Use the tool status page for code scanning

View real-time tool status, identify configuration problems, and download reports to keep your code scanning analysis running smoothly.

¿Quién puede utilizar esta característica?

Usuarios con acceso de escritura

Code scanning está disponible para los tipos de repositorio siguientes:

  • Repositorios públicos en GitHub.com
  • Repositorios propiedad de la organización en GitHub Team, GitHub Enterprise Cloud, o GitHub Enterprise Server, con GitHub Code Security habilitados.

En este artículo

Nota:

El administrador del sitio debe habilitar code scanning antes de que puedas utilizar esta característica. Para más información, consulta Configuración la digitalización de código para el dispositivo.

Es posible que no puedas habilitar o deshabilitar code scanning si un propietario de una empresa ha establecido una directiva de GitHub Code Security en el nivel de la empresa. Para más información, consulta Aplicación de directivas de seguridad y análisis de código de la empresa.

The página de estado de la herramienta shows information about all of your code scanning tools and is a good starting point for debugging problems. For more information about what the tool is and the information it provides, see Acerca de la página de estado de la herramienta.

Viewing the página de estado de la herramienta for a repository

The code scanning alerts page for each repository includes a tools banner with a summary of the health of your code scanning analysis, and access to the página de estado de la herramienta to explore your setup.

  1. En GitHub, navegue hasta la página principal del repositorio.
  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.
    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.
  3. En la barra lateral de la izquierda, haz clic en Code scanning.
  4. Click Tool status in the tools banner.
    Screenshot showing how to access the tool status page from a repository. The "Tool status" button is highlighted in a dark orange outline.

Using the página de estado de la herramienta

In the página de estado de la herramienta, you'll see a summary for one tool, highlighted in the sidebar. You can use the sidebar to view summaries for different tools.

Screenshot showing the tool status page, with the CodeQL tool selected.

For integrated tools such as CodeQL, you can see a percentage total of all the files most recently scanned in your repository, organized by programming language. You can also download detailed language reports in CSV format. See Downloading details of the files analyzed.

Accessing detailed information about tools

When you want to see more detailed information for the currently displayed tool, you can select a specific setup under "Setup types".

Under "Configurations" on the left of the screen, you can see information for each analysis run by this setup type, and any relevant error messages. To see detailed information about the most recent analysis run, select a configuration in the sidebar. You can download details of exactly which rules were run in that scan of the code and how many alerts were found by each rule. For more information, see Downloading lists of rules used.

Screenshot showing detailed information about CodeQL in the tool status page.

This view will also show error messages. For more information, see Debugging using the tool status page.

Downloading details of the files analyzed

For integrated tools such as CodeQL, you can download detailed reports from the página de estado de la herramienta in CSV format. This will show:

  • Which configuration was used to scan each file
  • The file path
  • The programming language of the file
  • Whether the file was successfully extracted

To download a report, select a tool you're interested in. Then on the top right of the page, click the button.

Downloading lists of rules used

You can download the list of rules that code scanning is checking against, in CSV format. This will show:

  • The configuration used
  • The rule source
  • The SARIF identifier
  • How many alerts were found

To download a report, select a configuration you're interested in. Then click on the top right of the page, and select Download list of rules used.

Removing configurations

You can remove stale, duplicate, or unwanted configurations for the default branch of your repository.

To remove a configuration, select the configuration you want to delete. Then click on the top right of the page, and select Delete configuration. Once you have read the warning about alerts, to confirm the deletion, click the Delete button.

Nota:

You can only use the página de estado de la herramienta to remove configurations for the default branch of a repository. For information about removing configurations from non-default branches, see Resolución de alertas de análisis de código.

Debugging using the tool status page

If you see that there is a problem with your analysis from the code scanning alerts page, you can use the página de estado de la herramienta to identify the problem. For integrated tools, you can see specific error messages in the detailed information section, related to specific code scanning tools. These error messages contain information about why the tool may not be performing as expected, and actions you can take. For more information about how to access this section of the página de estado de la herramienta, see Accessing detailed information about tools.

For integrated tools such as CodeQL, you can also use file coverage information to improve your analysis. For more information about interpreting file coverage percentages, see Acerca de la página de estado de la herramienta.

For more information, see Solución de problemas de análisis de código and Solución de problemas de carga de archivos SARIF.