Skip to main content

Enterprise Server 3.15 is currently available as a release candidate.

Viewing metrics for pull request alerts

You can use security overview to see how CodeQL is performing in pull requests for repositories across your organizations, and to identify repositories where you may need to take action.

Who can use this feature?

Access requires:

  • Organization views: write access to repositories in the organization
  • Enterprise views: organization owners and security managers

About CodeQL pull request alerts metrics

The metrics overview for CodeQL pull request alerts helps you to understand how well CodeQL is preventing vulnerabilities in your organizations. You can use the metrics to assess how CodeQL is performing in pull requests, and to easily identify the repositories where you may need to take action in order to identify and reduce security risks.

The overview shows you a summary of how many vulnerabilities prevented by CodeQL have been caught in pull requests. The metrics are only tracked for pull requests that have been merged into the default branches of repositories in your organizations.

You can also find more granular metrics, such as how many alerts were fixed, how many were unresolved and merged, and how many were dismissed as false positive or as risk accepted.

You can also view:

  • The rules that are causing the most alerts, and how many alerts each rule is associated with.

  • The number of alerts that were merged into the default branch without resolution, and the number of alerts dismissed as an acceptable risk.

You can apply filters to the data. The metrics are based on activity from the default period or your selected period.

Note

Metrics for Copilot Autofix are omitted because Copilot Autofix is available only on GitHub cloud platforms.

Viewing CodeQL pull request alerts metrics for an organization

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, under "Metrics", click CodeQL pull request alerts.

  4. Optionally, use the date picker to set the time range. The date picker will show data based on the pull request alerts' creation dates.

  5. Optionally, apply filters in the search box at the top of the page.

  6. Alternatively, you can open the advanced filter dialog:

    • At the top of the page, next to the search box, click Filter.
    • Click Add a filter, then select a filter from the dropdown menu.
    • To search for repositories matching the selected filter, fill out the available fields for that filter, then click Apply. You can repeat this process to add as many filters as you would like to your search.
    • Optionally, to remove a filter from your search, click Filter. In the row of the filter you want to remove, click , then click Apply.

Viewing CodeQL pull request alerts metrics for your enterprise

You can also view metrics for CodeQL alerts in pull requests across organizations in your enterprise.

Tip

You can use the owner filter in the search field to filter the data by organization. For more information, see "Filtering alerts in security overview."

  1. Navigate to GitHub Enterprise Cloud.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. On the left side of the page, in the enterprise account sidebar, click Code Security.

  5. In the sidebar, under "Metrics", click CodeQL pull request alerts.