Skip to main content

Configuring self-hosted runners for code scanning in your enterprise

You can enable, configure, and disable code scanning for GitHub Enterprise Cloud without GitHub-hosted runners. Code scanning allows users to scan code for vulnerabilities and errors.

Who can use this feature?

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Enterprise Cloud with GitHub Advanced Security enabled

Provisioning a self-hosted runner

Notes:

GitHub Enterprise Cloud can run code scanning using a GitHub Actions workflow. First, you need to provision one or more self-hosted GitHub Actions runners in your environment. You can provision self-hosted runners at the repository, organization, or enterprise account level. See "About self-hosted runners" and "Adding self-hosted runners."

If you are provisioning a self-hosted runner for CodeQL analysis, your runner must use a CodeQL-supported operating system version and CPU architecture. See the CodeQL system requirements.

If you are using default setup for code scanning, assign the code-scanning label to your self-hosted runner. For more information about using labels with self-hosted runners, see "Using labels with self-hosted runners." For more information about using default setup for code scanning analysis of compiled languages, see "CodeQL code scanning for compiled languages."

You must ensure that Git is in the PATH variable on any self-hosted runners you use to run CodeQL actions.

Note: If you use CodeQL code scanning to analyze code written in Python in your enterprise, you must make sure that your self-hosted runner has Python 3 installed.