by eloisant 4229 days ago
So you have to launch it locally? Can't it observe changes on a public git repository and run it after each commit?

You can run on a hosted continuous integration service, such as Travis CI. The documentation is a little thin right now, but we will add this to the docs soon.
Why upload the code if you can git clone it?
Only if it comes from a repo that's hosted somewhere (i.e., not behind a firewall). Code Spotter is not restricted to GitHub, git, or any other particular SCM. If the code can be built, it can be analyzed.
Sure, but if the code is already hosted on a public git, it would be more convenient if you could simply clone it.
There's a bit more to it. It's not enough to point Code Spotter / Coverity to a pile of code; it needs to observe the actual build in order to know precisely what is built and how it is built. While for some projects you can extract that information from the build files (e.g., maven poms), there are cases where this will fail (for example, when the build generates some of the source files). The most reliable way to understand how a project is constructed is to observe an actual build.

This is particularly true for C/C++ and C#, which are not yet supported on Code Spotter, but will be in the future. This precise understanding of a project's composition is one of the many reasons Coverity's false positive rate is relatively low.