diff --git a/assets/images/help/repository/code-scanning-check-failure.png b/assets/images/help/repository/code-scanning-check-failure.png
new file mode 100644
index 000000000000..46488c5bb39f
Binary files /dev/null and b/assets/images/help/repository/code-scanning-check-failure.png differ
diff --git a/assets/images/help/repository/code-scanning-pr-alert.png b/assets/images/help/repository/code-scanning-pr-alert.png
new file mode 100644
index 000000000000..a62a85215fc2
Binary files /dev/null and b/assets/images/help/repository/code-scanning-pr-alert.png differ
diff --git a/assets/images/help/repository/code-scanning-pr-annotation.png b/assets/images/help/repository/code-scanning-pr-annotation.png
new file mode 100644
index 000000000000..fc15573141ea
Binary files /dev/null and b/assets/images/help/repository/code-scanning-pr-annotation.png differ
diff --git a/content/actions/reference/workflow-syntax-for-github-actions.md b/content/actions/reference/workflow-syntax-for-github-actions.md
index 269be12a6774..98a4e2efe9dd 100644
--- a/content/actions/reference/workflow-syntax-for-github-actions.md
+++ b/content/actions/reference/workflow-syntax-for-github-actions.md
@@ -948,7 +948,25 @@ jobs: #### **`jobs..container.image`** -The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a public docker registry name. +The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a {% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "enterprise-server@2.23" %}public{% endif %} registry name. + +{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %} +#### **`jobs..container.credentials`** + +{% data reusables.actions.registry-credentials %} + +##### Example + +{% raw %} +```yaml +container: + image: ghcr.io/owner/image + credentials: + username: ${{ github.actor }} + password: ${{ secrets.ghcr_token }} +``` +{% endraw %} +{% endif %} #### **`jobs..container.env`** 
@@ -1011,19 +1029,43 @@ services: - 6379/tcp ``` -#### **`jobs..services.image`** +#### **`jobs..services..image`** + +The Docker image to use as the service container to run the action. The value can be the Docker Hub image name or a {% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "enterprise-server@2.23" %}public{% endif %} registry name. -The Docker image to use as the service container to run the action. The value can be the Docker base image name or a public docker Hub or registry. +{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %} +#### **`jobs..services..credentials`** + +{% data reusables.actions.registry-credentials %} + +##### Example + +{% raw %} +```yaml +services: + myservice1: + image: ghcr.io/owner/myservice1 + credentials: + username: ${{ github.actor }} + password: ${{ secrets.ghcr_token }} + myservice2: + image: dockerhub_org/myservice2 + credentials: + username: ${{ secrets.DOCKER_USER }} + password: ${{ secrets.DOCKER_PASSWORD }} +``` +{% endraw %} +{% endif %} -#### **`jobs..services.env`** +#### **`jobs..services..env`** Sets a `map` of environment variables in the service container. -#### **`jobs..services.ports`** +#### **`jobs..services..ports`** Sets an `array` of ports to expose on the service container. -#### **`jobs..services.volumes`** +#### **`jobs..services..volumes`** Sets an `array` of volumes for the service container to use. You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host. @@ -1042,7 +1084,7 @@ volumes: - /source/directory:/destination/directory ``` -#### **`jobs..services.options`** +#### **`jobs..services..options`** Additional Docker container resource options. For a list of options, see "[`docker create` options](https://docs.docker.com/engine/reference/commandline/create/#options)." 
diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning.md
index c1e1972bded8..5e829c143837 100644
--- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning.md
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning.md
@@ -18,7 +18,7 @@ versions: You can use {{ site.data.variables.product.prodname_code_scanning }} to find, triage, and prioritize fixes for existing problems in your code. {{ site.data.variables.product.prodname_code_scanning_capc }} also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push. -If {{ site.data.variables.product.prodname_code_scanning }} finds a potential vulnerability or error in your code, {{ site.data.variables.product.prodname_dotcom }} displays an alert in the repository. After you fix the code that triggered the alert, {{ site.data.variables.product.prodname_dotcom }} closes the alert. For more information, see "[Managing alerts from {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +If {{ site.data.variables.product.prodname_code_scanning }} finds a potential vulnerability or error in your code, {{ site.data.variables.product.prodname_dotcom }} displays an alert in the repository. After you fix the code that triggered the alert, {{ site.data.variables.product.prodname_dotcom }} closes the alert. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." To monitor results from {{ site.data.variables.product.prodname_code_scanning }} across your repositories or your organization, you can use the {{ site.data.variables.product.prodname_code_scanning }} API. For more information about API endpoints, see "[{{ site.data.variables.product.prodname_code_scanning_capc }}](/v3/code-scanning)." 
diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning.md
index a33b5f7315d3..f8721a8a5f09 100644
--- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning.md
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning.md
@@ -11,7 +11,7 @@ versions: {{ site.data.reusables.code-scanning.beta }} {{ site.data.reusables.code-scanning.enterprise-enable-code-scanning }} -As an alternative to running {{ site.data.variables.product.prodname_code_scanning }} within {{ site.data.variables.product.prodname_dotcom }}, you can perform analysis elsewhere and then upload the results. Alerts for {{ site.data.variables.product.prodname_code_scanning }} that you run externally are displayed in the same way as those for {{ site.data.variables.product.prodname_code_scanning }} that you run within {{ site.data.variables.product.prodname_dotcom }}. For more information, see "[Managing alerts from code scanning](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +As an alternative to running {{ site.data.variables.product.prodname_code_scanning }} within {{ site.data.variables.product.prodname_dotcom }}, you can perform analysis elsewhere and then upload the results. Alerts for {{ site.data.variables.product.prodname_code_scanning }} that you run externally are displayed in the same way as those for {{ site.data.variables.product.prodname_code_scanning }} that you run within {{ site.data.variables.product.prodname_dotcom }}. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." You can use your continuous integration or continuous delivery/deployment (CI/CD) system to run {{ site.data.variables.product.prodname_dotcom }}'s {{ site.data.variables.product.prodname_codeql }} analysis and upload the results to {{ site.data.variables.product.prodname_dotcom }}. This is an alternative to using {{ site.data.variables.product.prodname_actions }} to run {{ site.data.variables.product.prodname_codeql }} analysis. 
For more information, see "[Running code scanning in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system)." diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system.md index 19e0e722f58d..22a75d67889c 100644 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system.md +++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system.md @@ -94,7 +94,7 @@ If the `autobuild` command can't build your code, you can run the build steps yo By default, the {{ site.data.variables.product.prodname_codeql_runner }} uploads results from {{ site.data.variables.product.prodname_code_scanning }} when you run the `analyze` command. You can also upload SARIF files separately, by using the `upload` command. -Once you've uploaded the data, {{ site.data.variables.product.prodname_dotcom }} displays the alerts in your repository. For more information, see "[Managing alerts from code scanning](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning#viewing-an-alert)." +Once you've uploaded the data, {{ site.data.variables.product.prodname_dotcom }} displays the alerts in your repository. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert)." ### {{ site.data.variables.product.prodname_codeql_runner }} command reference 
diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository.md
index c2756078459b..5a2ec4bace0a 100644
--- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository.md
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository.md
@@ -45,5 +45,5 @@ After you commit the workflow file or create a pull request, {{ site.data.variab After you enable {{ site.data.variables.product.prodname_code_scanning }}, you can monitor analysis, view results, and further customize how you scan your code. - You can view the run status of {{ site.data.variables.product.prodname_code_scanning }} and get notifications for completed runs. For more information, see "[Managing a workflow run](/actions/configuring-and-managing-workflows/managing-a-workflow-run)" and "[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications#github-actions-notification-options)." -- After a scan completes, you can view alerts from a completed scan. For more information, see "[Managing alerts from {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +- After a scan completes, you can view alerts from a completed scan. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." - You can customize how {{ site.data.variables.product.prodname_code_scanning }} scans the code in your repository. For more information, see "[Configuring code scanning](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning)." diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/index.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/index.md index c52b3d81a92c..034c29697731 100644 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/index.md +++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/index.md 
@@ -11,8 +11,9 @@ versions: {% topic_link_in_list /automatically-scanning-your-code-for-vulnerabilities-and-errors %} {% link_in_list /about-code-scanning %} + {% link_in_list /triaging-code-scanning-alerts-in-pull-requests %} {% link_in_list /enabling-code-scanning-for-a-repository %} - {% link_in_list /managing-alerts-from-code-scanning %} + {% link_in_list /managing-code-scanning-alerts-for-your-repository %} {% link_in_list /configuring-code-scanning %} {% link_in_list /configuring-the-codeql-workflow-for-compiled-languages %} {% link_in_list /troubleshooting-the-codeql-workflow %} diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning.md deleted file mode 100644 index 91741b619555..000000000000 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -title: Managing alerts from code scanning -shortTitle: Managing alerts -intro: 'You can view, fix, and close alerts for potential vulnerabilities or errors in your project''s code.' -product: '{{ site.data.reusables.gated-features.code-scanning }}' -permissions: 'People with write permissions to a repository can manage {{ site.data.variables.product.prodname_code_scanning }} alerts for the repository.' -redirect_from: - - /github/managing-security-vulnerabilities/managing-alerts-from-automated-code-scanning -versions: - free-pro-team: '*' - enterprise-server: '>=2.22' ---- - -{{ site.data.reusables.code-scanning.beta }} -{{ site.data.reusables.code-scanning.enterprise-enable-code-scanning }} - -### About alerts from {{ site.data.variables.product.prodname_code_scanning }} - -After you enable {{ site.data.variables.product.prodname_code_scanning }}, {{ site.data.variables.product.prodname_dotcom }} displays {{ site.data.variables.product.prodname_code_scanning }} alerts in your repository. For more information, see "[Enabling {{ site.data.variables.product.prodname_code_scanning }} for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository)." - -Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by {{ site.data.variables.product.prodname_codeql }} analysis, you will also see information on how to fix the problem. - -![Example alert from {{ site.data.variables.product.prodname_code_scanning }}](/assets/images/help/repository/code-scanning-alert.png) - -If you won't take the action that the alert recommends, you can close the alert manually. 
For example, you can close an alert for code that's used for testing, or if you believe the alert is a false positive. You might also want to close an alert if the effort of fixing the coding error is greater than the potential benefit of improving the code. - -By default, {{ site.data.variables.product.prodname_dotcom }} displays alerts for the default branch and any protected branches. You can sort and filter the list of alerts to see only the alerts you're interested in. - -You can see the alerts introduced in a pull request, and take immediate action. When {{ site.data.variables.product.prodname_code_scanning }} finds vulnerabilities or errors in a pull request, {{ site.data.variables.product.prodname_dotcom }} displays annotations in the timeline and the diff views of the pull request. - -If you enable {{ site.data.variables.product.prodname_code_scanning }} using {{ site.data.variables.product.prodname_codeql }}, this can also detect data-flow problems in your code. Data-flow analysis finds potential security issues in code, such as: using data insecurely, passing dangerous arguments to functions, and leaking sensitive information. - -When {{ site.data.variables.product.prodname_code_scanning }} reports data-flow alerts, {{ site.data.variables.product.prodname_dotcom }} shows you how data moves through the code. {{ site.data.variables.product.prodname_code_scanning_capc }} allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users. - -{{ site.data.reusables.code-scanning.you-can-upload-third-party-analysis }} {{ site.data.reusables.code-scanning.get-started-uploading-third-party-data }} - -If you scan your code using a third-party tool or scan your code with custom {{ site.data.variables.product.prodname_codeql }} queries, {{ site.data.variables.product.prodname_dotcom }} will only use the supported SARIF 2.1.0 properties to display alerts. 
Results from third-party tools or custom queries may not include all of the properties that you see when you scan your code using {{ site.data.variables.product.company_short }}'s default {{ site.data.variables.product.prodname_codeql }} queries. For more information, see "[SARIF support for {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning)." - -### Viewing an alert - -{{ site.data.reusables.repositories.navigate-to-repo }} -{{ site.data.reusables.repositories.sidebar-security }} -{{ site.data.reusables.repositories.sidebar-code-scanning-alerts }} -{{ site.data.reusables.code-scanning.click-alert-in-list }} -5. Optionally, if the alert highlights a problem with data flow, click **Show paths** to review the data's path. - ![Example data-flow alert](/assets/images/help/repository/code-scanning-show-paths.png) - -### Closing an alert - -{{ site.data.reusables.repositories.navigate-to-repo }} -{{ site.data.reusables.repositories.sidebar-security }} -{{ site.data.reusables.repositories.sidebar-code-scanning-alerts }} -{{ site.data.reusables.code-scanning.click-alert-in-list }} -5. Use the "Close" drop-down, and click a reason for closing the alert. - ![Choosing reason for closing the alert via the "Close" drop-down](/assets/images/help/repository/code-scanning-alert-close-drop-down.png) - -### Further reading - -- "[Running code scanning in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system)" -- "[{{ site.data.variables.product.prodname_code_scanning_capc }} API](/v3/code-scanning)" diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository.md new file mode 100644 index 000000000000..aec511556e8d 
--- /dev/null
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository.md
@@ -0,0 +1,66 @@ +--- +title: Managing code scanning alerts for your repository +shortTitle: Managing alerts +intro: 'You can view, fix, and close alerts for potential vulnerabilities or errors in your project''s code.' +product: '{{ site.data.reusables.gated-features.code-scanning }}' +permissions: 'People with write permission to a repository can manage {{ site.data.variables.product.prodname_code_scanning }} alerts for the repository.' +versions: + free-pro-team: '*' + enterprise-server: '>=2.22' +redirect_from: + - /github/managing-security-vulnerabilities/managing-alerts-from-automated-code-scanning + - /github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning +--- + +{{ site.data.reusables.code-scanning.beta }} +{{ site.data.reusables.code-scanning.enterprise-enable-code-scanning }} + +### About alerts from {{ site.data.variables.product.prodname_code_scanning }} + +You can set up {{ site.data.variables.product.prodname_code_scanning }} to check the code in a repository using the default {{ site.data.variables.product.prodname_codeql }} analysis, a third-party analysis, or multiple types of analysis. When the analysis is complete, the resulting alerts are displayed alongside each other in the security view of the repository. Results from third-party tools or from custom queries may not include all of the properties that you see for alerts detected by {{ site.data.variables.product.company_short }}'s default {{ site.data.variables.product.prodname_codeql }} analysis. For more information, see "[Enabling {{ site.data.variables.product.prodname_code_scanning }} for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository)." + +By default, {{ site.data.variables.product.prodname_code_scanning }} analyzes your code periodically on the default branch and during pull requests. 
For information about managing alerts on a pull request, see "[Triaging {{ site.data.variables.product.prodname_code_scanning }} alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)." + +### About alerts details + +Each alert highlights a problem with the code and the name of the tool that identified it. You can see the line of code that triggered the alert, as well as properties of the alert, such as the severity and the nature of the problem. Alerts also tell you when the issue was first introduced. For alerts identified by {{ site.data.variables.product.prodname_codeql }} analysis, you will also see information on how to fix the problem. + +![Example alert from {{ site.data.variables.product.prodname_code_scanning }}](/assets/images/help/repository/code-scanning-alert.png) + +If you enable {{ site.data.variables.product.prodname_code_scanning }} using {{ site.data.variables.product.prodname_codeql }}, this can also detect data-flow problems in your code. Data-flow analysis finds potential security issues in code, such as: using data insecurely, passing dangerous arguments to functions, and leaking sensitive information. + +When {{ site.data.variables.product.prodname_code_scanning }} reports data-flow alerts, {{ site.data.variables.product.prodname_dotcom }} shows you how data moves through the code. {{ site.data.variables.product.prodname_code_scanning_capc }} allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users. + +### Viewing an alert + +Anyone with read permission for a repository can see {{ site.data.variables.product.prodname_code_scanning }} alerts on pull requests. However, you need write permission to view a summary of alerts for repository on the **Security** tab. By default, alerts are shown for the default branch. 
+ +{{ site.data.reusables.repositories.navigate-to-repo }} +{{ site.data.reusables.repositories.sidebar-security }} +{{ site.data.reusables.repositories.sidebar-code-scanning-alerts }} +{{ site.data.reusables.code-scanning.click-alert-in-list }} +5. Optionally, if the alert highlights a problem with data flow, click **Show paths** to display the path from the data source to the sink where it's used. + ![Example data-flow alert](/assets/images/help/repository/code-scanning-show-paths.png) + +### Fixing an alert + +Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {{ site.data.variables.product.prodname_code_scanning }} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {{ site.data.variables.product.prodname_code_scanning }} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[Configuring {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning)" and "[Triaging {{ site.data.variables.product.prodname_code_scanning }} alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)." + +### Closing an alert + +Closing an alert is a way to resolve an alert that you don't think needs to be fixed. {{ site.data.reusables.code-scanning.close-alert-examples }} + +{{ site.data.reusables.repositories.navigate-to-repo }} +{{ site.data.reusables.repositories.sidebar-security }} +{{ site.data.reusables.repositories.sidebar-code-scanning-alerts }} +{{ site.data.reusables.code-scanning.click-alert-in-list }} +5. Select the Close drop-down menu and click a reason for closing the alert. 
+ ![Choosing reason for closing the alert via the Close drop-down](/assets/images/help/repository/code-scanning-alert-close-drop-down.png) + +{{ site.data.reusables.code-scanning.false-positive-fix-codeql }} + +### Further reading + +- "[Triaging {{ site.data.variables.product.prodname_code_scanning }} alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)" +- "[Enabling {{ site.data.variables.product.prodname_code_scanning }} for a repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository)" +- "[About integration with {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/about-integration-with-code-scanning)" diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system.md index f22e4fb2b20a..6ece0ea9f8c4 100644 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system.md +++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system.md 
@@ -93,7 +93,7 @@ This example runs {{ site.data.variables.product.prodname_codeql }} analysis on > Successfully uploaded results ``` -The server has access to download the {{ site.data.variables.product.prodname_codeql }} bundle directly from the `github/codeql-action` repository on {{ site.data.variables.product.prodname_dotcom_the_website}}{% if currentVersion != "free-pro-team@latest" %} or mirrored on {{ site.data.variables.product.product_location }}{% endif %}, so there is no need to use the `--codeql-path` flag. When the analysis is complete, the {{ site.data.variables.product.prodname_codeql_runner }} uploads the results to the {{ site.data.variables.product.prodname_code_scanning }} view. For more information, see "[Managing alerts from {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +The server has access to download the {{ site.data.variables.product.prodname_codeql }} bundle directly from the `github/codeql-action` repository on {{ site.data.variables.product.prodname_dotcom_the_website}}{% if currentVersion != "free-pro-team@latest" %} or mirrored on {{ site.data.variables.product.product_location }}{% endif %}, so there is no need to use the `--codeql-path` flag. When the analysis is complete, the {{ site.data.variables.product.prodname_codeql_runner }} uploads the results to the {{ site.data.variables.product.prodname_code_scanning }} view. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." #### Compiled language example 
diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning.md
index 98cadc8bc41b..166acb8768ae 100644
--- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning.md
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning.md
@@ -21,7 +21,7 @@ To upload a SARIF file from a third-party static code analysis engine, you'll ne If you're using {{ site.data.variables.product.prodname_actions}} with the {{ site.data.variables.product.prodname_codeql_workflow }} or using the {{ site.data.variables.product.prodname_codeql_runner }}, then the {{ site.data.variables.product.prodname_code_scanning }} results will automatically use the supported subset of SARIF 2.1.0. For more information, see "[Enabling {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning)" or "[Running code scanning in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system)." -{{ site.data.variables.product.prodname_dotcom }} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {{ site.data.variables.product.prodname_code_scanning }} alert. The `location` allows {{ site.data.variables.product.prodname_dotcom }} to show annotations in your code file. For more information, see "[Managing alerts from {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +{{ site.data.variables.product.prodname_dotcom }} uses properties in the SARIF file to display alerts. For example, the `shortDescription` and `fullDescription` appear at the top of a {{ site.data.variables.product.prodname_code_scanning }} alert. The `location` allows {{ site.data.variables.product.prodname_dotcom }} to show annotations in your code file. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." 
If you're new to SARIF and want to learn more, see Microsoft's [`SARIF tutorials`](https://github.com/microsoft/sarif-tutorials) repository. @@ -125,38 +125,47 @@ This SARIF output file has example values to show the minimum required propertie ```json { - "$schema" : "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "version" : "2.1.0", - "runs" : - [ - { - "tool" : { - "driver" : { - "name" : "Tool Name" - } - }, - "results" : [ { - "message" : { - "text" : "Result text. This result does not have a rule associated." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "src/build.cmd" - }, - "region" : { - "startLine" : 2, - "startColumn" : 7, - "endColumn" : 10 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "39fa2ee980eb94b0:1" - } - }] - } - ] + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Tool Name", + "rules": [ + { + "id": "R01" + } + ] + } + }, + "results": [ + { + "ruleId": "R01", + "message": { + "text": "Result text. This result does not have a rule associated." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "fileURI" + }, + "region": { + "startLine": 2, + "startColumn": 7, + "endColumn": 10 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "39fa2ee980eb94b0:1" + } + } + ] + } + ] } ``` @@ -176,7 +185,7 @@ This SARIF output file has example values to show all supported SARIF properties "semanticVersion": "2.0.0", "rules": [ { - "id": "js/unused-local-variable", + "id": "3f292041e51d22005ce48f39df3585d44ce1b0ad", "name": "js/unused-local-variable", "shortDescription": { "text": "Unused variable, import, function or class" 
@@ -195,7 +204,7 @@ This SARIF output file has example values to show all supported SARIF properties } }, { - "id": "js/inconsistent-use-of-new", + "id": "d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0", "name": "js/inconsistent-use-of-new", "shortDescription": { "text": "Inconsistent use of 'new'" @@ -203,7 +212,6 @@ This SARIF output file has example values to show all supported SARIF properties "fullDescription": { "text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'." }, - "defaultConfiguration": null, "properties": { "tags": [ "reliability", @@ -212,13 +220,16 @@ This SARIF output file has example values to show all supported SARIF properties ], "precision": "very-high" } + }, + { + "id": "R01" } ] } }, "results": [ { - "ruleId": "js/unused-local-variable", + "ruleId": "3f292041e51d22005ce48f39df3585d44ce1b0ad", "ruleIndex": 0, "message": { "text": "Unused variable foo." @@ -228,8 +239,7 @@ This SARIF output file has example values to show all supported SARIF properties "physicalLocation": { "artifactLocation": { "uri": "main.js", - "uriBaseId": "%SRCROOT%", - "index": 0 + "uriBaseId": "%SRCROOT%" }, "region": { "startLine": 2, @@ -245,7 +255,7 @@ This SARIF output file has example values to show all supported SARIF properties } }, { - "ruleId": "js/inconsistent-use-of-new", + "ruleId": "d5b664aefd5ca4b21b52fdc1d744d7d6ab6886d0", "ruleIndex": 1, "message": { "text": "Function resolvingPromise is sometimes invoked as a constructor (for example [here](1)), and sometimes as a normal function (for example [here](2))." 
@@ -254,8 +264,8 @@ This SARIF output file has example values to show all supported SARIF properties { "physicalLocation": { "artifactLocation": { - "uri": "https://github.com/github/example/blob/0000000000000000000000000000000000000000/src/promiseUtils.js", - "index": 1 + "uri": "src/promises.js", + "uriBaseId": "%SRCROOT%" }, "region": { "startLine": 2 @@ -273,8 +283,7 @@ This SARIF output file has example values to show all supported SARIF properties "physicalLocation": { "artifactLocation": { "uri": "src/ParseObject.js", - "uriBaseId": "%SRCROOT%", - "index": 3 + "uriBaseId": "%SRCROOT%" }, "region": { "startLine": 2281, @@ -291,8 +300,7 @@ This SARIF output file has example values to show all supported SARIF properties "physicalLocation": { "artifactLocation": { "uri": "src/LiveQueryClient.js", - "uriBaseId": "%SRCROOT%", - "index": 2 + "uriBaseId": "%SRCROOT%" }, "region": { "startLine": 166 @@ -305,6 +313,7 @@ This SARIF output file has example values to show all supported SARIF properties ] }, { + "ruleId": "R01", "message": { "text": "Specifying both [ruleIndex](1) and [ruleID](2) might lead to inconsistencies." }, @@ -314,8 +323,7 @@ This SARIF output file has example values to show all supported SARIF properties "physicalLocation": { "artifactLocation": { "uri": "full.sarif", - "uriBaseId": "%SRCROOT%", - "index": 0 + "uriBaseId": "%SRCROOT%" }, "region": { "startLine": 54, @@ -409,12 +417,6 @@ This SARIF output file has example values to show all supported SARIF properties } } ], - "newlineSequences": [ - "\r\n", - "\n", - "", - "" - ], "columnKind": "utf16CodeUnits" } ] diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests.md new file mode 100644 index 000000000000..573f3d919dab --- /dev/null 
+++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests.md 
@@ -0,0 +1,49 @@ +--- +title: Triaging code scanning alerts in pull requests +shortTitle: Triaging alerts in pull requests +intro: 'When {{ site.data.variables.product.prodname_code_scanning }} identifies a problem in a pull request, you can review the highlighted code and resolve the alert.' +product: '{{ site.data.reusables.gated-features.code-scanning }}' +permissions: 'People with write permission to a repository can resolve {{ site.data.variables.product.prodname_code_scanning }} alerts.' +versions: + free-pro-team: '*' + enterprise-server: '>=2.22' +--- + +{{ site.data.reusables.code-scanning.beta }} +{{ site.data.reusables.code-scanning.enterprise-enable-code-scanning-actions }} + +### About {{ site.data.variables.product.prodname_code_scanning }} results on pull requests + +In repositories where {{ site.data.variables.product.prodname_code_scanning }} is configured as a pull request check, {{ site.data.variables.product.prodname_code_scanning }} checks the code in the pull request. By default, this is limited to pull requests that target the default branch or protected branches, but you can change this configuration within {{ site.data.variables.product.prodname_actions }} or in a third-party CI/CD system. If merging the changes would introduce new {{ site.data.variables.product.prodname_code_scanning }} alerts to the target branch, these are reported as check results in the pull request. The alerts are also shown as annotations in the **Files changed** tab of the pull request. If you have write permission for the repository, you can see any existing {{ site.data.variables.product.prodname_code_scanning }} alerts on the **Security** tab. For information about repository alerts, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." 
+ +If {{ site.data.variables.product.prodname_code_scanning }} has any results with a severity of `error`, the check fails and the error is reported in the check results. If all the results found by {{ site.data.variables.product.prodname_code_scanning }} have lower severities, the alerts are treated as warnings or notices and the check succeeds. If your pull request targets a protected branch, and the repository owner has configured required status checks, then you must either fix or close any error alerts before the pull request can be merged. For more information, see "[About required status checks](/github/administering-a-repository/about-required-status-checks)." + +![Example pull request check status with {{ site.data.variables.product.prodname_code_scanning }} alert](/assets/images/help/repository/code-scanning-check-failure.png) + +### About {{ site.data.variables.product.prodname_code_scanning }} as a pull request check + +There are many options for configuring {{ site.data.variables.product.prodname_code_scanning }} as a pull request check, so the exact setup of each repository will vary and some will have more than one check. The check that contains the results of {{ site.data.variables.product.prodname_code_scanning }} is: **Code scanning results**. + +If the repository uses the {{ site.data.variables.product.prodname_codeql_workflow }} a **{{ site.data.variables.product.prodname_codeql }} / Analyze (LANGUAGE)** check is run for each language before the results check runs. The analysis check may fail if there are configuration problems, or if the pull request breaks the build for a language that the analysis needs to compile (for example, C/C++, C#, or Java). As with other pull request checks, you can see full details of the check failure on the **Checks** tab. 
For more information about configuring and troubleshooting, see "[Configuring {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning)" or "[Troubleshooting {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning)." + +### Triaging an alert on your pull request + +When you look at the **Files changed** tab for a pull request, you see annotations for any lines of code that triggered the alert. + +![Example {{ site.data.variables.product.prodname_code_scanning }} alert shown as an annotation in the "Files changed" view of a pull request](/assets/images/help/repository/code-scanning-pr-annotation.png) + +Some annotations contain links with extra context for the alert. In the example above, from {{ site.data.variables.product.prodname_codeql }} analysis, you can click **user-provided value** to see where the untrusted data enters the data flow (this is referred to as the source). In this case you can view the full path from the source to the code that uses the data (the sink) by clicking **Show paths**. This makes it easy to check whether the data is untrusted or if the analysis failed to recognize a data sanitization step between the source and the sink. For information about analyzing data flow using {{ site.data.variables.product.prodname_codeql }}, see "[About data flow analysis](https://help.semmle.com/QL/learn-ql/intro-to-data-flow.html)." + +For more information about an alert, click **Show more details** on the annotation. This allows you to see all of the context and metadata provided by the tool in an alert view. In the example below, you can see tags showing the severity, type, and relevant common weakness enumerations (CWEs) for the problem. The view also shows which commit introduced the problem. 
+ +Alerts from some tools, like {{ site.data.variables.product.prodname_codeql }}, also include a description and a **Show more** link for guidance on how to fix the problem in the code. + +![Example of "Show more details" for a {{ site.data.variables.product.prodname_code_scanning }} alert in a pull request](/assets/images/help/repository/code-scanning-pr-alert.png) + +### Resolving an alert on your pull request + +Anyone with write permission for a repository can resolve alerts on a pull request. If you commit changes to the pull request this triggers a new run of the pull request checks. If your changes fix the problem, the alert is resolved and the annotation removed. + +If you don't think that an alert needs to be fixed, you can close the alert manually. {{ site.data.reusables.code-scanning.close-alert-examples }} The **Close** button is available in annotations and in the alerts view if you have write permission for the repository. + +{{ site.data.reusables.code-scanning.false-positive-fix-codeql }} diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md index 601b000049d9..75c2b36efab8 100644 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md +++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md 
@@ -57,6 +57,7 @@ If your workflow fails with an error `No source code was seen during the build` # ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] language: ['go', 'javascript'] ``` +For more information, see the workflow extract in "[Automatic build for a compiled language fails](#automatic-build-for-a-compiled-language-fails)" above. 1. Your {{ site.data.variables.product.prodname_code_scanning }} workflow is analyzing a compiled language (C, C++, C#, or Java), but the code was not compiled. By default, the {{ site.data.variables.product.prodname_codeql }} analysis workflow contains an `autobuild` step, however, this step represents a best effort process, and may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about specifying build steps, see "[Configuring the {{ site.data.variables.product.prodname_codeql }} workflow for compiled languages](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-workflow-for-compiled-languages#adding-build-steps-for-a-compiled-language)." 1. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {{ site.data.variables.product.prodname_codeql }} observes the activity of the compiler to understand the data flows in a repository, {{ site.data.variables.product.prodname_codeql }} requires a complete build to take place in order to perform analysis. 1. Your workflow is analyzing a compiled language (C, C++, C#, or Java), but compilation does not occur between the `init` and `analyze` steps in the workflow. {{ site.data.variables.product.prodname_codeql }} requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis. 
@@ -99,7 +100,7 @@ If you use self-hosted runners to run {{ site.data.variables.product.prodname_co #### Use matrix builds to parallelize the analysis -The default {{ site.data.variables.product.prodname_codeql_workflow }} uses a build matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see "[Managing complex workflows](/actions/learn-github-actions/managing-complex-workflows/#using-a-build-matrix)." +The default {{ site.data.variables.product.prodname_codeql_workflow }} uses a build matrix of languages, which causes the analysis of each language to run in parallel. If you have specified the languages you want to analyze directly in the "Initialize CodeQL" step, analysis of each language will happen sequentially. To speed up analysis of multiple languages, modify your workflow to use a matrix. For more information, see the workflow extract in "[Automatic build for a compiled language fails](#automatic-build-for-a-compiled-language-fails)" above. #### Reduce the amount of code being analyzed in a single workflow diff --git a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github.md b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github.md index f3e6d78cf1cf..81111282db98 100644 --- a/content/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github.md +++ b/content/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github.md 
@@ -16,7 +16,7 @@ versions: ### About SARIF file uploads for {{ site.data.variables.product.prodname_code_scanning }} -{{ site.data.variables.product.prodname_dotcom }} creates {{ site.data.variables.product.prodname_code_scanning }} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {{ site.data.variables.product.prodname_actions }}. For more information, see "[Managing alerts from {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-alerts-from-code-scanning)." +{{ site.data.variables.product.prodname_dotcom }} creates {{ site.data.variables.product.prodname_code_scanning }} alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or {{ site.data.variables.product.prodname_actions }}. For more information, see "[Managing {{ site.data.variables.product.prodname_code_scanning }} alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository)." You can generate SARIF files using many static analysis security testing tools, including {{ site.data.variables.product.prodname_codeql }}. The results must use SARIF version 2.1.0. For more information, see "[About SARIF support for {{ site.data.variables.product.prodname_code_scanning }}](/github/finding-security-vulnerabilities-and-errors-in-your-code/about-sarif-support-for-code-scanning)." diff --git a/data/reusables/actions/registry-credentials.md b/data/reusables/actions/registry-credentials.md new file mode 100644 index 000000000000..829539de7800 --- /dev/null +++ b/data/reusables/actions/registry-credentials.md 
@@ -0,0 +1 @@ +If the image's container registry requires authentication to pull the image, you can use `credentials` to set a `map` of the `username` and `password`. The credentials are the same values that you would provide to the [`docker login`](https://docs.docker.com/engine/reference/commandline/login/) command. diff --git a/data/reusables/code-scanning/click-alert-in-list.md b/data/reusables/code-scanning/click-alert-in-list.md index 124ef024f0df..cba8e7ce2cdd 100644 --- a/data/reusables/code-scanning/click-alert-in-list.md +++ b/data/reusables/code-scanning/click-alert-in-list.md @@ -1,2 +1,2 @@ -1. Under "Code scanning", click the alert you'd like to view. +1. Under "Code scanning," click the alert you'd like to explore. ![List of alerts from {{ site.data.variables.product.prodname_code_scanning }}](/assets/images/help/repository/code-scanning-click-alert.png) diff --git a/data/reusables/code-scanning/close-alert-examples.md b/data/reusables/code-scanning/close-alert-examples.md new file mode 100644 index 000000000000..1b416f621da2 --- /dev/null +++ b/data/reusables/code-scanning/close-alert-examples.md @@ -0,0 +1 @@ +For example, an error in code that's used only for testing, or when the effort of fixing the error is greater than the potential benefit of improving the code. \ No newline at end of file diff --git a/data/reusables/code-scanning/false-positive-fix-codeql.md b/data/reusables/code-scanning/false-positive-fix-codeql.md new file mode 100644 index 000000000000..6b097eef84b2 --- /dev/null +++ b/data/reusables/code-scanning/false-positive-fix-codeql.md 
@@ -0,0 +1 @@ +If you close a {{ site.data.variables.product.prodname_codeql }} alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the {{ site.data.variables.product.prodname_codeql }} repository and improving the analysis. For more information about {{ site.data.variables.product.prodname_codeql }}, see "[Contributing to {{ site.data.variables.product.prodname_codeql }}](https://github.com/github/codeql/blob/main/CONTRIBUTING.md)." diff --git a/javascripts/wrap-code-terms.js b/javascripts/wrap-code-terms.js index e6f30260c6f6..c28a30320ca6 100644 --- a/javascripts/wrap-code-terms.js +++ b/javascripts/wrap-code-terms.js @@ -11,16 +11,21 @@ export default function () { if (!codeTerms) return codeTerms.forEach(node => { - node.innerHTML = node.innerHTML.replace(wordsLongerThan18Chars, (str) => { + // Do the wrapping on the inner text only, so we don't modify hrefs + const oldText = node.textContent + + const newText = oldText.replace(wordsLongerThan18Chars, (str) => { return str - // GraphQL code terms use camelcase + // GraphQL code terms use camelcase .replace(camelCaseChars, '$1$2') - // REST code terms use underscores - // to keep word breaks looking nice, only break on underscores after the 12th char - // so `has_organization_projects` will break after `has_organization` instead of after `has_` + // REST code terms use underscores + // to keep word breaks looking nice, only break on underscores after the 12th char + // so `has_organization_projects` will break after `has_organization` instead of after `has_` .replace(underscoresAfter12thChar, '$1_') - // Some Actions reference pages have tables with code terms separated by slashes + // Some Actions reference pages have tables with code terms separated by slashes .replace(slashChars, '$1') }) + + node.innerHTML = node.innerHTML.replace(oldText, newText) }) }
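Review bot: The new final line `node.innerHTML = node.innerHTML.replace(oldText, newText)` passes `newText` as a replacement string, so any `$&`, `` $` ``, `$'`, `$$` or `$1` sequence inside a code term is interpreted as a substitution pattern rather than inserted literally, and `$` characters are plausible in these reference pages (Actions expression syntax is `${{ ... }}`); pass a function instead, `node.innerHTML = node.innerHTML.replace(oldText, () => newText)`. The `textContent`/`innerHTML` mismatch also deserves a comment on that line: `textContent` is decoded while `innerHTML` is entity-encoded, so a term containing `&`, `<` or `>` will not match and silently stays unwrapped, and when it does match, decoded text is written back and re-parsed as markup — walking the node's text nodes and splicing in `document.createElement('wbr')` would avoid reinterpreting text as HTML at all. The replacement strings as shown here (`'$1$2'`, `'$1_'`, `'$1'`) look like no-ops, so presumably the markup they insert was lost in this rendering. The enclosing function starts before the hunk (`codeTerms`, `wordsLongerThan18Chars`, `camelCaseChars`, `underscoresAfter12thChar` and `slashChars` are defined outside it).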