"
}
}
}
}
]
}
]
}
],
"partialFingerprints": {
"primaryLocationLineHash": "ABC:2"
}
}
],
"columnKind": "utf16CodeUnits"
}
]
}
```
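Review bot: the `partialFingerprints` row at the end of the `result` object table refers to the `upload-action`, while the "Preventing duplicate alerts using fingerprints" text and the `partialFingerprints` discussion above call it the `upload-sarif` action; use `upload-sarif` consistently. The same row marks `partialFingerprints` as **Required.** even though the fingerprints section says a file uploaded without them through the `/code-scanning/sarifs` endpoint is still processed and displayed, only with possible duplicates; either change the marker to **Recommended.** or state that the property is required only for deduplication across runs. The `locations[]` row contradicts itself: it allows up to 10 locations and says to include several when a fix needs a change at every one, then says only the first value is used and all others are ignored. In the minimum example, the message "This result does not have a rule associated." is wrong for a result that carries `"ruleId": "R01"`. Minor style: many table rows (`version`, `runs[]`, `results[]`, most `reportingDescriptor` and `result` rows) lack the closing `|` the other rows have, "checkout" in the `artifactLocation.uri` row should be "check out", and `main.js` / `src/script.js` there should be in code formatting.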

@ -0,0 +1,125 @@
---
title: Setting up code scanning for a repository
shortTitle: Setting up code scanning
intro: 'You can set up {% data variables.product.prodname_code_scanning %} by adding a workflow to your repository.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permissions to a repository, you can set up or configure {% data variables.product.prodname_code_scanning %} for that repository.'
redirect_from:
- /github/managing-security-vulnerabilities/configuring-automated-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
- /github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning-actions %}
### Options for setting up {% data variables.product.prodname_code_scanning %}
You decide how to generate {% data variables.product.prodname_code_scanning %} alerts, and which tools to use, at a repository level. {% data variables.product.product_name %} provides fully integrated support for {% data variables.product.prodname_codeql %} analysis, and also supports analysis using third-party tools. For more information, see "[About {% data variables.product.prodname_codeql %}](/code-security/secure-coding/about-code-scanning#about-codeql)."
{% data reusables.code-scanning.enabling-options %}
### Setting up {% data variables.product.prodname_code_scanning %} using actions
{% if currentVersion == "free-pro-team@latest" %}Using actions to run {% data variables.product.prodname_code_scanning %} will use minutes. For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
3. To the right of "{% data variables.product.prodname_code_scanning_capc %} alerts", click **Set up {% data variables.product.prodname_code_scanning %}**. {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}If {% data variables.product.prodname_code_scanning %} is missing, you need to ask an organization owner or repository administrator to enable {% data variables.product.prodname_GH_advanced_security %}. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)" or "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)."{% endif %}
!["Set up {% data variables.product.prodname_code_scanning %}" button to the right of "{% data variables.product.prodname_code_scanning_capc %}" in the Security Overview](/assets/images/help/security/overview-set-up-code-scanning.png)
4. Under "Get started with {% data variables.product.prodname_code_scanning %}", click **Set up this workflow** on the {% data variables.product.prodname_codeql_workflow %} or on a third-party workflow.
!["Set up this workflow" button under "Get started with {% data variables.product.prodname_code_scanning %}" heading](/assets/images/help/repository/code-scanning-set-up-this-workflow.png){% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}Workflows are only displayed if they are relevant for the programming languages detected in the repository. The {% data variables.product.prodname_codeql_workflow %} is always displayed, but the "Set up this workflow" button is only enabled if {% data variables.product.prodname_codeql %} analysis supports the languages present in the repository.{% endif %}
5. To customize how {% data variables.product.prodname_code_scanning %} scans your code, edit the workflow.
Generally you can commit the {% data variables.product.prodname_codeql_workflow %} without making any changes to it. However, many of the third-party workflows require additional configuration, so read the comments in the workflow before committing.
For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)."
6. Use the **Start commit** drop-down, and type a commit message.
![Start commit](/assets/images/help/repository/start-commit-commit-new-file.png)
7. Choose whether you'd like to commit directly to the default branch, or create a new branch and start a pull request.
![Choose where to commit](/assets/images/help/repository/start-commit-choose-where-to-commit.png)
8. Click **Commit new file** or **Propose new file**.
In the default {% data variables.product.prodname_codeql_workflow %}, {% data variables.product.prodname_code_scanning %} is configured to analyze your code each time you either push a change to the default branch or any protected branches, or raise a pull request against the default branch. As a result, {% data variables.product.prodname_code_scanning %} will now commence.
### Bulk set up of {% data variables.product.prodname_code_scanning %}
You can set up {% data variables.product.prodname_code_scanning %} in many repositories at once using a script. For an example of a script that raises pull requests to add a {% data variables.product.prodname_actions %} workflow to multiple repositories, see the [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository.
### Viewing the logging output from {% data variables.product.prodname_code_scanning %}
After setting up {% data variables.product.prodname_code_scanning %} for your repository, you can watch the output of the actions as they run.
{% data reusables.repositories.actions-tab %}
You'll see a list that includes an entry for running the {% data variables.product.prodname_code_scanning %} workflow. The text of the entry is the title you gave your commit message.
![Actions list showing {% data variables.product.prodname_code_scanning %} workflow](/assets/images/help/repository/code-scanning-actions-list.png)
1. Click the entry for the {% data variables.product.prodname_code_scanning %} workflow.
1. Click the job name on the left. For example, **Analyze (LANGUAGE)**.
![Log output from the {% data variables.product.prodname_code_scanning %} workflow](/assets/images/help/repository/code-scanning-logging-analyze-action.png)
1. Review the logging output from the actions in this workflow as they run.
1. Once all jobs are complete, you can view the details of any {% data variables.product.prodname_code_scanning %} alerts that were identified. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
{% note %}
**Note:** If you raised a pull request to add the {% data variables.product.prodname_code_scanning %} workflow to the repository, alerts from that pull request aren't displayed directly on the {% data variables.product.prodname_code_scanning_capc %} page until the pull request is merged. If any alerts were found you can view these, before the pull request is merged, by clicking the **_n_ alerts found** link in the banner on the {% data variables.product.prodname_code_scanning_capc %} page.
![Click the "n alerts found" link](/assets/images/help/repository/code-scanning-alerts-found-link.png)
{% endnote %}
### Understanding the pull request checks
Each {% data variables.product.prodname_code_scanning %} workflow you set to run on pull requests always has at least two entries listed in the checks section of a pull request. There is one entry for each of the analysis jobs in the workflow, and a final one for the results of the analysis.
The names of the {% data variables.product.prodname_code_scanning %} analysis checks take the form: "TOOL NAME / JOB NAME (TRIGGER)." For example, for {% data variables.product.prodname_codeql %}, analysis of C++ code has the entry "{% data variables.product.prodname_codeql %} / Analyze (cpp) (pull_request)." You can click **Details** on a {% data variables.product.prodname_code_scanning %} analysis entry to see logging data. This allows you to debug a problem if the analysis job failed. For example, for {% data variables.product.prodname_code_scanning %} analysis of compiled languages, this can happen if the action can't build the code.
![{% data variables.product.prodname_code_scanning %} pull request checks](/assets/images/help/repository/code-scanning-pr-checks.png)
When the {% data variables.product.prodname_code_scanning %} jobs complete, {% data variables.product.prodname_dotcom %} works out whether any alerts were added by the pull request and adds the "{% data variables.product.prodname_code_scanning_capc %} results / TOOL NAME" entry to the list of checks. After {% data variables.product.prodname_code_scanning %} has been performed at least once, you can click **Details** to view the results of the analysis. If you used a pull request to add {% data variables.product.prodname_code_scanning %} to the repository, you will initially see a "Missing analysis" message when you click **Details** on the "{% data variables.product.prodname_code_scanning_capc %} results / TOOL NAME" check.
![Missing analysis for commit message](/assets/images/help/repository/code-scanning-missing-analysis.png)
#### Reasons for the "missing analysis" message
After {% data variables.product.prodname_code_scanning %} has analyzed the code in a pull request, it needs to compare the analysis of the topic branch (the branch you used to create the pull request) with the analysis of the base branch (the branch into which you want to merge the pull request). This allows {% data variables.product.prodname_code_scanning %} to compute which alerts are newly introduced by the pull request, which alerts were already present in the base branch, and whether any existing alerts are fixed by the changes in the pull request. Initially, if you use a pull request to add {% data variables.product.prodname_code_scanning %} to a repository, the base branch has not yet been analyzed, so it's not possible to compute these details. In this case, when you click through from the results check on the pull request you will see the "Missing analysis for base commit SHA-HASH" message.
There are other situations where there may be no analysis for the latest commit to the base branch for a pull request. These include:
* The pull request has been raised against a branch other than the default branch, and this branch hasn't been analyzed.
To check whether a branch has been scanned, go to the {% data variables.product.prodname_code_scanning_capc %} page, click the **Branch** drop-down and select the relevant branch.
![Choose a branch from the Branch drop-down menu](/assets/images/help/repository/code-scanning-branch-dropdown.png)
The solution in this situation is to add the name of the base branch to the `on:push` and `on:pull_request` specification in the {% data variables.product.prodname_code_scanning %} workflow on that branch and then make a change that updates the open pull request that you want to scan.
* The latest commit on the base branch for the pull request is currently being analyzed and analysis is not yet available.
Wait a few minutes and then push a change to the pull request to retrigger {% data variables.product.prodname_code_scanning %}.
* An error occurred while analyzing the latest commit on the base branch and analysis for that commit isn't available.
Merge a trivial change into the base branch to trigger {% data variables.product.prodname_code_scanning %} on this latest commit, then push a change to the pull request to retrigger {% data variables.product.prodname_code_scanning %}.
### Next steps
After setting up {% data variables.product.prodname_code_scanning %}, and allowing its actions to complete, you can:
- View all of the {% data variables.product.prodname_code_scanning %} alerts generated for this repository. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
- View any alerts generated for a pull request submitted after you set up {% data variables.product.prodname_code_scanning %}. For more information, see "[Triaging {% data variables.product.prodname_code_scanning %} alerts in pull requests](/code-security/secure-coding/triaging-code-scanning-alerts-in-pull-requests)."
- Set up notifications for completed runs. For more information, see "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#github-actions-notification-options)."
- Investigate any problems that occur with the initial setup of {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information, see "[Troubleshooting the {% data variables.product.prodname_codeql %} workflow](/code-security/secure-coding/troubleshooting-the-codeql-workflow)."
- Customize how {% data variables.product.prodname_code_scanning %} scans the code in your repository. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)."
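Review bot: in step 4 of "Setting up code scanning using actions", the `{% if ... %}Workflows are only displayed ...{% endif %}` text is appended to the end of the image line, so the conditional sentence will render inline straight after the image rather than as its own paragraph; move it to a new line below the image. In "Viewing the logging output", the steps after the `actions-tab` reusable are all numbered `1.` and are separated from it by a paragraph and an image, so the list is likely to restart at 1 instead of continuing from step 2; the first procedure on the page numbers its steps explicitly (3 to 8), so do the same here. Also, "Bulk set up" sends readers to a personal repository, `jhutchings1/Create-ActionsPRs`, for the example script; either say it is a community example or point at an official one.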

@ -0,0 +1,71 @@
---
title: Triaging code scanning alerts in pull requests
shortTitle: Triaging alerts in pull requests
intro: 'When {% data variables.product.prodname_code_scanning %} identifies a problem in a pull request, you can review the highlighted code and resolve the alert.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve {% data variables.product.prodname_code_scanning %} alerts for that repository.'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
### About {% data variables.product.prodname_code_scanning %} results on pull requests
In repositories where {% data variables.product.prodname_code_scanning %} is configured as a pull request check, {% data variables.product.prodname_code_scanning %} checks the code in the pull request. By default, this is limited to pull requests that target the default branch, but you can change this configuration within {% data variables.product.prodname_actions %} or in a third-party CI/CD system. If merging the changes would introduce new {% data variables.product.prodname_code_scanning %} alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the **Files changed** tab of the pull request. If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
If {% data variables.product.prodname_code_scanning %} has any results with a severity of `error`, the check fails and the error is reported in the check results. If all the results found by {% data variables.product.prodname_code_scanning %} have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch that uses {% data variables.product.prodname_code_scanning %}, and the repository owner has configured required status checks, then you must either fix or {% if currentVersion == "enterprise-server@2.22" %}close{% else %}dismiss{% endif %} all error alerts before the pull request can be merged. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-status-checks-before-merging)."
![Failed {% data variables.product.prodname_code_scanning %} check on a pull request](/assets/images/help/repository/code-scanning-check-failure.png)
### About {% data variables.product.prodname_code_scanning %} as a pull request check
There are many options for configuring {% data variables.product.prodname_code_scanning %} as a pull request check, so the exact setup of each repository will vary and some will have more than one check. The check that contains the results of {% data variables.product.prodname_code_scanning %} is: **Code scanning results**.
If the repository uses the {% data variables.product.prodname_codeql_workflow %} a **{% data variables.product.prodname_codeql %} / Analyze (LANGUAGE)** check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis needs to compile (for example, C/C++, C#, or Java). As with other pull request checks, you can see full details of the check failure on the **Checks** tab. For more information about configuring and troubleshooting, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning)" or "[Troubleshooting {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/troubleshooting-the-codeql-workflow)."
### Triaging an alert on your pull request
When you look at the **Files changed** tab for a pull request, you see annotations for any lines of code that triggered the alert.
![Alert annotation within a pull request diff](/assets/images/help/repository/code-scanning-pr-annotation.png)
If you have write permission for the repository, some annotations contain links with extra context for the alert. In the example above, from {% data variables.product.prodname_codeql %} analysis, you can click **user-provided value** to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can also view the full path from the source to the code that uses the data (the sink) by clicking **Show paths**. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using {% data variables.product.prodname_codeql %}, see "[About data flow analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)."
To see more information about an alert, users with write permission can click the **Show more details** link shown in the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem.
In the detailed view for an alert, some {% data variables.product.prodname_code_scanning %} tools, like {% data variables.product.prodname_codeql %} analysis, also include a description of the problem and a **Show more** link for guidance on how to fix your code.
![Alert description and link to show more information](/assets/images/help/repository/code-scanning-pr-alert.png)
### {% if currentVersion == "enterprise-server@2.22" %}Resolving{% else %}Fixing{% endif %} an alert on your pull request
Anyone with push access to a pull request can fix a {% data variables.product.prodname_code_scanning %} alert that's identified on that pull request. If you commit changes to the pull request this triggers a new run of the pull request checks. If your changes fix the problem, the alert is closed and the annotation removed.
{% if currentVersion == "enterprise-server@2.22" %}
If you don't think that an alert needs to be fixed, users with write permission can close the alert manually. {% data reusables.code-scanning.close-alert-examples %} The **Close** button is available in annotations and in the alerts view if you have write permission for the repository.
{% data reusables.code-scanning.false-positive-fix-codeql %}
{% else %}
### Dismissing an alert on your pull request
An alternative way of closing an alert is to dismiss it. You can dismiss an alert if you don't think it needs to be fixed. {% data reusables.code-scanning.close-alert-examples %} If you have write permission for the repository, the **Dismiss** button is available in code annotations and in the alerts summary. When you click **Dismiss** you will be prompted to choose a reason for closing the alert.
![Choosing a reason for dismissing an alert](/assets/images/help/repository/code-scanning-alert-close-drop-down.png)
{% data reusables.code-scanning.choose-alert-dismissal-reason %}
{% data reusables.code-scanning.false-positive-fix-codeql %}
For more information about dismissing alerts, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository#dismissing-or-deleting-alerts)."
{% endif %}
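Review bot: the `{% if currentVersion == "enterprise-server@2.22" %}` branches in the "Resolving/Fixing an alert on your pull request" heading and in the block that follows it can never render, because the `versions` front matter of this file restricts it to `enterprise-server: '>=3.0'` (plus `free-pro-team` and `github-ae`); either remove the 2.22 branches and keep only the "dismiss" wording and the "Dismissing an alert on your pull request" section, or widen `versions` if 2.22 is still meant to be served from this path. Minor: in "Anyone with push access ... If you commit changes to the pull request this triggers a new run of the pull request checks." a comma is missing after "pull request".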

View file

@ -0,0 +1,61 @@
---
title: Troubleshooting CodeQL code scanning in your CI system
shortTitle: Troubleshooting in your CI
intro: 'If you''re having problems with the {% data variables.product.prodname_codeql_runner %}, you can troubleshoot by using these tips.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning-in-your-ci-system
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-codeql-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta-codeql-runner %}
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.not-available %}
### The `init` command takes too long
Before the {% data variables.product.prodname_codeql_runner %} can build and analyze code, it needs access to the {% data variables.product.prodname_codeql %} bundle, which contains the {% data variables.product.prodname_codeql %} CLI and the {% data variables.product.prodname_codeql %} libraries.
When you use the {% data variables.product.prodname_codeql_runner %} for the first time on your machine, the `init` command downloads the {% data variables.product.prodname_codeql %} bundle to your machine. This download can take a few minutes.
The {% data variables.product.prodname_codeql %} bundle is cached between runs, so if you use the {% data variables.product.prodname_codeql_runner %} again on the same machine, it won't download the {% data variables.product.prodname_codeql %} bundle again.
To avoid this automatic download, you can manually download the {% data variables.product.prodname_codeql %} bundle to your machine and specify the path using the `--codeql-path` flag of the `init` command.
### No code found during the build
If the `analyze` command for the {% data variables.product.prodname_codeql_runner %} fails with an error `No source code was seen during the build`, this indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code. Several reasons can explain such a failure.
1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by using the `--languages` flag of the `init` command. For more information, see "[Configuring {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/configuring-codeql-code-scanning-in-your-ci-system)."
1. You're analyzing a compiled language without using the `autobuild` command and you run the build steps yourself after the `init` step. For the build to work, you must set up the environment such that the {% data variables.product.prodname_codeql_runner %} can monitor the code. The `init` command generates instructions for how to export the required environment variables, so you can copy and run the script after you've run the `init` command.
- On macOS and Linux:
```shell
$ . codeql-runner/codeql-env.sh
```
- On Windows, using the Command shell (`cmd`) or a batch file (`.bat`):
```shell
> call codeql-runner\codeql-env.bat
```
- On Windows, using PowerShell:
```shell
> cat codeql-runner\codeql-env.sh | Invoke-Expression
```
The environment variables are also stored in the file `codeql-runner/codeql-env.json`. This file contains a single JSON object which maps environment variable keys to values. If you can't run the script generated by the `init` command, then you can use the data in JSON format instead.
{% note %}
**Note:** If you used the `--temp-dir` flag of the `init` command to specify a custom directory for temporary files, the path to the `codeql-env` files might be different.
{% endnote %}
1. You're analyzing a compiled language on macOS without using the `autobuild` command and you run the build steps yourself after the `init` step. If SIP (System Integrity Protection) is enabled, which is the default on recent versions of OSX, analysis might fail. To fix this, prefix the build command with the `$CODEQL_RUNNER` environment variable.
For example, if your build command is `cmd arg1 arg2`, you should run `$CODEQL_RUNNER cmd arg1 arg2`.
1. The code is built in a container or on a separate machine. If you use a containerized build or if you outsource the build to another machine, make sure to run the {% data variables.product.prodname_codeql_runner %} in the container or on the machine where your build task takes place. For more information, see "[Running CodeQL code scanning in a container](/code-security/secure-coding/running-codeql-code-scanning-in-a-container)."
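Review bot: the two Windows snippets under item 2 of "No code found during the build" are fenced as ```shell although one is a `cmd`/batch command (`call codeql-runner\codeql-env.bat`) and the other is PowerShell (`cat codeql-runner\codeql-env.sh | Invoke-Expression`); tag them `cmd` and `powershell` (or leave them untagged) so they are not highlighted as POSIX shell. Since the PowerShell variant pipes the `.sh` file rather than a `.ps1` into `Invoke-Expression`, say explicitly that `codeql-env.sh` is the intended input there, otherwise readers will read it as a typo for the `.bat` file. Also, "recent versions of OSX" in item 3 should be "macOS" to match the wording used earlier in the same list.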

View file

@ -0,0 +1,178 @@
---
title: Troubleshooting the CodeQL workflow
shortTitle: Troubleshooting CodeQL
intro: 'If you''re having problems with {% data variables.product.prodname_code_scanning %}, you can troubleshoot by using these tips for resolving issues.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.not-available %}
### Producing detailed logs for debugging
To produce more detailed logging output, you can enable step debug logging. For more information, see "[Enabling debug logging](/actions/managing-workflow-runs/enabling-debug-logging#enabling-step-debug-logging)."
### Automatic build for a compiled language fails
If an automatic build of code for a compiled language within your project fails, try the following troubleshooting steps.
- Remove the `autobuild` step from your {% data variables.product.prodname_code_scanning %} workflow and add specific build steps. For information about editing the workflow, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning#editing-a-code-scanning-workflow)." For more information about replacing the `autobuild` step, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
- If your workflow doesn't explicitly specify the languages to analyze, {% data variables.product.prodname_codeql %} implicitly detects the supported languages in your code base. In this configuration, out of the compiled languages C/C++, C#, and Java, {% data variables.product.prodname_codeql %} only analyzes the language with the most source files. Edit the workflow and add a build matrix specifying the languages you want to analyze. The default CodeQL analysis workflow uses such a matrix.
The following extracts from a workflow show how you can use a matrix within the job strategy to specify languages, and then reference each language within the "Initialize {% data variables.product.prodname_codeql %}" step:
```yaml
jobs:
analyze:
...
strategy:
fail-fast: false
matrix:
language: ['csharp', 'cpp', 'javascript']
...
- name: Initialize {% data variables.product.prodname_codeql %}
uses: github/codeql-action/init@v1
with:
languages: {% raw %}${{ matrix.language }}{% endraw %}
```
For more information about editing the workflow, see "[Configuring code scanning](/code-security/secure-coding/configuring-code-scanning)."
### No code found during the build
If your workflow fails with an error `No source code was seen during the build` or `The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32`, this indicates that {% data variables.product.prodname_codeql %} was unable to monitor your code. Several reasons can explain such a failure:
1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the `language` matrix. For example, the following configuration will analyze only Go, and JavaScript.
```yaml
strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the list below
# Supported options are:
# ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['go', 'javascript']
```
For more information, see the workflow extract in "[Automatic build for a compiled language fails](#automatic-build-for-a-compiled-language-fails)" above.
1. Your {% data variables.product.prodname_code_scanning %} workflow is analyzing a compiled language (C, C++, C#, or Java), but the code was not compiled. By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about specifying build steps, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
1. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis.
1. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but compilation does not occur between the `init` and `analyze` steps in the workflow. {% data variables.product.prodname_codeql %} requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis.
1. Your compiled code (in C, C++, C#, or Java) was compiled successfully, but {% data variables.product.prodname_codeql %} was unable to detect the compiler invocations. The most common causes are:
* Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see "[Running CodeQL code scanning in a container](/code-security/secure-coding/running-codeql-code-scanning-in-a-container)."
* Building using a distributed build system external to GitHub Actions, using a daemon process.
* {% data variables.product.prodname_codeql %} isn't aware of the specific compiler you are using.
For .NET Framework projects, and for C# projects using either `dotnet build` or `msbuild` that target .NET Core 2, you should specify `/p:UseSharedCompilation=false` in your workflow's `run` step, when you build your code. The `UseSharedCompilation` flag isn't necessary for .NET Core 3.0 and later.
For example, the following configuration for C# will pass the flag during the first build step.
``` yaml
- run: |
dotnet build /p:UseSharedCompilation=false
```
If you encounter another problem with your specific compiler or configuration, contact {% data variables.contact.contact_support %}.
For more information about specifying build steps, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
### Portions of my repository were not analyzed using `autobuild`
The {% data variables.product.prodname_codeql %} `autobuild` feature uses heuristics to build the code in a repository, however, sometimes this approach results in incomplete analysis of a repository. For example, when multiple `build.sh` commands exist in a single repository, the analysis may not complete since the `autobuild` step will only execute one of the commands. The solution is to replace the `autobuild` step with build steps which build all of the source code which you wish to analyze. For more information, see "[Configuring the {% data variables.product.prodname_codeql %} workflow for compiled languages](/code-security/secure-coding/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)."
### The build takes too long
If your build with {% data variables.product.prodname_codeql %} analysis takes too long to run, there are several approaches you can try to reduce the build time.
#### Increase the memory or cores
If you use self-hosted runners to run {% data variables.product.prodname_codeql %} analysis, you can increase the memory or the number of cores on those runners.
#### Use matrix builds to parallelize the analysis
The default {% data variables.product.prodname_codeql_workflow %} uses a build matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see the workflow extract in "[Automatic build for a compiled language fails](#automatic-build-for-a-compiled-language-fails)" above.
#### Reduce the amount of code being analyzed in a single workflow
Analysis time is typically proportional to the amount of code being analyzed. You can reduce the analysis time by reducing the amount of code being analyzed at once, for example, by excluding test code, or breaking analysis into multiple workflows that analyze only a subset of your code at a time.
For compiled languages like Java, C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestpaths)."
For interpreted languages like Go, JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without a specific build, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[Specifying directories to scan](/code-security/secure-coding/configuring-code-scanning#specifying-directories-to-scan)."
If you split your analysis into multiple workflows as described above, we still recommend that you have at least one workflow which runs on a `schedule` which analyzes all of the code in your repository. Because {% data variables.product.prodname_codeql %} analyzes data flows between components, some complex security behaviors may only be detected on a complete build.
#### Run only during a `schedule` event
If your analysis is still too slow to be run during `push` or `pull_request` events, then you may want to only trigger analysis on the `schedule` event. For more information, see "[Events](/actions/learn-github-actions/introduction-to-github-actions#events)."
{% if currentVersion == "free-pro-team@latest" %}
### Results differ between analysis platforms
If you are analyzing code written in Python, you may see different results depending on whether you run the {% data variables.product.prodname_codeql_workflow %} on Linux, macOS, or Windows.
On GitHub-hosted runners that use Linux, the {% data variables.product.prodname_codeql_workflow %} tries to install and analyze Python dependencies, which could lead to more results. To disable the auto-install, add `setup-python-dependencies: false` to the "Initialize CodeQL" step of the workflow. For more information about configuring the analysis of Python dependencies, see "[Analyzing Python dependencies](/code-security/secure-coding/configuring-code-scanning#analyzing-python-dependencies)."
{% endif %}
### Error: "Server error"
If the run of a workflow for {% data variables.product.prodname_code_scanning %} fails due to a server error, try running the workflow again. If the problem persists, contact {% data variables.contact.contact_support %}.
### Error: "Out of disk" or "Out of memory"
On very large projects, {% data variables.product.prodname_codeql %} may run out of disk or memory on the runner.
{% if currentVersion == "free-pro-team@latest" %}If you encounter this issue on a hosted {% data variables.product.prodname_actions %} runner, contact {% data variables.contact.contact_support %} so that we can investigate the problem.
{% else %}If you encounter this issue, try increasing the memory on the runner.{% endif %}
### Warning: "git checkout HEAD^2 is no longer necessary"
If you're using an old {% data variables.product.prodname_codeql %} workflow you may get the following warning in the output from the "Initialize {% data variables.product.prodname_codeql %}" action:
```
Warning: 1 issue was detected with this workflow: git checkout HEAD^2 is no longer
necessary. Please remove this step as Code Scanning recommends analyzing the merge
commit for best results.
```
Fix this by removing the following lines from the {% data variables.product.prodname_codeql %} workflow. These lines were included in the `steps` section of the `Analyze` job in initial versions of the {% data variables.product.prodname_codeql %} workflow.
```yaml
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: {% raw %}${{ github.event_name == 'pull_request' }}{% endraw %}
```
The revised `steps` section of the workflow will look like this:
```yaml
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Initializes the {% data variables.product.prodname_codeql %} tools for scanning.
- name: Initialize {% data variables.product.prodname_codeql %}
uses: github/codeql-action/init@v1
...
```
For more information about editing the {% data variables.product.prodname_codeql %} workflow file, see "[Configuring {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/configuring-code-scanning#editing-a-code-scanning-workflow)."
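Review bot: the error message quoted in "No code found during the build" hard-codes a bundle path (`/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql`) whose version segment will drift with every CodeQL release, so the text will stop matching what users see; quote only the stable tail (`.../codeql/codeql' failed with exit code 32`) or note that the version segment varies. Minor: the C# extract under "UseSharedCompilation" opens its fence as ``` yaml (with a space) while every other fence in the file uses ```yaml; make it consistent so the highlighter picks it up.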

View file

@ -0,0 +1,122 @@
---
title: Uploading a SARIF file to GitHub
shortTitle: Uploading a SARIF file
intro: '{% data reusables.code-scanning.you-can-upload-third-party-analysis %}'
permissions: 'People with write permissions to a repository can upload {% data variables.product.prodname_code_scanning %} data generated outside {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/uploading-a-code-scanning-analysis-to-github
- /github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---
{% data reusables.code-scanning.beta %}
{% data reusables.code-scanning.enterprise-enable-code-scanning %}
### About SARIF file uploads for {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_dotcom %} creates {% data variables.product.prodname_code_scanning %} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {% data variables.product.prodname_actions %}. For more information, see "[Managing {% data variables.product.prodname_code_scanning %} alerts for your repository](/code-security/secure-coding/managing-code-scanning-alerts-for-your-repository)."
You can generate SARIF files using many static analysis security testing tools, including {% data variables.product.prodname_codeql %}. The results must use SARIF version 2.1.0. For more information, see "[About SARIF support for {% data variables.product.prodname_code_scanning %}](/code-security/secure-coding/sarif-support-for-code-scanning)."
You can upload the results using {% data variables.product.prodname_actions %}{% if currentVersion == "enterprise-server@2.22" %} (available if your organization is taking part in the beta program){% endif %}, the {% data variables.product.prodname_code_scanning %} API, or the {% data variables.product.prodname_codeql_runner %}. The best upload method will depend on how you generate the SARIF file, for example, if you use:
- {% data variables.product.prodname_actions %} to run the {% data variables.product.prodname_codeql %} action, there is no further action required. The {% data variables.product.prodname_codeql %} action uploads the SARIF file automatically when it completes analysis.
- {% data variables.product.prodname_actions %} to run a SARIF-compatible analysis tool, you could update the workflow to include a final step that uploads the results (see below).
- The {% data variables.product.prodname_codeql_runner %}, to run {% data variables.product.prodname_code_scanning %} in your CI system, by default the runner automatically uploads results to {% data variables.product.prodname_dotcom %} on completion. If you block the automatic upload, when you are ready to upload results you can use the `upload` command (for more information, see "[Running {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)").
- A tool that generates results as an artifact outside of your repository, you can use the {% data variables.product.prodname_code_scanning %} API to upload the file (for more information, see "[Upload an analysis as SARIF data](/rest/reference/code-scanning#upload-an-analysis-as-sarif-data)").
{% data reusables.code-scanning.not-available %}
### Uploading a {% data variables.product.prodname_code_scanning %} analysis with {% data variables.product.prodname_actions %}
To use {% data variables.product.prodname_actions %} to upload a third-party SARIF file to a repository, you'll need a workflow. For more information, see "[Learn {% data variables.product.prodname_actions %}](/actions/getting-started-with-github-actions/about-github-actions)" and "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
Your workflow will need to use the `upload-sarif` action, which is part of the `github/codeql-action` repository. It has input parameters that you can use to configure the upload. The main input parameter you'll use is `sarif-file`, which configures the file or directory of SARIF files to be uploaded. The directory or file path is relative to the root of the repository. For more information see the [`upload-sarif` action](https://github.com/github/codeql-action/tree/HEAD/upload-sarif).
The `upload-sarif` action can be configured to run when the `push` and `scheduled` event occur. For more information about {% data variables.product.prodname_actions %} events, see "[Events that trigger workflows](/actions/reference/events-that-trigger-workflows)."
If your SARIF file doesn't include `partialFingerprints`, the `upload-sarif` action will calculate the `partialFingerprints` field for you and attempt to prevent duplicate alerts. {% data variables.product.prodname_dotcom %} can only create `partialFingerprints` when the repository contains both the SARIF file and the source code used in the static analysis. For more information about preventing duplicate alerts, see "[About SARIF support for code scanning](/code-security/secure-coding/sarif-support-for-code-scanning#preventing-duplicate-alerts-using-fingerprints)."
{% data reusables.code-scanning.upload-sarif-alert-limit %}
#### Example workflow for SARIF files generated outside of a repository
You can create a new workflow that uploads SARIF files after you commit them to your repository. This is useful when the SARIF file is generated as an artifact outside of your repository.
This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "[Events that trigger workflows](/actions/reference/events-that-trigger-workflows)."
This workflow uploads the `results.sarif` file located in the root of the repository. For more information about creating a workflow file, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
Alternatively, you could modify this workflow to upload a directory of SARIF files. For example, you could place all SARIF files in a directory in the root of your repository called `sarif-output` and set the action's input parameter `sarif_file` to `sarif-output`.
```yaml
name: "Upload SARIF"
# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every at 00:00 on Sunday UTC time.
on:
push:
schedule:
- cron: '0 0 * * 0'
jobs:
build:
runs-on: ubuntu-latest
steps:
# This step checks out a copy of your repository.
- name: Checkout repository
uses: actions/checkout@v2
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
```
#### Example workflow that runs the ESLint analysis tool
If you generate your third-party SARIF file as part of a continuous integration (CI) workflow, you can add the `upload-sarif` action as a step after running your CI tests. If you don't already have a CI workflow, you can create one using a {% data variables.product.prodname_actions %} template. For more information, see the "[{% data variables.product.prodname_actions %} quickstart](/actions/quickstart)."
This example workflow runs anytime commits are pushed to the repository. The action uses the `partialFingerprints` property to determine if changes have occurred. In addition to running when commits are pushed, the workflow is scheduled to run once per week. For more information, see "[Events that trigger workflows](/actions/reference/events-that-trigger-workflows)."
The workflow shows an example of running the ESLint static analysis tool as a step in a workflow. The `Run ESLint` step runs the ESLint tool and outputs the `results.sarif` file. The workflow then uploads the `results.sarif` file to {% data variables.product.prodname_dotcom %} using the `upload-sarif` action. For more information about creating a workflow file, see "[Introduction to GitHub Actions](/actions/learn-github-actions/introduction-to-github-actions)."
```yml
name: "ESLint analysis"
# Run workflow each time code is pushed to your repository and on a schedule.
# The scheduled workflow runs every at 00:00 on Sunday UTC time.
on:
push:
schedule:
- cron: '0 0 * * 0'
jobs:
build:
steps:
- uses: actions/checkout@v2
- name: Run npm install
run: npm install
# Runs the ESlint code analysis
- name: Run ESLint
# eslint exits 1 if it finds anything to report
run: node_modules/.bin/eslint build docs lib script spec-main -f node_modules/@microsoft/eslint-formatter-sarif/sarif.js -o results.sarif || true
# Uploads results.sarif to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v1
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
```
### Further reading
- "[Workflow syntax for {% data variables.product.prodname_actions %}](/actions/reference/workflow-syntax-for-github-actions)"
- "[Viewing your workflow history](/actions/managing-workflow-runs/viewing-workflow-run-history)"
- "[Running {% data variables.product.prodname_code_scanning %} in your CI system](/code-security/secure-coding/running-codeql-code-scanning-in-your-ci-system)"
- "[Upload an analysis as SARIF data](/rest/reference/code-scanning#upload-an-analysis-as-sarif-data)"
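Review bot: the `build` job in the `ESLint analysis` workflow has no `runs-on`, so Actions will reject the workflow before any step executes; add `runs-on: ubuntu-latest` under `build:` as the `Upload SARIF` example already does. Two smaller points in the same region: the comment `# The scheduled workflow runs every at 00:00 on Sunday UTC time.` appears in both examples and should read `runs every Sunday at 00:00 UTC`, and `|| true` on the `Run ESLint` step discards every exit status, including a crash of ESLint itself, so a missing or malformed `results.sarif` only surfaces as a failure of the upload step; `continue-on-error: true` on that step lets the upload run after findings without hiding other errors.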

View file

@ -0,0 +1,16 @@
---
title: Using CodeQL code scanning with your existing CI system
shortTitle: CodeQL CI system support
intro: 'The {% data variables.product.prodname_codeql_runner %} allows you to use your existing CI system to run {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}.'
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/using-codeql-code-scanning-with-your-existing-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
github-ae: '*'
topics:
- security
---

View file

@ -4,6 +4,7 @@ intro: 'You can use {% data variables.product.prodname_security_advisories %} to
redirect_from:
- /articles/about-maintainer-security-advisories
- /github/managing-security-vulnerabilities/about-maintainer-security-advisories
- /github/managing-security-vulnerabilities/about-github-security-advisories
versions:
free-pro-team: '*'
topics:

View file

@ -4,6 +4,7 @@ intro: You can add other users or teams to collaborate on a security advisory wi
redirect_from:
- /articles/adding-a-collaborator-to-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory
versions:
free-pro-team: '*'
topics:

View file

@ -3,6 +3,7 @@ title: Adding a security policy to your repository
intro: You can give instructions for how to responsibly report a security vulnerability in your project by adding a security policy to your repository.
redirect_from:
- /articles/adding-a-security-policy-to-your-repository
- /github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
versions:
free-pro-team: '*'
topics:

View file

@ -3,6 +3,7 @@ title: Collaborating in a temporary private fork to resolve a security vulnerabi
intro: You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
redirect_from:
- /articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
- /github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
versions:
free-pro-team: '*'
topics:

View file

@ -4,6 +4,7 @@ intro: You can create a draft security advisory to privately discuss and fix a s
redirect_from:
- /articles/creating-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/creating-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/creating-a-security-advisory
versions:
free-pro-team: '*'
topics:

View file

@ -1,6 +1,8 @@
---
title: Editing a security advisory
intro: You can edit the metadata and description for a security advisory if you need to update details or correct errors.
redirect_from:
- /github/managing-security-vulnerabilities/editing-a-security-advisory
versions:
free-pro-team: '*'
topics:

View file

@ -0,0 +1,25 @@
---
title: Managing security advisories for vulnerabilities in your project
shortTitle: Security advisories
intro: 'Discuss, fix, and disclose security vulnerabilities in your repositories using security advisories.'
redirect_from:
- /articles/managing-security-vulnerabilities-in-your-project
- /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project
versions:
free-pro-team: '*'
topics:
- security
---
### Table of Contents
{% link_in_list /adding-a-security-policy-to-your-repository %}
{% link_in_list /about-github-security-advisories %}
{% link_in_list /permission-levels-for-security-advisories %}
{% link_in_list /creating-a-security-advisory %}
{% link_in_list /adding-a-collaborator-to-a-security-advisory %}
{% link_in_list /removing-a-collaborator-from-a-security-advisory %}
{% link_in_list /collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability %}
{% link_in_list /publishing-a-security-advisory %}
{% link_in_list /editing-a-security-advisory %}
{% link_in_list /withdrawing-a-security-advisory %}

View file

@ -4,6 +4,7 @@ intro: The actions you can take in a security advisory depend on whether you hav
redirect_from:
- /articles/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
versions:
free-pro-team: '*'
topics:

View file

@ -4,11 +4,13 @@ intro: You can publish a security advisory to alert your community about a secur
redirect_from:
- /articles/publishing-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/publishing-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/publishing-a-security-advisory
versions:
free-pro-team: '*'
topics:
- security
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "Publishing a security advisory".-->
Anyone with admin permissions to a security advisory can publish the security advisory.

View file

@ -1,6 +1,8 @@
---
title: Removing a collaborator from a security advisory
intro: 'When you remove a collaborator from a security advisory, they lose read and write access to the security advisory''s discussion and metadata.'
redirect_from:
- /github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory
versions:
free-pro-team: '*'
topics:

View file

@ -1,6 +1,8 @@
---
title: Withdrawing a security advisory
intro: You can withdraw a security advisory that you've published.
redirect_from:
- /github/managing-security-vulnerabilities/withdrawing-a-security-advisory
versions:
free-pro-team: '*'
topics:

View file

@ -0,0 +1,100 @@
---
title: About alerts for vulnerable dependencies
intro: '{% data variables.product.product_name %} sends {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when we detect vulnerabilities affecting your repository.'
redirect_from:
- /articles/about-security-alerts-for-vulnerable-dependencies
- /github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
- /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
topics:
- security
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "About alerts for vulnerable dependencies ".-->
### About vulnerable dependencies
{% data reusables.repositories.a-vulnerability-is %}
When your code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems for your project or the people who use it.
### Detection of vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
{% if currentVersion == "free-pro-team@latest" %}
- A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."
- New vulnerability data from [WhiteSource](https://www.whitesourcesoftware.com/vulnerability-database) is processed.{% else %}
- New advisory data is synchronized to {% data variables.product.prodname_ghe_server %} each hour from {% data variables.product.prodname_dotcom_the_website %}. For more information about advisory data, see "<a href="/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database" class="dotcom-only">Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}</a>."{% endif %}
- The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on{% if currentVersion == "free-pro-team@latest" %}, or when the code of one of the dependencies changes{% endif %}. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
{% data reusables.repositories.dependency-review %}
For a list of the ecosystems that {% data variables.product.product_name %} can detect vulnerabilities and dependencies for, see "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
{% note %}
**Note:** It is important to keep your manifest and lock files up to date. If the dependency graph doesn't accurately reflect your current dependencies and versions, then you could miss alerts for vulnerable dependencies that you use. You may also get alerts for dependencies that you no longer use.
{% endnote %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" % %}
### {% data variables.product.prodname_dependabot %} alerts for vulnerable dependencies
{% else %}
### Security alerts for vulnerable dependencies
{% endif %}
{% data reusables.repositories.enable-security-alerts %}
{% if currentVersion == "free-pro-team@latest" %}{% data variables.product.prodname_dotcom %} detects vulnerable dependencies in _public_ repositories and generates {% data variables.product.prodname_dependabot_alerts %} by default. Owners of private repositories, or people with admin access, can enable {% data variables.product.prodname_dependabot_alerts %} by enabling the dependency graph and {% data variables.product.prodname_dependabot_alerts %} for their repositories.
You can also enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)."
For information about permission requirements for actions related to {% data variables.product.prodname_dependabot_alerts %}, see "[Repository permission levels for an organization](/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization#permission-requirements-for-security-features)."
{% data variables.product.product_name %} starts generating the dependency graph immediately and generates alerts for any vulnerable dependencies as soon as they are identified. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. For more information, see "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
When {% data variables.product.product_name %} identifies a vulnerable dependency, we send a security alert to the maintainers of affected repositories with details of the vulnerability, a link to the affected file in the project, and information about a fixed version.
{% endif %}
{% warning %}
**Note**: {% data variables.product.product_name %}'s security features do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and generate alerts with our most up-to-date information, we will not be able to catch everything or tell you about known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary.
{% endwarning %}
### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts
You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
We send security alerts to people with admin permissions in the affected repositories by default. {% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository.
{% endif %}
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.21" %} For more information, see "[Choosing the delivery method for your notifications](/github/receiving-notifications-about-activity-on-github/choosing-the-delivery-method-for-your-notifications)."{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %} For more information, see "[Configuring notifications for vulnerable dependencies](/code-security/supply-chain-security/configuring-notifications-for-vulnerable-dependencies)."{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
You can also see all the {% data variables.product.prodname_dependabot_alerts %} that correspond to a particular vulnerability in the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database#viewing-your-vulnerable-repositories)."
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
### Further reading
- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)"
- "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Understanding how {% data variables.product.product_name %} uses and protects your data](/categories/understanding-how-github-uses-and-protects-your-data)"{% endif %}
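Review bot: the Liquid tag `{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" % %}` directly above the `### {% data variables.product.prodname_dependabot %} alerts for vulnerable dependencies` heading has a stray `% ` before `%}` and will not parse, which breaks rendering of the whole page; it should end `"enterprise-server@2.21" %}`. Separately, since the front matter limits this file to `enterprise-server: '>=3.0'`, the paragraphs guarded by `currentVersion ver_lt "enterprise-server@2.22"` (the legacy "security alert" wording) and the `ver_lt "enterprise-server@2.21"` clause in the notification-delivery sentence can never render and could be removed to simplify the conditionals. Minor wording: "visible to additional people or teams working repositories" is missing "on" ("working on repositories").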

View file

@ -4,15 +4,17 @@ intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable depe
shortTitle: About Dependabot security updates
redirect_from:
- /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
- /github/managing-security-vulnerabilities/about-dependabot-security-updates
versions:
free-pro-team: '*'
topics:
- security
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "About Dependabot security updates".-->
### About {% data variables.product.prodname_dependabot_security_updates %}
{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
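Review bot: the rewritten line updates only the first link to the new `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies` path, while the `Configuring Dependabot security updates` link on the same line and the `Troubleshooting Dependabot errors` link on the next line still point at `/github/managing-security-vulnerabilities/...`. If those pages are also moved by this commit, the new `redirect_from` entries keep the old links working, but pointing them at the new paths here avoids a redirect hop and keeps the file consistent with the move.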

View file

@ -5,6 +5,8 @@ redirect_from:
- /github/administering-a-repository/about-dependabot
- /github/administering-a-repository/about-github-dependabot
- /github/administering-a-repository/about-github-dependabot-version-updates
- /github/administering-a-repository/about-dependabot-version-updates
versions:
free-pro-team: '*'
topics:

View file

@ -1,11 +1,14 @@
---
title: About managing vulnerable dependencies
intro: '{% data variables.product.prodname_dotcom %} helps you to avoid using third-party software that contains known vulnerabilities.'
redirect_from:
- /github/managing-security-vulnerabilities/about-managing-vulnerable-dependencies
versions:
free-pro-team: '*'
topics:
- security
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "Managing vulnerabilities in your projects dependencies ".-->
{% data variables.product.prodname_dotcom %} provides the following tools for removing and avoiding vulnerable dependencies.
@ -17,7 +20,7 @@ For more information, see "[About the dependency graph](/github/visualizing-repo
By checking the dependency reviews on pull requests you can avoid introducing vulnerabilities from dependencies into your codebase. If the pull requests adds a vulnerable dependency, or changes a dependency to a vulnerable version, this is highlighted in the dependency review. You can change the dependency to a patched version before merging the pull request. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
#### {% data variables.product.prodname_dependabot_alerts %}
{% data variables.product.prodname_dotcom %} can create {% data variables.product.prodname_dependabot_alerts %} when it detects vulnerable dependencies in your repository. The alert is displayed on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.prodname_dotcom %} also notifies the maintainers of the repository, according to their notification preferences. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
{% data variables.product.prodname_dotcom %} can create {% data variables.product.prodname_dependabot_alerts %} when it detects vulnerable dependencies in your repository. The alert is displayed on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.prodname_dotcom %} also notifies the maintainers of the repository, according to their notification preferences. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
#### {% data variables.product.prodname_dependabot_security_updates %}
When {% data variables.product.prodname_dotcom %} generates a {% data variables.product.prodname_dependabot %} alert for a vulnerable dependency in your repository, {% data variables.product.prodname_dependabot %} can automatically try to fix it for you. {% data variables.product.prodname_dependabot_security_updates %} are automatically generated pull requests that update a vulnerable dependency to a fixed version. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
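Review bot: the second hunk fixes the `About alerts for vulnerable dependencies` link but leaves the `About Dependabot security updates` link in the following context line on the old `/github/managing-security-vulnerabilities/...` path; update it in the same pass if that page is also moved by this commit. The unchanged context line "If the pull requests adds a vulnerable dependency" should read "If the pull request adds", which is worth fixing while the file is being touched.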

View file

@ -0,0 +1,94 @@
---
title: About the dependency graph
intro: 'You can use the dependency graph to identify all your project''s dependencies. The dependency graph supports a range of popular package ecosystems.'
redirect_from:
- /github/visualizing-repository-data-with-graphs/about-the-dependency-graph
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
topics:
- repositories
---
<!--Marketing-LINK: From /features/security and /features/security/software-supply-chain pages "How GitHub's dependency graph is generated".-->
### Dependency graph availability
The dependency graph is available for every{% if currentVersion == "free-pro-team@latest" %} public{% endif %} repository that defines dependencies in a supported package ecosystem using a supported file format.{% if currentVersion == "free-pro-team@latest" %} Repository administrators can also set up the dependency graph for private repositories.{% endif %}
{% data reusables.repositories.enable-security-alerts %}
### About the dependency graph
The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows{% if currentVersion == "free-pro-team@latest" %}:
- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it{% else %} dependencies, that is, the ecosystems and packages it depends on. {% data variables.product.prodname_ghe_server %} does not calculate information about dependents, the repositories and packages that depend on a repository.{% endif %}
When you push a commit to {% data variables.product.product_name %} that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated.{% if currentVersion == "free-pro-team@latest" %} In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.{% endif %} For information on the supported ecosystems and manifest files, see "[Supported package ecosystems](#supported-package-ecosystems)" below.
{% if currentVersion == "free-pro-team@latest" %}
When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."
{% endif %}
### Dependencies included
The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems. This includes:
- Direct dependencies, that are explicitly defined in a manifest or lock file
- Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies
The dependency graph identifies indirect dependencies{% if currentVersion == "free-pro-team@latest" %} either explicitly from a lock file or by checking the dependencies of your direct dependencies. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which will make it easier for you to test and debug code{% else %} from the lock files{% endif %}.
{% if currentVersion == "free-pro-team@latest" %}
### Dependents included
For public repositories, only public repositories that depend on it or on packages that it publishes are reported. This information is not reported for private repositories.{% endif %}
### Using the dependency graph
You can use the dependency graph to:
- Explore the repositories your code depends on{% if currentVersion == "free-pro-team@latest" %}, and those that depend on it{% endif %}. For more information, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)." {% if currentVersion == "free-pro-team@latest" %}
- View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see "[Viewing insights for your organization](/articles/viewing-insights-for-your-organization#viewing-organization-dependency-insights)."{% endif %}
- View and update vulnerable dependencies for your repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."{% if currentVersion == "free-pro-team@latest" %}
- See information about vulnerable dependencies in pull requests. For more information, see "[Reviewing dependency changes in a pull request](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request)."{% endif %}
### Enabling the dependency graph
{% if currentVersion == "free-pro-team@latest" %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} If the dependency graph is not available in your system, your site administrator can enable the dependency graph and security alerts. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."
{% endif %}
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository{% if currentVersion == "free-pro-team@latest" %} and every push to other repositories in the graph{% endif %}.
### Supported package ecosystems
The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build set up and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.{% if currentVersion == "free-pro-team@latest" %} Indirect dependencies that are inferred from a manifest file (or equivalent) are excluded from the checks for vulnerable dependencies.{% endif %}
| Package manager | Languages | Recommended formats | All supported formats |
| --- | --- | --- | ---|
| Composer | PHP | `composer.lock` | `composer.json`, `composer.lock` |
| `dotnet` CLI | .NET languages (C#, C++, F#, VB) | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` |
| Maven | Java, Scala | `pom.xml` | `pom.xml` |
| npm | JavaScript | `package-lock.json` | `package-lock.json`, `package.json`|
| Python PIP | Python | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py`* |
| RubyGems | Ruby | `Gemfile.lock` | `Gemfile.lock`, `Gemfile`, `*.gemspec` |
| Yarn | JavaScript | `yarn.lock` | `package.json`, `yarn.lock` |
{% note %}
**Note:** If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project.
{% endnote %}
### Further reading
- "[Dependency graph](https://en.wikipedia.org/wiki/Dependency_graph)" on Wikipedia
- "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)"{% if currentVersion == "free-pro-team@latest" %}
- "[Viewing insights for your organization](/github/setting-up-and-managing-organizations-and-teams/viewing-insights-for-your-organization)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)"{% endif %}
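Review bot: the "Further reading" list at the end of this hunk still links to paths that this commit relocates: `/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository` and `/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies` both appear under `/code-security/supply-chain-security/` in the new index added by this commit, and the troubleshooting article gains a `redirect_from` for its old path, while the bullet under "Using the dependency graph" already uses the new `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies` form. The redirects keep the old links working, but internal links should use the canonical paths so they do not depend on the redirect table; the same applies to the two `/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository` links, since that article is given a `redirect_from` for exactly that path in this commit. Two smaller points in the "Supported package ecosystems" section: the Pipenv files are named `Pipfile` and `Pipfile.lock`, not `pipfile` and `pipfile.lock` as the table lists them, and "reflects the current build set up" should read "build setup".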

View file

@ -2,17 +2,20 @@
title: Browsing security vulnerabilities in the GitHub Advisory Database
intro: 'The {% data variables.product.prodname_advisory_database %} allows you to browse or search for vulnerabilities that affect open source projects on {% data variables.product.company_short %}.'
shortTitle: Browsing the Advisory Database
redirect_from:
- /github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database
versions:
free-pro-team: '*'
topics:
- security
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "Browsing security vulnerabilities in the GitHub Advisory Database".-->
### About security vulnerabilities
{% data reusables.repositories.a-vulnerability-is %}
{% data variables.product.product_name %} will send you {% data variables.product.prodname_dependabot_alerts %} if we detect that any of the vulnerabilities from the {% data variables.product.prodname_advisory_database %} affect the packages that your repository depends on. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
{% data variables.product.product_name %} will send you {% data variables.product.prodname_dependabot_alerts %} if we detect that any of the vulnerabilities from the {% data variables.product.prodname_advisory_database %} affect the packages that your repository depends on. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
### About the {% data variables.product.prodname_advisory_database %}
@ -70,7 +73,7 @@ You can search the database, and use qualifiers to narrow your search. For examp
### Viewing your vulnerable repositories
For any vulnerability in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories have a {% data variables.product.prodname_dependabot %} alert for that vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#access-to-dependabot-alerts)."
For any vulnerability in the {% data variables.product.prodname_advisory_database %}, you can see which of your repositories have a {% data variables.product.prodname_dependabot %} alert for that vulnerability. To see a vulnerable repository, you must have access to {% data variables.product.prodname_dependabot_alerts %} for that repository. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies#access-to-dependabot-alerts)."
1. Navigate to https://github.com/advisories.
2. Click an advisory.

View file

@ -2,6 +2,8 @@
title: Configuration options for dependency updates
intro: 'Detailed information for all the options you can use to customize how {% data variables.product.prodname_dependabot %} maintains your repositories.'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_dependabot %} for the repository.'
redirect_from:
- /github/administering-a-repository/configuration-options-for-dependency-updates
miniTocMaxHeadingLevel: 4
versions:
free-pro-team: '*'

View file

@ -7,11 +7,13 @@ redirect_from:
- /github/managing-security-vulnerabilities/configuring-automated-security-fixes
- /github/managing-security-vulnerabilities/configuring-automated-security-updates
- /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
- /github/managing-security-vulnerabilities/configuring-dependabot-security-updates
versions:
free-pro-team: '*'
topics:
- security
---
<!--Marketing-LINK: From home page "Learn more about Dependabot".-->
### About configuring {% data variables.product.prodname_dependabot_security_updates %}
@ -60,6 +62,6 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec
### Further reading
- "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
- "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"
- "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)"
- "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)"
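Review bot: the link update in this hunk is incomplete. The first "Further reading" entry is moved to `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies`, but the last entry still points at `/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems`, and this commit lists `about-the-dependency-graph` under the new supply-chain-security product. Suggest `/code-security/supply-chain-security/about-the-dependency-graph#supported-package-ecosystems` so that both entries use canonical paths rather than relying on a redirect.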

View file

@ -0,0 +1,60 @@
---
title: Configuring notifications for vulnerable dependencies
shortTitle: Configuring notifications
intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
redirect_from:
- /github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
topics:
- security
---
### About notifications for vulnerable dependencies
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-new-repositories-when-they-are-added)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %}
Your site administrator needs to enable security alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use the feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.20" %}
By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} by email.{% endif %}
{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
{% if currentVersion ver_lt "enterprise-server@2.22" %}Site administrators can also enable security alerts without notifications. For more information, see "[Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %}
### Configuring notifications for {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}
You can configure notification settings for yourself or your organization from the Manage notifications drop-down {% octicon "bell" aria-label="The notifications bell" %} shown at the top of each page. For more information, see "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#choosing-your-notification-settings)."
{% data reusables.notifications.vulnerable-dependency-notification-delivery-method-customization %}
{% data reusables.notifications.vulnerable-dependency-notification-options %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
![{% data variables.product.prodname_dependabot_alerts %} options](/assets/images/help/notifications-v2/dependabot-alerts-options.png)
{% else %}
![Security alerts options](/assets/images/help/notifications-v2/security-alerts-options.png)
{% endif %}
{% note %}
**Note:** You can filter your notifications on {% data variables.product.company_short %} to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#dependabot-custom-filters)."
{% endnote %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.19" % %}{% data reusables.repositories.security-alerts-x-github-severity %} For more information, see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.20" %}"[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#filtering-email-notifications){% else %}"[About email notifications](/github/receiving-notifications-about-activity-on-github/about-email-notifications){% endif %}."{% endif %}
### How to reduce the noise from notifications for vulnerable dependencies
If you are concerned about receiving too many notifications for {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %}, we recommend you opt into the weekly email digest, or turn off notifications while keeping {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} enabled. You can still navigate to see your {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} in your repository's Security tab.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
### Further reading
- "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications)"
- "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-is-queries)"
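Review bot: the Liquid tag that opens the severity paragraph near the end of this new file is malformed and will break rendering: `{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.19" % %}` has a stray `%` before the closing `%}`; it should end `ver_gt "enterprise-server@2.19" %}`. Separately, the frontmatter restricts this article to `enterprise-server: '>=3.0'`, so the branches written for older releases can never be taken: the `currentVersion == "enterprise-server@2.21"` block, the `ver_lt "enterprise-server@2.22"` paragraph, and every `{% else %}security alerts{% endif %}` fallback are dead, while `ver_gt "enterprise-server@2.20"` and `ver_gt "enterprise-server@2.21"` are always true. Removing them would make the file considerably easier to read and maintain. Finally, the link in "How to reduce the noise" still uses `/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository` instead of the `/code-security/supply-chain-security/` location this commit introduces.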

View file

@ -2,6 +2,8 @@
title: Customizing dependency updates
intro: 'You can customize how {% data variables.product.prodname_dependabot %} maintains your dependencies.'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_dependabot %} for the repository.'
redirect_from:
- /github/administering-a-repository/customizing-dependency-updates
versions:
free-pro-team: '*'
topics:

View file

@ -2,11 +2,14 @@
title: Enabling and disabling version updates
intro: 'You can configure your repository so that {% data variables.product.prodname_dependabot %} automatically updates the packages you use.'
permissions: 'People with write permissions to a repository can enable or disable {% data variables.product.prodname_dependabot_version_updates %} for the repository.'
redirect_from:
- /github/administering-a-repository/enabling-and-disabling-version-updates
versions:
free-pro-team: '*'
topics:
- repositories
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "About version updates for dependencies".-->
{% data reusables.dependabot.beta-note-no-link %}

View file

@ -0,0 +1,123 @@
---
title: Exploring the dependencies of a repository
intro: 'You can use the dependency graph to see the packages your project depends on{% if currentVersion == "free-pro-team@latest" %} and the repositories that depend on it{% endif %}. In addition, you can see any vulnerabilities detected in its dependencies.'
redirect_from:
- /articles/listing-the-packages-that-a-repository-depends-on
- /github/visualizing-repository-data-with-graphs/listing-the-packages-that-a-repository-depends-on
- /articles/listing-the-projects-that-depend-on-a-repository
- /github/visualizing-repository-data-with-graphs/listing-the-projects-that-depend-on-a-repository
- /github/visualizing-repository-data-with-graphs/exploring-the-dependencies-and-dependents-of-a-repository
- /github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
topics:
- repositories
---
### Viewing the dependency graph
{% data reusables.repositories.enable-security-alerts %}
The dependency graph shows the dependencies{% if currentVersion == "free-pro-team@latest" %} and dependents{% endif %} of your repository. For information about the detection of dependencies and which ecosystems are supported, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
{% data reusables.repositories.click-dependency-graph %}{% if currentVersion == "free-pro-team@latest" %}
4. Optionally, under "Dependency graph", click **Dependents**.
![Dependents tab on the dependency graph page](/assets/images/help/graphs/dependency-graph-dependents-tab.png){% endif %}
#### Dependencies view
{% if currentVersion == "free-pro-team@latest" %}
Dependencies are grouped by ecosystem. You can expand a dependency to view its dependencies. For dependencies on public repositories hosted on {% data variables.product.product_name %}, you can also click a dependency to view the repository. Dependencies on private repositories, private packages, or unrecognized files are shown in plain text.
If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
![Dependencies graph](/assets/images/help/graphs/dependencies_graph.png)
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}.
![Dependencies graph](/assets/images/help/graphs/dependencies_graph_server.png)
{% note %}
**Note:** {% data variables.product.prodname_ghe_server %} does not populate the **Dependents** view.
{% endnote %}
{% endif %}
{% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to security alerts.
![Dependencies graph](/assets/images/help/graphs/dependencies_graph_server.png)
{% note %}
**Note:** {% data variables.product.prodname_ghe_server %} does not populate the **Dependents** view.
{% endnote %}
{% endif %}
{% if currentVersion == "free-pro-team@latest" %}
#### Dependents view
For public repositories, the dependents view shows how the repository is used by other repositories. To show only the repositories that contain a library in a package manager, click **NUMBER Packages** immediately above the list of dependent repositories. The dependent counts are approximate and may not always match the dependents listed.
![Dependents graph](/assets/images/help/graphs/dependents_graph.png)
### Enabling and disabling the dependency graph for a private repository
Repository administrators can enable or disable the dependency graph for private repositories.
You can also enable or disable the dependency graph for all repositories owned by your user account or organization. For more information, see "[Managing security and analysis settings for your user account](/github/setting-up-and-managing-your-github-user-account/managing-security-and-analysis-settings-for-your-user-account)" or "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-security-and-analysis %}
4. Read the message about granting {% data variables.product.product_name %} read-only access to the repository data to enable the dependency graph, then next to "Dependency Graph", click **Enable**.
!["Enable" button for the dependency graph](/assets/images/help/repository/dependency-graph-enable-button.png)
You can disable the dependency graph at any time by clicking **Disable** next to "Dependency Graph" on the Security & analysis tab.
### Changing the "Used by" package
If the dependency graph is enabled, and your repository contains a package that's published on a supported package ecosystem, {% data variables.product.prodname_dotcom %} displays a "Used by" section in the sidebar of the **Code** tab of your repository. For more information about the supported package ecosystems, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
The "Used by" section shows the number of public references to the package that were found, and displays the avatars of some of the owners of the dependent projects.
!["Used by" sidebar section](/assets/images/help/repository/used-by-section.png)
Clicking any item in this section takes you to the **Dependents** tab of the dependency graph.
The "Used by" section represents a single package from the repository. If you have admin permissions to a repository that contains multiple packages, you can choose which package the "Used by" section represents.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-security-and-analysis %}
4. Under "Configure security and analysis features", click the drop-down menu in the "Used by counter" section and choose a package.
![Choose a "Used by" package](/assets/images/help/repository/choose-used-by-package.png)
{% endif %}
### Troubleshooting the dependency graph
If your dependency graph is empty, there may be a problem with the file containing your dependencies. Check the file to ensure that it's correctly formatted for the file type.
{% if currentVersion == "free-pro-team@latest" %}
If the file is correctly formatted, then check its size. The dependency graph ignores individual manifest and lock files that are over 0.5 Mb, unless you are a {% data variables.product.prodname_enterprise %} user. It processes up to 20 manifest or lock files per repository by default, so you can split dependencies into smaller files in subdirectories of the repository.{% endif %}
If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for vulnerable dependencies.
### Further reading
- "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)"{% if currentVersion == "free-pro-team@latest" %}
- "[Viewing insights for your organization](/github/setting-up-and-managing-organizations-and-teams/viewing-insights-for-your-organization)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Understanding how {% data variables.product.product_name %} uses and protects your data](/github/understanding-how-github-uses-and-protects-your-data)"
{% endif %}
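Review bot: this new file carries a duplicated block that can never render. The frontmatter sets `enterprise-server: '>=3.0'`, yet the "Dependencies view" section repeats the same paragraph, image and note twice, once under `ver_gt "enterprise-server@2.21"` and once under `ver_lt "enterprise-server@2.22"`; the second block is dead and should be dropped, keeping only the `{% data variables.product.prodname_dependabot_alerts %}` wording. Links also need attention: "About the dependency graph" is referenced three times via `/github/visualizing-repository-data-with-graphs/about-the-dependency-graph`, and "Viewing and updating vulnerable dependencies" via `/github/managing-security-vulnerabilities/...`, although both articles are placed under `/code-security/supply-chain-security/` by this commit; use the new paths. One wording point in "Troubleshooting the dependency graph": the size limit reads "0.5 Mb", which denotes megabits; the limit on a manifest or lock file is a byte size and should be written "0.5 MB".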

View file

@ -0,0 +1,38 @@
---
title: Securing your software supply chain
shortTitle: Supply chain security
intro: 'Visualize, maintain, and secure the dependencies in your software supply chain.'
redirect_from:
- /categories/managing-security-vulnerabilities
- /github/managing-security-vulnerabilities
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
topics:
- security
---
### Table of Contents
{% topic_link_in_list /understanding-your-software-supply-chain %}
{% link_in_list /about-the-dependency-graph %}
{% link_in_list /exploring-the-dependencies-of-a-repository %}
{% topic_link_in_list /keeping-your-dependencies-updated-automatically %}
{% link_in_list /about-dependabot-version-updates %}
{% link_in_list /enabling-and-disabling-version-updates %}
{% link_in_list /listing-dependencies-configured-for-version-updates %}
{% link_in_list /managing-pull-requests-for-dependency-updates %}
{% link_in_list /managing-encrypted-secrets-for-dependabot %}
{% link_in_list /customizing-dependency-updates %}
{% link_in_list /configuration-options-for-dependency-updates %}
{% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}
{% topic_link_in_list /managing-vulnerabilities-in-your-projects-dependencies %}
{% link_in_list /about-managing-vulnerable-dependencies %}
{% link_in_list /browsing-security-vulnerabilities-in-the-github-advisory-database %}
{% link_in_list /about-alerts-for-vulnerable-dependencies %}
{% link_in_list /configuring-notifications-for-vulnerable-dependencies %}
{% link_in_list /about-dependabot-security-updates %}
{% link_in_list /configuring-dependabot-security-updates %}
{% link_in_list /viewing-and-updating-vulnerable-dependencies-in-your-repository %}
{% link_in_list /troubleshooting-the-detection-of-vulnerable-dependencies %}
{% link_in_list /troubleshooting-dependabot-errors %}

View file

@ -3,6 +3,7 @@ title: Keeping your actions up to date with Dependabot
intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the actions you use updated to the latest versions.'
redirect_from:
- /github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot
- /github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot
versions:
free-pro-team: '*'
topics:

View file

@ -2,6 +2,8 @@
title: Keeping your dependencies updated automatically
intro: '{% data variables.product.prodname_dependabot %} can maintain your repository''s dependencies automatically.'
mapTopic: true
redirect_from:
- /github/administering-a-repository/keeping-your-dependencies-updated-automatically
versions:
free-pro-team: '*'
topics:

View file

@ -1,6 +1,8 @@
---
title: Listing dependencies configured for version updates
intro: 'You can view the dependencies that {% data variables.product.prodname_dependabot %} monitors for updates.'
redirect_from:
- /github/administering-a-repository/listing-dependencies-configured-for-version-updates
versions:
free-pro-team: '*'
topics:

View file

@ -1,6 +1,8 @@
---
title: Managing encrypted secrets for Dependabot
intro: You can store sensitive information, like passwords and access tokens, as encrypted secrets and then reference these in the {% data variables.product.prodname_dependabot %} configuration file.
redirect_from:
- /github/administering-a-repository/managing-encrypted-secrets-for-dependabot
versions:
free-pro-team: '*'
---
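Review bot: this frontmatter has no `topics:` entry, unlike the neighbouring articles in the same product (`listing-dependencies-configured-for-version-updates`, `managing-pull-requests-for-dependency-updates`) which declare one. If topics drive navigation or search for the new Code security product, add `topics:` with the same value the sibling articles use so this page is not excluded.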

View file

@ -1,6 +1,8 @@
---
title: Managing pull requests for dependency updates
intro: 'You manage pull requests raised by {% data variables.product.prodname_dependabot %} in much the same way as other pull requests, but there are some extra options.'
redirect_from:
- /github/administering-a-repository/managing-pull-requests-for-dependency-updates
versions:
free-pro-team: '*'
topics:

View file

@ -0,0 +1,15 @@
---
title: Managing vulnerabilities in your project's dependencies
intro: 'You can track your repository''s dependencies and receive {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when {% data variables.product.product_name %} detects vulnerable dependencies.'
mapTopic: true
redirect_from:
- /articles/updating-your-project-s-dependencies/
- /articles/updating-your-projects-dependencies/
- /articles/managing-security-vulnerabilities-in-your-projects-dependencies/
- /articles/managing-vulnerabilities-in-your-projects-dependencies
- /github/managing-security-vulnerabilities/managing-vulnerabilities-in-your-projects-dependencies
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
---
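Review bot: three of the `redirect_from` entries in this map topic end in a trailing slash (`/articles/updating-your-project-s-dependencies/`, `/articles/updating-your-projects-dependencies/`, `/articles/managing-security-vulnerabilities-in-your-projects-dependencies/`) while the other two in the same list do not; unless the redirect loader normalises paths, the slash variants will not match the canonical URL and should be written without it, consistent with every other `redirect_from` in this commit. This file also omits `topics:`, which the new index and the other map topics in this product set to `security`.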

View file

@ -4,6 +4,7 @@ intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to
shortTitle: Troubleshooting errors
redirect_from:
- /github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors
- /github/managing-security-vulnerabilities/troubleshooting-dependabot-errors
versions:
free-pro-team: '*'
topics:

View file

@ -2,6 +2,8 @@
title: Troubleshooting the detection of vulnerable dependencies
intro: 'If the dependency information reported by {% data variables.product.product_name %} is not what you expected, there are a number of points to consider, and various things you can check.'
shortTitle: Troubleshooting detection
redirect_from:
- /github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies
versions:
free-pro-team: '*'
topics:
@ -16,7 +18,7 @@ The results of dependency detection reported by {% data variables.product.produc
* {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies. It's a free, curated database of vulnerability information for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)" and "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
* The dependency graph parses all known package manifest files in a users repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repositorys dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
{% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database.
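Review bot: The link updates in this hunk are incomplete. The "About alerts for vulnerable dependencies" bullet is moved to the new `/code-security/supply-chain-security/` path, but the next bullet still links "About Dependabot security updates" and "Troubleshooting Dependabot errors" under `/github/managing-security-vulnerabilities/`, and the first hunk of this file adds a `redirect_from` for `troubleshooting-dependabot-errors`, which shows that page is moving in this same commit. Point these links at their new `/code-security/...` locations rather than relying on the redirects.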
@ -97,7 +99,7 @@ When you click to display the alert details, you can see how many vulnerabilitie
### Further reading
- "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
- "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"
- "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
- "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)"
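Review bot: Only the first entry of this "Further reading" list is retargeted to `/code-security/supply-chain-security/`; the "Viewing and updating vulnerable dependencies" and "Troubleshooting Dependabot errors" entries still use `/github/managing-security-vulnerabilities/`, although later hunks add `redirect_from` entries for exactly those old paths. Update them to the new paths so the rendered page does not bounce through redirects; the same applies to the other "Further reading" lists touched by this commit.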

View file

@ -0,0 +1,12 @@
---
title: Understanding your software supply chain
mapTopic: true
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
---
### Table of Contents
{% link_in_list /about-the-dependency-graph %}
{% link_in_list /exploring-the-dependencies-of-a-repository %}
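Review bot: This new mapTopic page has no `intro` and no `topics` front matter, unlike the other mapTopic page in this commit ("Managing vulnerabilities in your project's dependencies" carries `intro`, `mapTopic: true` and `topics: - security`). Add a one-line `intro` (it is rendered by `link_with_intro` on the product landing page) and a `topics` entry for consistency.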

View file

@ -3,6 +3,7 @@ title: Viewing and updating vulnerable dependencies in your repository
intro: 'If {% data variables.product.product_name %} discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.'
redirect_from:
- /articles/viewing-and-updating-vulnerable-dependencies-in-your-repository
- /github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository
permissions: Repository administrators and organization owners can view and update dependencies.
shortTitle: Viewing and updating vulnerable dependencies
versions:
@ -10,7 +11,7 @@ versions:
topics:
- security
---
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)."
You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
@ -36,7 +37,7 @@ You can enable automatic security updates for any repository that uses {% data v
### Further reading
- "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
- "[About alerts for vulnerable dependencies](/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies)"
- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)"
- "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
- "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)"

View file

@ -82,7 +82,7 @@ Permission | Description
[`starring`](/rest/reference/permissions-required-for-github-apps/#permission-on-starring) | Grants access to the [Starring API](/rest/reference/activity#starring). Can be one of: `none`, `read`, or `write`.
[`statuses`](/rest/reference/permissions-required-for-github-apps/#permission-on-statuses) | Grants access to the [Statuses API](/rest/reference/repos#statuses). Can be one of: `none`, `read`, or `write`.
[`team_discussions`](/rest/reference/permissions-required-for-github-apps/#permission-on-team-discussions) | Grants access to the [Team Discussions API](/rest/reference/teams#discussions) and the [Team Discussion Comments API](/rest/reference/teams#discussion-comments). Can be one of: `none`, `read`, or `write`.{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@1.19" %}
`vulnerability_alerts`| Grants access to receive security alerts for vulnerable dependencies in a repository. See "[About security alerts for vulnerable dependencies](/articles/about-security-alerts-for-vulnerable-dependencies)" to learn more. Can be one of: `none` or `read`.{% endif %}
`vulnerability_alerts`| Grants access to receive security alerts for vulnerable dependencies in a repository. See "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/)" to learn more. Can be one of: `none` or `read`.{% endif %}
`watching` | Grants access to list and change repositories a user is subscribed to. Can be one of: `none`, `read`, or `write`.
### {% data variables.product.prodname_github_app %} webhook events
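Review bot: The replacement link in the `vulnerability_alerts` row targets `/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/` (with a trailing slash), but elsewhere in this commit the same article is relinked to `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies`, and the old copy is re-versioned to `enterprise-server: '<=2.22'` only. This row is shown for free-pro-team readers too, so use the new path, without the trailing slash, to match the rest of the commit.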

View file

@ -1127,7 +1127,7 @@ Key | Type | Description
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@1.19" %}
### security_advisory
Activity related to a security advisory. A security advisory provides information about security-related vulnerabilities in software on GitHub. The security advisory dataset also powers the GitHub security alerts, see "[About security alerts for vulnerable dependencies](/articles/about-security-alerts-for-vulnerable-dependencies/)."
Activity related to a security advisory. A security advisory provides information about security-related vulnerabilities in software on GitHub. The security advisory dataset also powers the GitHub security alerts, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/)."
{% endif %}
#### Availability
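Review bot: Same issue as the GitHub App permissions table above: the `security_advisory` description now links the old `/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/` path with a trailing slash. Use `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies`, the path adopted in the rest of this commit.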

View file

@ -27,6 +27,7 @@ topics:
{% link_in_list /disabling-or-limiting-github-actions-for-a-repository %}{% if currentVersion == "free-pro-team@latest" %}
{% link_in_list /enabling-or-disabling-github-discussions-for-a-repository %}{% endif %}
{% link_in_list /managing-git-lfs-objects-in-archives-of-your-repository %}
{% link_in_list /managing-security-and-analysis-settings-for-your-repository %}
{% link_in_list /enabling-anonymous-git-read-access-for-a-repository %}
{% link_in_list /configuring-autolinks-to-reference-external-resources %}
{% link_in_list /renaming-a-repository %}
@ -55,18 +56,3 @@ topics:
{% link_in_list /linking-to-releases %}
{% link_in_list /comparing-releases %}
{% link_in_list /automation-for-release-forms-with-query-parameters %}
{% topic_link_in_list /securing-your-repository %}
{% link_in_list /about-securing-your-repository %}
{% link_in_list /about-secret-scanning %}
{% link_in_list /configuring-secret-scanning-for-your-repositories %}
{% link_in_list /managing-alerts-from-secret-scanning %}
{% link_in_list /managing-security-and-analysis-settings-for-your-repository %}
{% topic_link_in_list /keeping-your-dependencies-updated-automatically %}
{% link_in_list /about-dependabot-version-updates %}
{% link_in_list /enabling-and-disabling-version-updates %}
{% link_in_list /listing-dependencies-configured-for-version-updates %}
{% link_in_list /managing-pull-requests-for-dependency-updates %}
{% link_in_list /managing-encrypted-secrets-for-dependabot %}
{% link_in_list /customizing-dependency-updates %}
{% link_in_list /configuration-options-for-dependency-updates %}
{% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}

View file

@ -6,6 +6,7 @@ versions:
topics:
- pull requests
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "Sign up for the dependency review beta" and "Reviewing dependency changes in a pull request".-->
{% note %}

View file

@ -2,12 +2,8 @@
title: About code scanning
intro: 'You can use {% data variables.product.prodname_code_scanning %} to find security vulnerabilities and errors in the code for your project on {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/about-automated-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---
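Review bot: Two points on the `versions` block, which recur in every code-scanning hunk below. First, `enterprise-server: '2.22'` is an exact version string, while the rest of this commit expresses the same "legacy copy" intent with a range (`enterprise-server: '<=2.22'` on the managing-security-vulnerabilities pages); pick one form and use it uniformly so the intent is obvious to the next editor. Second, the `redirect_from` entry `/github/managing-security-vulnerabilities/about-automated-code-scanning` is deleted here together with the free-pro-team and github-ae versions; unless the new `/code-security/...` copy of this page carries that redirect, the old URL will 404 for exactly the readers dropped from this file.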

View file

@ -4,9 +4,7 @@ shortTitle: About integration
intro: 'You can perform {% data variables.product.prodname_code_scanning %} externally and then display the results in {% data variables.product.prodname_dotcom %}, or set up webhooks that listen to {% data variables.product.prodname_code_scanning %} activity in your repository.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -5,9 +5,7 @@ intro: 'You can find vulnerabilities and errors in your project''s code on {% da
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -5,9 +5,7 @@ product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_code_scanning %} for the repository.'
miniTocMaxHeadingLevel: 4
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -4,12 +4,8 @@ shortTitle: Configuring in your CI
intro: 'You can configure how the {% data variables.product.prodname_codeql_runner %} scans the code in your project and uploads the results to {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
miniTocMaxHeadingLevel: 4
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -4,13 +4,8 @@ shortTitle: Configuring for compiled languages
intro: 'You can configure how {% data variables.product.prodname_dotcom %} uses the {% data variables.product.prodname_codeql_workflow %} to scan code written in compiled languages for vulnerabilities and errors.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permissions to a repository, you can configure {% data variables.product.prodname_code_scanning %} for that repository.'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-for-compiled-languages
- /github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-action-for-compiled-languages
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -2,12 +2,8 @@
title: Finding security vulnerabilities and errors in your code
shortTitle: Finding vulnerabilities and coding errors
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/finding-security-vulnerabilities-in-your-projects-code
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -4,12 +4,8 @@ shortTitle: Integration
intro: 'You can integrate third-party code analysis tools with {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_code_scanning %} by uploading data as SARIF files.'
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -5,12 +5,7 @@ intro: 'From the security view, you can view, fix, {% if currentVersion == "ente
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permission to a repository you can manage {% data variables.product.prodname_code_scanning %} alerts for that repository.'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
redirect_from:
- /github/managing-security-vulnerabilities/managing-alerts-from-automated-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning
enterprise-server: '2.22'
---
{% data reusables.code-scanning.beta %}

View file

@ -4,9 +4,7 @@ shortTitle: '{% data variables.product.prodname_code_scanning_capc %} in a conta
intro: 'You can run {% data variables.product.prodname_code_scanning %} in a container by ensuring that all processes run in the same container.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -3,12 +3,8 @@ title: Running CodeQL code scanning in your CI system
shortTitle: Running in your CI
intro: 'You can use the {% data variables.product.prodname_codeql_runner %} to perform {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} in a third-party continuous integration system.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -3,12 +3,8 @@ title: SARIF support for code scanning
shortTitle: SARIF support
intro: 'To display results from a third-party static analysis tool in your repository on {% data variables.product.prodname_dotcom %}, you''ll need your results stored in a SARIF file that supports a specific subset of the SARIF 2.1.0 JSON schema for {% data variables.product.prodname_code_scanning %}. If you use the default {% data variables.product.prodname_codeql %} static analysis engine, then your results will display in your repository on {% data variables.product.prodname_dotcom %} automatically.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/about-sarif-support-for-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -4,14 +4,8 @@ shortTitle: Setting up code scanning
intro: 'You can set up {% data variables.product.prodname_code_scanning %} by adding a workflow to your repository.'
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have write permissions to a repository, you can set up or configure {% data variables.product.prodname_code_scanning %} for that repository.'
redirect_from:
- /github/managing-security-vulnerabilities/configuring-automated-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning
- /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -5,9 +5,7 @@ intro: 'When {% data variables.product.prodname_code_scanning %} identifies a pr
product: '{% data reusables.gated-features.code-scanning %}'
permissions: 'If you have read permission for a repository, you can see annotations on pull requests. With write permission, you can see detailed information and resolve {% data variables.product.prodname_code_scanning %} alerts for that repository.'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -3,12 +3,8 @@ title: Troubleshooting CodeQL code scanning in your CI system
shortTitle: Troubleshooting in your CI
intro: 'If you''re having problems with the {% data variables.product.prodname_codeql_runner %}, you can troubleshoot by using these tips.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning-in-your-ci-system
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -3,12 +3,8 @@ title: Troubleshooting the CodeQL workflow
shortTitle: Troubleshooting CodeQL
intro: 'If you''re having problems with {% data variables.product.prodname_code_scanning %}, you can troubleshoot by using these tips for resolving issues.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -4,12 +4,8 @@ shortTitle: Uploading a SARIF file
intro: '{% data reusables.code-scanning.you-can-upload-third-party-analysis %}'
permissions: 'People with write permissions to a repository can upload {% data variables.product.prodname_code_scanning %} data generated outside {% data variables.product.prodname_dotcom %}.'
product: '{% data reusables.gated-features.code-scanning %}'
redirect_from:
- /github/managing-security-vulnerabilities/uploading-a-code-scanning-analysis-to-github
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -5,9 +5,7 @@ intro: 'The {% data variables.product.prodname_codeql_runner %} allows you to us
mapTopic: true
product: '{% data reusables.gated-features.code-scanning %}'
versions:
free-pro-team: '*'
enterprise-server: '>=2.22'
github-ae: '*'
enterprise-server: '2.22'
topics:
- security
---

View file

@ -51,9 +51,10 @@ versions:
{% link_in_list /administering-a-repository %}
{% link_in_list /visualizing-repository-data-with-graphs %}
{% link_in_list /managing-security-vulnerabilities %}
{% link_in_list /finding-security-vulnerabilities-and-errors-in-your-code %}
{% if currentVersion == "enterprise-server@2.22" %}
{% link_in_list /managing-security-vulnerabilities %}
{% link_in_list /finding-security-vulnerabilities-and-errors-in-your-code %}{% endif %}
{% link_in_list /managing-files-in-a-repository %}
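Review bot: The new guard `{% if currentVersion == "enterprise-server@2.22" %}` lists `managing-security-vulnerabilities` only on GHES 2.22, but that index page is re-versioned to `enterprise-server: '<=2.22'` later in this commit, so on GHES 2.21 the page still builds yet disappears from this listing. Either guard with `currentVersion ver_lt "enterprise-server@3.0"`, as the graphs index in this commit does, or narrow that page's `versions` to match the guard.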

View file

@ -1,12 +1,8 @@
---
title: About alerts for vulnerable dependencies
intro: '{% data variables.product.product_name %} sends {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when we detect vulnerabilities affecting your repository.'
redirect_from:
- /articles/about-security-alerts-for-vulnerable-dependencies
- /github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
versions:
free-pro-team: '*'
enterprise-server: '*'
enterprise-server: '<=2.22'
topics:
- security
---

View file

@ -3,8 +3,7 @@ title: Configuring notifications for vulnerable dependencies
shortTitle: Configuring notifications
intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
versions:
free-pro-team: '*'
enterprise-server: '>=2.21'
enterprise-server: '>=2.21 <=2.22'
topics:
- security
---

View file

@ -1,34 +1,13 @@
---
title: Managing security vulnerabilities
redirect_from:
- /categories/managing-security-vulnerabilities
versions:
free-pro-team: '*'
enterprise-server: '*'
enterprise-server: '<=2.22'
topics:
- security
---
### Table of Contents
{% topic_link_in_list /managing-security-vulnerabilities-in-your-project %}
{% link_in_list /adding-a-security-policy-to-your-repository %}
{% link_in_list /about-github-security-advisories %}
{% link_in_list /permission-levels-for-security-advisories %}
{% link_in_list /creating-a-security-advisory %}
{% link_in_list /adding-a-collaborator-to-a-security-advisory %}
{% link_in_list /removing-a-collaborator-from-a-security-advisory %}
{% link_in_list /collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability %}
{% link_in_list /publishing-a-security-advisory %}
{% link_in_list /editing-a-security-advisory %}
{% link_in_list /withdrawing-a-security-advisory %}
{% topic_link_in_list /managing-vulnerabilities-in-your-projects-dependencies %}
{% link_in_list /about-managing-vulnerable-dependencies %}
{% link_in_list /browsing-security-vulnerabilities-in-the-github-advisory-database %}
{% link_in_list /about-alerts-for-vulnerable-dependencies %}
{% link_in_list /configuring-notifications-for-vulnerable-dependencies %}
{% link_in_list /about-dependabot-security-updates %}
{% link_in_list /configuring-dependabot-security-updates %}
{% link_in_list /viewing-and-updating-vulnerable-dependencies-in-your-repository %}
{% link_in_list /troubleshooting-the-detection-of-vulnerable-dependencies %}
{% link_in_list /troubleshooting-dependabot-errors %}

View file

@ -1,10 +0,0 @@
---
title: Managing security vulnerabilities in your project
intro: 'You can discover, discuss, fix, and disclose security vulnerabilities in your repositories.'
mapTopic: true
redirect_from:
- /articles/managing-security-vulnerabilities-in-your-project
versions:
free-pro-team: '*'
---
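Review bot: Deleting this file also deletes its `redirect_from: /articles/managing-security-vulnerabilities-in-your-project` entry, and nothing in the diff adds that path anywhere else. Carry it over to the page that replaces this topic so the old URL keeps redirecting instead of returning 404.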

View file

@ -2,14 +2,8 @@
title: Managing vulnerabilities in your project's dependencies
intro: 'You can track your repository''s dependencies and receive {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} when {% data variables.product.product_name %} detects vulnerable dependencies.'
mapTopic: true
redirect_from:
- /articles/updating-your-project-s-dependencies/
- /articles/updating-your-projects-dependencies/
- /articles/managing-security-vulnerabilities-in-your-projects-dependencies/
- /articles/managing-vulnerabilities-in-your-projects-dependencies
versions:
free-pro-team: '*'
enterprise-server: '*'
enterprise-server: '<=2.22'
topics:
- security
---
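Review bot: As with the deleted mapTopic page above, the four `redirect_from` paths removed here (including the two trailing-slash variants under `/articles/`) are only deleted, not moved. They need to be added to the replacement page's `redirect_from` list, or these long-standing URLs will break.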

View file

@ -145,7 +145,7 @@ In this section, you can find the repository permission levels required for secu
| [Designate additional people or teams to receive {% data variables.product.prodname_dependabot_alerts %}](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) for vulnerable dependencies | | | | | **X** |
| Create [security advisories](/github/managing-security-vulnerabilities/about-github-security-advisories) | | | | | **X** |{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" or currentVersion == "github-ae@latest" %}
| Manage access to {% data variables.product.prodname_GH_advanced_security %} features (see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization)") | | | | | **X** |{% endif %}{% if currentVersion == "free-pro-team@latest" %}
| [Enable the dependency graph](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-and-dependents-of-a-repository) for a private repository | | | | | **X** |
| [Enable the dependency graph](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository) for a private repository | | | | | **X** |
| [View dependency reviews](/github/collaborating-with-issues-and-pull-requests/reviewing-dependency-changes-in-a-pull-request) | **X** | **X** | **X** | **X** | **X** |{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" or currentVersion == "github-ae@latest" %}
| [View {% data variables.product.prodname_code_scanning %} alerts on pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests) | **X** | **X** | **X** | **X** | **X** |
| [List, dismiss, and delete {% data variables.product.prodname_code_scanning %} alerts](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository) | | | **X** | **X** | **X** |{% endif %}{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" or currentVersion == 'github-ae@next' %}
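Review bot: Only the dependency-graph link in this hunk is moved to `/code-security/supply-chain-security/`; the two code scanning rows that follow still link `/github/finding-security-vulnerabilities-and-errors-in-your-code/...`, and this commit restricts those pages to `enterprise-server: '2.22'` while the rows themselves are gated for free-pro-team, GHES above 2.21 and GitHub AE. Retarget them to the new code-security paths, or confirm the redirects exist before merging.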

View file

@ -2,8 +2,7 @@
title: About the dependency graph
intro: 'Detailed information about the dependency graph, the ecosystems it supports, and how it determines which packages a repository depends on.'
versions:
free-pro-team: '*'
enterprise-server: '*'
enterprise-server: '<=2.22'
topics:
- repositories
---

View file

@ -1,15 +1,8 @@
---
title: Exploring the dependencies of a repository
intro: 'Using the dependency graph, you can see the packages your project depends on{% if currentVersion == "free-pro-team@latest" %} and the repositories that depend on it{% endif %}. In addition, you can see any vulnerabilities detected in its dependencies.'
redirect_from:
- /articles/listing-the-packages-that-a-repository-depends-on
- /github/visualizing-repository-data-with-graphs/listing-the-packages-that-a-repository-depends-on
- /articles/listing-the-projects-that-depend-on-a-repository
- /github/visualizing-repository-data-with-graphs/listing-the-projects-that-depend-on-a-repository
- /github/visualizing-repository-data-with-graphs/exploring-the-dependencies-and-dependents-of-a-repository
versions:
free-pro-team: '*'
enterprise-server: '*'
enterprise-server: '<=2.22'
topics:
- repositories
---

View file

@ -27,5 +27,6 @@ topics:
{% topic_link_in_list /understanding-connections-between-repositories %}
{% link_in_list /viewing-a-repositorys-network %}
{% link_in_list /listing-the-forks-of-a-repository %}
{% link_in_list /about-the-dependency-graph %}
{% link_in_list /exploring-the-dependencies-of-a-repository %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}{% link_in_list /viewing-the-dependencies-of-a-repository %}{% endif %}
{% if currentVersion ver_lt "enterprise-server@3.0" %}{% link_in_list /about-the-dependency-graph %}
{% link_in_list /exploring-the-dependencies-of-a-repository %}{% endif %}
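Review bot: Please confirm that `{% if currentVersion ver_lt "enterprise-server@3.0" %}` evaluates to false for `free-pro-team@latest`; if the comparison is not product-scoped, free-pro-team readers will see both the new `viewing-the-dependencies-of-a-repository` entry and the two legacy entries. Using an explicit `currentVersion != "free-pro-team@latest" and ...` clause, or the same `ver_gt` form as the preceding line, would make the intent unambiguous.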

View file

@ -0,0 +1,13 @@
---
title: Viewing the dependencies of a repository
intro: 'You can use the dependency graph to explore the code your repository depends on.'
versions:
free-pro-team: '*'
enterprise-server: '>=3.0'
---
Almost all software relies on code developed and maintained by other developers, often known as a supply chain. For example, utilities, libraries, and frameworks. These dependencies are an integral part of your code and any bugs or vulnerabilities in them may affect your code. It's important to review and maintain these dependencies.
The dependency graph provides a great way to visualize and explore the dependencies for a repository. For more information, see "[About the dependency graph](/code-security/supply-chain-security/about-the-dependency-graph)" and "[Exploring the dependencies of a repository](/code-security/supply-chain-security/exploring-the-dependencies-of-a-repository)."
You can also set up your repository so that {% data variables.product.company_short %} alerts you automatically whenever a security vulnerability is found in one of your dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
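Review bot: The last paragraph links "About alerts for vulnerable dependencies" at the old `/github/managing-security-vulnerabilities/` path, while the paragraph before it already uses `/code-security/supply-chain-security/` for both of its links, and this page's `versions` (free-pro-team and GHES >=3.0) are exactly the ones removed from the old copy in this commit; use `/code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies`. Two smaller points: the opening paragraph's second sentence ("For example, utilities, libraries, and frameworks.") is a fragment and reads better folded into the first sentence ("...code developed and maintained by other developers, such as utilities, libraries, and frameworks; this is often known as a supply chain."), and the page has no `topics` entry, whereas the page it supersedes ("Exploring the dependencies of a repository") carries `topics: - repositories`.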

View file

@ -5,6 +5,7 @@ productsInOrder:
- github
- admin
- discussions
- code-security
- actions
- packages
- developers

View file

@ -1,4 +1,4 @@
| <nobr>Type of analysis</nobr> | Options for generating alerts |
|------------------|-------------------------------|
| {% data variables.product.prodname_codeql %} | Using {% data variables.product.prodname_actions %} (see "[Setting up {% data variables.product.prodname_code_scanning %} using actions](/github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository#setting-up-code-scanning-using-actions)") or using the {% data variables.product.prodname_codeql_runner %} in a third-party continuous integration (CI) system (see "[Running code scanning in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system)").
| {% data variables.product.prodname_codeql %} | Using {% data variables.product.prodname_actions %} (see "[Setting up {% data variables.product.prodname_code_scanning %} using actions](/github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository#setting-up-code-scanning-using-actions)") or using the {% data variables.product.prodname_codeql_runner %} in a third-party continuous integration (CI) system (see "[Running {% data variables.product.prodname_codeql %} code scanning in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system)").
| Third&#8209;party | Using {% data variables.product.prodname_actions %} (see "[Setting up {% data variables.product.prodname_code_scanning %} using actions](/github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository#setting-up-code-scanning-using-actions)") or generated externally and uploaded to {% data variables.product.product_name %} (see "[Uploading a SARIF file to {% data variables.product.prodname_dotcom %}](/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github)").|
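Review bot: the CodeQL row now links to `running-codeql-code-scanning-in-your-ci-system` instead of `running-code-scanning-in-your-ci-system`; make sure the renamed article carries a `redirect_from` for the old slug, because this reusable is shared across several pages and existing external links to the old URL will otherwise 404. The "Setting up code scanning using actions" anchor link in both rows is unchanged and still points under `/github/finding-security-vulnerabilities-and-errors-in-your-code/`, so the table now mixes one renamed target with otherwise old paths; acceptable if the redirects are in place, but worth a single pass to move them together.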

View file

@ -1 +1 @@
Activity related to security vulnerability alerts in a repository. {% data reusables.webhooks.action_type_desc %} For more information, see the "[About security alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies)".
Activity related to security vulnerability alerts in a repository. {% data reusables.webhooks.action_type_desc %} For more information, see the "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies/)".
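Review bot: the new link path ends with a trailing slash (`/about-alerts-for-vulnerable-dependencies/`) while every other link touched in this commit omits it; drop the slash for consistency and to avoid an extra redirect hop. The phrase `see the "[About alerts for vulnerable dependencies](...)"` also reads better without `the`, matching the `see "[...]"` form used in the rest of the docs.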

View file

@ -20,7 +20,7 @@ This anchor is broken on all versions because it points to a heading that does n
This link is broken on Enterprise versions because it points to a Dotcom-only article: [GitHub's Products](/github/getting-started-with-github/githubs-products)
This link is OK because it points to a Dotcom-only article with the `dotcom-only` class: <a href="/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies" class="dotcom-only">About security alerts for vulnerable dependencies</a>."
This link is OK because it points to a Dotcom-only article with the `dotcom-only` class: <a href="/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies" class="dotcom-only">About alerts for vulnerable dependencies</a>."
This link is broken on Dotcom because it points to an Enterprise-only article: [Working with Pre-Receive Hooks](/github/collaborating-with-issues-and-pull-requests/working-with-pre-receive-hooks)
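Review bot: the updated `dotcom-only` fixture line still ends with `</a>."`, a closing quotation mark and period with no matching opening quote, carried over from the old line; this file is test input for the link checker so it is harmless, but trimming it while the line is being touched keeps the fixture readable. Separately, this test case is only valid while `/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies` remains a Dotcom-only article; if that page is also versioned for Enterprise Server, the `dotcom-only` expectation here needs revisiting.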