
GitHub Code Scanning — How to set with YAML file

Maciej
3 min read · Oct 14, 2020

Introduction

GitHub Code Scanning was released to the public in September.

While reading the official documentation, I summarized the parts I actually used in this article.

What is GitHub Code Scanning?

GitHub Code Scanning is a service that automatically detects vulnerabilities in your code, built on CodeQL, the analysis engine that GitHub acquired.

How to use GitHub Code Scanning?

The official GitHub docs only walk through the setup in the Web UI, as usual, but since Code Scanning is just a GitHub Action, you can enable it by placing a YAML workflow file in your .github/workflows directory. An example configuration that uses the default CodeQL setup of Code Scanning is as follows.

name: CodeQL

on: [push, pull_request]

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v2
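A complete workflow of the same shape, added here as an example and not taken from the article: it adds the init/autobuild/analyze steps from the github/codeql-action repository and a permissions block so the job token can only read the checkout and write code scanning results. The language list, branch name, cron schedule and action version tags (@v2 for codeql-action, @v3 for checkout) are my own choices for the example.

```yaml
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'   # weekly run so newly added queries also get applied

# Least privilege for the job token: only what uploading alerts requires
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # keep scanning other languages if one fails
      matrix:
        language: [ 'javascript', 'python' ]   # assumed languages of the repo
    steps:
      - uses: actions/checkout@v3

      # Set up the CodeQL tools for the language of this matrix entry
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Optional: the broader security suite instead of the default set
          queries: security-extended

      # Builds compiled languages; effectively a no-op for interpreted ones
      - uses: github/codeql-action/autobuild@v2

      # Run the queries and upload SARIF results as code scanning alerts;
      # the category keeps results of each language separate
      - uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Results appear under the repository's Security tab, and pull requests from the matching branch get alert annotations on the changed lines.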

Written by Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.