
Code scanning merge protection

Code scanning rules in a ruleset block pull requests that carry unresolved code scanning alerts from being merged.

Who can use this feature?

Repository administrators and organization owners

Rulesets are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, and GitHub Enterprise Cloud. For more information, see GitHub's plans.

Rulesets for code scanning merge protection

A ruleset is a named list of rules that control how people can interact with branches and tags in your repositories. You can add code scanning rules to rulesets to prevent pull requests from being merged when any of the following conditions are met:

  • A required tool has found a code scanning alert at or above the severity threshold set in the ruleset.
  • The analysis run by a required code scanning tool is still in progress.
  • A required code scanning tool is not configured for the repository.

Typically, you should use code scanning merge protection on long-lived feature branches, where you want to guarantee that code has been analyzed before pull requests can be merged.

Configuring a code scanning rule does not enable code scanning by itself; a rule that requires a tool which is not set up will simply block every pull request. To learn how to enable code scanning, see Configuring default setup for code scanning.

Note

Availability

You can set code scanning merge protection with rulesets:

  • At the repository level
  • At the organization level (GitHub Enterprise plans only)

Exceptions and limitations

Merge protection with rulesets will not apply to:

  • Merge queue groups
  • Dependabot pull requests analyzed by default setup

Additionally, an alert only blocks a merge when every line of code it identifies is part of the pull request diff; an alert whose locations fall partly outside the diff does not count. For more information, see SARIF support for code scanning.
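To make the three blocking conditions listed under "Rulesets for code scanning merge protection" and the diff limitation above concrete, here is an added example (not GitHub's own code or API implementation). It builds a ruleset body in the shape the REST rulesets API is assumed to accept (rule type `code_scanning`, `code_scanning_tools`, `security_alerts_threshold`, `alerts_threshold`; check the field names against the API reference before posting it) and then evaluates the conditions locally against a constructed scan state. The `Alert` and `ScanState` structures, the severity ladder and the threshold names are assumptions made for the simulation; only the security severity threshold is modelled.

```python
"""Local simulation of code scanning merge protection (added example)."""
from dataclasses import dataclass, field

# Assumed severity ladder, least to most severe.
SECURITY_SEVERITIES = ["low", "medium", "high", "critical"]

# Assumed threshold names, mapped to the lowest severity that blocks a merge.
# None means alerts never block on security severity.
SECURITY_THRESHOLDS = {
    "none": None,
    "critical": "critical",
    "high_or_higher": "high",
    "medium_or_higher": "medium",
    "all": "low",
}


def ruleset_payload(tool="CodeQL", security_threshold="high_or_higher",
                    branch="main"):
    """Ruleset body for POST /repos/{owner}/{repo}/rulesets (assumed schema)."""
    return {
        "name": f"Require {tool} results on {branch}",
        "target": "branch",
        "enforcement": "active",
        "conditions": {"ref_name": {"include": [f"refs/heads/{branch}"],
                                    "exclude": []}},
        "rules": [{
            "type": "code_scanning",
            "parameters": {"code_scanning_tools": [{
                "tool": tool,
                "security_alerts_threshold": security_threshold,
                # Threshold for non-security alerts (errors/warnings);
                # not modelled by blocking_reasons() below.
                "alerts_threshold": "errors",
            }]},
        }],
    }


@dataclass(frozen=True)
class Alert:
    tool: str
    security_severity: str
    lines: frozenset  # (path, line) pairs the alert points at


@dataclass
class ScanState:
    """Constructed view of a pull request as the merge check would see it."""
    configured_tools: set = field(default_factory=set)
    running_tools: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    diff_lines: set = field(default_factory=set)  # (path, line) pairs in the diff


def blocking_reasons(tool, security_threshold, state):
    """Return why the merge is blocked; an empty list means it may proceed."""
    reasons = []
    if tool not in state.configured_tools:
        reasons.append(f"{tool} is not configured for this repository")
    if tool in state.running_tools:
        reasons.append(f"{tool} analysis is still in progress")
    floor = SECURITY_THRESHOLDS[security_threshold]
    if floor is None:
        return reasons
    floor_rank = SECURITY_SEVERITIES.index(floor)
    for alert in state.alerts:
        if alert.tool != tool:
            continue  # only alerts from the required tool count
        if SECURITY_SEVERITIES.index(alert.security_severity) < floor_rank:
            continue  # below the ruleset's severity threshold
        if not alert.lines <= state.diff_lines:
            continue  # some alert lines lie outside the PR diff: no block
        reasons.append(f"{tool} found a {alert.security_severity} alert in the diff")
    return reasons


def merge_allowed(tool, security_threshold, state):
    return not blocking_reasons(tool, security_threshold, state)


if __name__ == "__main__":
    # Constructed sample: one high alert fully inside the diff, one critical
    # alert that also points at a line the PR did not touch.
    diff = {("src/app.py", 10), ("src/app.py", 11), ("src/util.py", 3)}
    in_diff = Alert("CodeQL", "high", frozenset({("src/app.py", 10)}))
    partly_outside = Alert("CodeQL", "critical",
                           frozenset({("src/util.py", 3), ("src/util.py", 40)}))
    state = ScanState({"CodeQL"}, set(), [in_diff, partly_outside], diff)
    for reason in blocking_reasons("CodeQL", "high_or_higher", state):
        print("blocked:", reason)
```

Run as a script, the sample blocks on the high alert only: the critical alert is more severe, but one of its locations is outside the diff, so by the limitation above it does not count. Lowering the threshold to `none` or raising it to `critical` lets the same pull request through, which is why the threshold should be chosen per branch rather than copied between rulesets.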

Next steps

To configure a ruleset that requires code scanning results, see Set code scanning merge protection.