Using code scanning with your existing CI system

You can analyze your code with the CodeQL CLI or another tool in a third-party continuous integration system and upload the results to GitHub. The resulting code scanning alerts are shown alongside any alerts generated within GitHub.

Who can use this feature?

Users with write access

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server, with GitHub Code Security enabled

Note

A site administrator must enable code scanning before you can use this feature. For more information, see Configuring code scanning for your appliance.

If an enterprise owner has set a GitHub Code Security policy at the enterprise level, you may not be able to enable or disable code scanning yourself. For more information, see Enforcing policies for code security and analysis for your enterprise.

As an alternative to running code scanning within GitHub using GitHub Actions, you can analyze code in an external continuous integration or continuous delivery/deployment (CI/CD) system, then upload the results to GitHub.

Note

Uploading SARIF data to display as code scanning results in GitHub is supported for organization-owned repositories with GitHub Code Security enabled. For more information, see Managing security and analysis settings for your repository.

Setting up your analysis tool

You will first need to download your analysis tool of choice and set it up with your CI system.

If you are using the CodeQL CLI, you need to make the full contents of the CodeQL CLI bundle available to every CI server that you want to run CodeQL code scanning analysis on. For more information, see Setting up the CodeQL CLI.

Once you've made your analysis tool available to servers in your CI system, you're ready to generate data.

Analyzing code

To analyze code with the CodeQL CLI or another analysis tool, you will want to check out the code you want to analyze and set up the codebase environment, making sure that any dependencies are available. You may also want to find the build command for the codebase, typically available in your CI system's configuration file.

You can then complete the steps to analyze your codebase and produce results, which will differ based on the static analysis tool you are using.

If you are using the CodeQL CLI, you will first need to create a CodeQL database from your code, then analyze the database to produce SARIF results. For more information, see Preparing your code for CodeQL analysis and Analyzing your code with CodeQL queries.
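The CodeQL CLI steps above (create a database, analyze it into SARIF, then hand the file to GitHub) are usually wrapped in a small driver script in the CI job. The following is an added example, not code from this page or from the CodeQL project. It assumes the CodeQL CLI bundle is on PATH, that the CI job has already checked out the commit to analyze, and that a token with the security_events write permission is available in the GITHUB_TOKEN environment variable; the helper names (create_database_cmd, analyze_cmd, upload_cmd, plan, execute) and the REPOSITORY, REF and COMMIT_SHA variables are this example's own, while the codeql subcommands and flags are the real CLI's. It goes slightly beyond the text by handling several languages in one job, giving each its own database and SARIF category so the uploads do not overwrite one another.

```python
"""CI driver for CodeQL CLI analysis and upload (added example, not GitHub's code)."""
from __future__ import annotations

import os
import shutil
import subprocess
from pathlib import Path


def create_database_cmd(db_dir: Path, language: str, source_root: Path = Path("."),
                        build_command: str | None = None) -> list[str]:
    """argv for `codeql database create`.

    Compiled languages (java, cpp, csharp, go, ...) need the project's real build
    command so the extractor can observe compilation; interpreted languages such
    as python and javascript are extracted without one.
    """
    argv = ["codeql", "database", "create", str(db_dir),
            f"--language={language}", f"--source-root={source_root}"]
    if build_command:
        argv.append(f"--command={build_command}")
    return argv


def analyze_cmd(db_dir: Path, queries: str, sarif_out: Path, category: str) -> list[str]:
    """argv for `codeql database analyze`, writing SARIF.

    --sarif-category tags the file as one distinct analysis, so uploading the
    python results does not replace the cpp results for the same commit.
    --download fetches the query pack if it is not already in the local cache.
    """
    return ["codeql", "database", "analyze", str(db_dir), queries,
            "--format=sarif-latest", f"--output={sarif_out}",
            f"--sarif-category={category}", "--download"]


def upload_cmd(sarif_file: Path, repository: str, ref: str, commit: str) -> list[str]:
    """argv for `codeql github upload-results`.

    The token is deliberately not an argument: --github-auth-stdin makes the CLI
    read it from standard input, so it never appears in the CI log, the process
    list, or shell history.
    """
    return ["codeql", "github", "upload-results", f"--sarif={sarif_file}",
            f"--repository={repository}", f"--ref={ref}", f"--commit={commit}",
            "--github-auth-stdin"]


def plan(languages: dict[str, str | None], workdir: str | Path, repository: str,
         ref: str, commit: str) -> list[list[str]]:
    """Build the command sequence for every language.

    `languages` maps a CodeQL language identifier to its build command (None for
    interpreted languages). Each language gets its own database, SARIF file and
    category; the category is simply the language name here.
    """
    workdir = Path(workdir)
    cmds: list[list[str]] = []
    for lang, build in languages.items():
        db = workdir / "db" / lang
        sarif = workdir / f"{lang}.sarif"
        cmds.append(create_database_cmd(db, lang, build_command=build))
        cmds.append(analyze_cmd(db, f"codeql/{lang}-queries", sarif, category=lang))
        cmds.append(upload_cmd(sarif, repository, ref, commit))
    return cmds


def execute(cmds: list[list[str]], token: str) -> None:
    """Run the planned commands in order; the first failure fails the job."""
    if shutil.which("codeql") is None:
        raise RuntimeError("codeql is not on PATH: install the CodeQL CLI bundle first")
    for argv in cmds:
        # Only the upload step consumes the token, via stdin.
        stdin = token if "--github-auth-stdin" in argv else None
        subprocess.run(argv, input=stdin, text=True, check=True)


if __name__ == "__main__":
    # Environment variable names are assumptions about the CI system.
    commands = plan({"python": None, "cpp": "make -j"}, "codeql-work",
                    repository=os.environ["REPOSITORY"], ref=os.environ["REF"],
                    commit=os.environ["COMMIT_SHA"])
    execute(commands, os.environ["GITHUB_TOKEN"])
```

The build command passed for compiled languages must be the one the project actually uses in CI; the query pack name follows the codeql/<language>-queries convention, and `--sarif-category` is what keeps the per-language uploads from replacing each other (see the section on categories below).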

Generating a token for authentication with GitHub

Each CI server needs a GitHub App or personal access token to upload results to GitHub, whether you use the CodeQL CLI, the REST API, or another method. The token or app must have the security_events write permission. If your CI servers already use a token with this permission to check out repositories from GitHub, you can reuse it; otherwise, create a new token with the security_events write permission and add it to the CI system's secret store. For more information, see About creating GitHub Apps and Managing your personal access tokens.

For more information on the different methods for uploading results to GitHub, see Uploading a SARIF file to GitHub.

Uploading your results to GitHub

Once you have analyzed your code, produced SARIF results, and ensured you can authenticate with GitHub, you can upload the results to GitHub. For more information on the different methods you can use to upload your results, see Uploading a SARIF file to GitHub.

For specific details on uploading your results to GitHub using the CodeQL CLI, see Uploading CodeQL analysis results to GitHub.

By default, code scanning expects one SARIF results file per analysis for a repository, so when you upload a second SARIF file for the same commit it replaces the original set of results. You may legitimately want to upload several SARIF files for one commit, for example if your analysis tool generates a separate file for each language it analyzes or for each set of rules it uses. To upload more than one set of results for a commit in a repository, you must identify each set with a unique category, so that GitHub treats them as distinct analyses rather than as replacements. How you specify the category for a SARIF upload varies according to the analysis method.
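For tools other than the CodeQL CLI, the upload path is the REST API endpoint for SARIF uploads, and the category is carried inside the SARIF file itself (in runs[].automationDetails.id). The following is an added example, not code from this page or from GitHub; it assumes a token with the security_events write permission in the GITHUB_TOKEN environment variable and a tool that writes SARIF 2.1.0. The SARIF document is a constructed minimal sample, not real analysis output, and the helper names (set_category, encode_sarif, decode_sarif, is_valid_ref, build_upload_request, upload_sarif) and the OWNER, REPO, COMMIT_SHA and REF variables are this example's own; the endpoint, the gzip+base64 encoding, the request fields and the automationDetails.id convention are GitHub's.

```python
"""Upload SARIF to GitHub code scanning via the REST API (added example, not GitHub's code)."""
from __future__ import annotations

import base64
import copy
import gzip
import json
import os
import re
import urllib.request

API_VERSION = "2022-11-28"

# Constructed sample: one run from a hypothetical tool with a single finding.
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter", "rules": [{"id": "EX001"}]}},
        "results": [{
            "ruleId": "EX001",
            "level": "warning",
            "message": {"text": "constructed finding for the example"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 1},
            }}],
        }],
    }],
}


def set_category(sarif: dict, category: str) -> dict:
    """Tag every run with a category.

    For REST uploads the category lives in runs[].automationDetails.id. Without
    it, a second upload for the same commit replaces the first set of alerts
    instead of sitting alongside it.
    """
    for run in sarif["runs"]:
        run.setdefault("automationDetails", {})["id"] = category
    return sarif


def encode_sarif(sarif: dict) -> str:
    """gzip the JSON and base64-encode it, the form the sarifs endpoint expects."""
    raw = json.dumps(sarif, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_sarif(encoded: str) -> dict:
    """Inverse of encode_sarif, for inspecting a payload before it is sent."""
    return json.loads(gzip.decompress(base64.b64decode(encoded)))


def is_valid_ref(ref: str) -> bool:
    """The API wants a fully qualified ref, not a bare branch name."""
    return re.fullmatch(r"refs/(heads/.+|tags/.+|pull/\d+/(merge|head))", ref) is not None


def build_upload_request(owner: str, repo: str, commit_sha: str, ref: str, sarif: dict, *,
                         category: str | None = None, tool_name: str | None = None,
                         checkout_uri: str | None = None) -> tuple[str, dict]:
    """Return (url, json_body) for POST /repos/{owner}/{repo}/code-scanning/sarifs.

    The caller's SARIF dict is left untouched. Validation runs here so a bad ref
    or SHA fails the job before the token is ever used.
    """
    if not re.fullmatch(r"[0-9a-f]{40}", commit_sha):
        raise ValueError("commit_sha must be the full 40-hex-digit commit SHA")
    if not is_valid_ref(ref):
        raise ValueError("ref must be refs/heads/<branch>, refs/tags/<tag> or refs/pull/<n>/merge")
    sarif = copy.deepcopy(sarif)
    if category:
        set_category(sarif, category)
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encode_sarif(sarif)}
    if tool_name:
        body["tool_name"] = tool_name
    if checkout_uri:
        body["checkout_uri"] = checkout_uri  # lets GitHub relativize absolute paths in the SARIF
    return f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs", body


def upload_sarif(owner: str, repo: str, commit_sha: str, ref: str, sarif: dict,
                 token: str, **options) -> dict:
    """Send the upload; GitHub answers 202 with an id and a URL to poll for processing status."""
    url, body = build_upload_request(owner, repo, commit_sha, ref, sarif, **options)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": API_VERSION,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Environment variable names are assumptions about the CI system.
    result = upload_sarif(os.environ["OWNER"], os.environ["REPO"], os.environ["COMMIT_SHA"],
                          os.environ["REF"], SAMPLE_SARIF, os.environ["GITHUB_TOKEN"],
                          category="example-linter", tool_name="example-linter")
    print(result["url"])
```

Use a distinct category per tool, language, or rule set, and keep it stable across runs: GitHub matches a new upload against the previous upload with the same category to decide which alerts are fixed and which are still open, so a category that changes on every build produces a fresh set of alerts each time instead of updating the existing ones.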