...

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
  3. In the left sidebar, click Code scanning.
  4. Optionally, use the free text search box or the dropdown menus to filter alerts. For example, you can filter by the tool that was used to identify alerts.
  5. Under "Code scanning," click the alert you'd like to explore to display the detailed alert page. The status and details on the alert page reflect only the state of the alert on the default branch of the repository, even if the alert exists in other branches. You can see the status of the alert on non-default branches in the Affected branches section on the right-hand side of the alert page. If an alert doesn't exist in the default branch, its status is displayed as "in pull request" or "in branch" and is colored grey. The Development section shows linked branches and pull requests that will fix the alert.

...

  1. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
  2. In the left sidebar, click Code scanning.
  3. Click the name of an alert.
  4. If Copilot Autofix can suggest a fix, at the top of the page, click Generate fix.
  5. Once the suggested fix has been generated, at the bottom of the page, you can click Create PR with fix to automatically generate a pull request with the suggested fix. A new branch is created from the default branch, the generated fix is committed and a draft pull request is created. You can test and edit the suggested fix as you would with any other fix.

...

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
  3. In the left sidebar, click Code scanning.
  4. If you want to dismiss an alert, it's important to explore the alert first, so that you can choose the correct dismissal reason. Click the alert you'd like to explore.
  5. Review the alert, then click Dismiss alert and choose, or type, a reason for closing the alert.

It's important to choose the appropriate reason from the drop-down menu as this may affect whether a query continues to be included in future analysis. Optionally, you can comment on a dismissal to record the context of an alert dismissal. The dismissal comment is added to the alert timeline and can be used as justification during auditing and reporting.

...

GitHub Copilot Autofix will suggest fixes for alerts from code scanning analysis (including CodeQL analysis) in repositories. For more information on working with suggestions from Copilot Autofix in pull requests, see Working with Copilot Autofix suggestions for alerts on a pull request.

Default setup for CodeQL

Default setup for code scanning is the quickest, easiest and lowest-maintenance way to enable code scanning for your repository. Based on the code in your repository, default setup automatically creates a custom code scanning configuration. After enabling default setup, the code written in CodeQL-supported languages in your repository will be scanned:

  • On each push to the repository's default branch, or any protected branch. For more information on protected branches, see About protected branches.
  • When a pull request targeting the repository's default branch, or any protected branch, is created or committed to, excluding pull requests from forks.
  • On a weekly schedule.

Advanced setup for CodeQL

Advanced setup for code scanning is helpful when you need to customize your code scanning. By creating and editing a workflow file, you can define how to build compiled languages, choose which queries to run, select the languages to scan, use a matrix build, and more. You also have access to all the options for controlling workflows, for example: changing the scan schedule, defining workflow triggers, specifying specialist runners to use. For more information about GitHub Actions workflows, see Workflows.

Recommendations

When you are setting up code scanning for the first time, or across multiple repositories, it's best to use default setup. Default setup uses the simplest method available to generate a CodeQL database and analyze your code, so that you can start fixing alerts as soon as possible. Once you have resolved the initial alerts, you may want to switch to advanced setup with a manual build process for high-risk repositories.