Security and code quality documentation - GitHub Docs