Introduction

Imagine that you're the GitHub administrator for a project and you want to make sure that the code doesn't include any security vulnerabilities or errors. Manually checking your code base can be very time consuming, especially if it's large. Your company just purchased a GitHub Advanced Security license, which saves time and effort by letting you use code scanning. With code scanning, you receive alerts that point to problematic code, so you can quickly find the problem areas and make the necessary changes. To enable code scanning, you need to know what tools are available and what their features are. You also need to understand how often to perform code scanning and the types of events you can use to trigger scans.
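As an added illustration (this workflow is not part of the module's own material), here is what a minimal CodeQL code scanning workflow looks like when stored in the repository as a file such as `.github/workflows/codeql.yml`. It shows the two kinds of triggers the module contrasts: event-driven scans (`push` and `pull_request` against the default branch) and a scheduled scan (`schedule` with a cron expression) that catches issues in code that hasn't changed but that newer queries now flag. The branch name `main`, the cron time, and the language list are assumptions chosen for the example; the actions used (`actions/checkout`, `github/codeql-action/init`, `autobuild`, and `analyze`) are GitHub's published actions.

```yaml
# Example CodeQL code scanning workflow (added illustration, not from the module).
# Assumptions: default branch is "main"; the repository contains JavaScript/TypeScript
# and Python code; a weekly Monday 02:30 UTC scan is an acceptable cadence.
name: "CodeQL"

on:
  # Event-triggered scans: run on every push to main and on every pull request
  # targeting main, so findings surface before the change is merged.
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Scheduled scan: re-analyze the whole code base once a week even if nothing
  # changed, so newly published CodeQL queries can flag existing code.
  schedule:
    - cron: "30 2 * * 1"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least-privilege token: the job only needs to read code and write
    # security events (the SARIF results that become code scanning alerts).
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript-typescript", "python" ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Prepares the CodeQL database for the selected language.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Attempts to build compiled languages automatically; for interpreted
      # languages like Python it is effectively a no-op.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # Runs the queries and uploads results, which appear as code scanning alerts.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Once this file is committed to the default branch, the Security tab of the repository lists the alerts each run produces, and pull requests against `main` show any new alerts inline on the changed lines.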

This module introduces you to code scanning and its features. You'll learn how to implement code scanning using CodeQL, third-party tools, and GitHub Actions. You'll also learn about the different ways you can configure code scanning to optimize your experience.

Learning Objectives

After completing this module, you'll be able to:

  • Describe code scanning.
  • List the steps for enabling code scanning in a repository.
  • List the steps for enabling code scanning with third-party analysis.
  • Contrast how to implement CodeQL analysis in a GitHub Actions workflow versus a third-party continuous integration (CI) tool.
  • Explain how to configure code scanning on a repository using triggering events.
  • Contrast the frequency of code scanning workflows (scheduled vs triggered by events).

Prerequisites

  • A GitHub account
  • Familiarity with managing GitHub administrative settings
  • Basic knowledge of GitHub Actions