Code Scanning is designed for developers first and integrates with GitHub Actions, or with your existing CI/CD environment, so teams can run it wherever their builds already run.
Here’s how Code Scanning automates security as part of your workflow: it scans code as it is written and surfaces actionable security findings in pull requests and the other GitHub experiences you use every day, so that vulnerabilities “never make it to production in the first place.”
Code Scanning works by raising an alert in the repository when an analysis detects a potential vulnerability or error in your code. Once the code is fixed and a later analysis of that branch no longer reports the finding, the alert is closed automatically; alerts close because the finding disappears from the next scan, not because a commit is marked as a fix.
Code Scanning is powered by CodeQL. Developers are free to use the 2,000+ CodeQL queries created by GitHub and the community, or create custom queries to find and prevent new security concerns.
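The following workflow is an added example, not code from the original page or from GitHub's own starter workflow: it shows the Actions integration described above (scan on push and on pull requests, results surfaced as code scanning alerts) and wires in a directory of custom CodeQL queries alongside GitHub's `security-extended` suite. The branch name `main`, the language matrix, the action version tags and the custom query path `./codeql/custom-queries` are assumptions; adjust them to your repository, and make sure the directory actually contains `.ql` files or a `.qls` suite, otherwise the init step fails.

```yaml
# Added example workflow (not from the original page). Assumes the repository
# keeps custom CodeQL queries under ./codeql/custom-queries and that its
# default branch is called main.
name: "CodeQL code scanning"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Weekly full scan so newly published queries run against unchanged code.
    - cron: '30 1 * * 0'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source
      actions: read           # needed on private repos to read workflow metadata
      security-events: write  # required to upload SARIF and create alerts

    strategy:
      fail-fast: false
      matrix:
        # Assumed languages; one job per language keeps failures isolated.
        language: [ 'javascript', 'python' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Leading "+" adds to the default query set instead of replacing it:
          # GitHub's security-extended suite plus the repository's own queries.
          queries: +security-extended,./codeql/custom-queries

      # Builds compiled languages automatically; harmless for interpreted ones.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so each upload updates its own
          # alerts rather than overwriting the other language's results.
          category: "/language:${{ matrix.language }}"
```

Two points worth checking before relying on this: `security-events: write` is what lets the analyze step upload results and create or close alerts, so a workflow without it runs the queries but shows nothing in the repository; and because alerts are closed when the next analysis on that branch no longer reports them, a custom query that is removed from the `queries:` list will cause its open alerts to be closed on the next run, which is easy to mistake for the issues having been fixed.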
Code Scanning is free for public repositories.