---
title: Configuring code scanning at scale using CodeQL
shortTitle: Configure CodeQL at scale
intro: 'You can configure {% data variables.product.prodname_code_scanning %} for eligible repositories in your organization using default setup for {% data variables.product.prodname_codeql %} or use a script to configure advanced setup for a specific group of repositories.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
type: how_to
topics:
allowTitleToDifferFromFilename: true
---
## About configuring {% data variables.product.prodname_code_scanning %} in multiple repositories

There are multiple ways to configure {% data variables.product.prodname_code_scanning %} in multiple repositories at the same time. The best method to use depends on the analysis needs of the repositories:

- Use default setup for {% data variables.product.prodname_codeql %} when the repositories are eligible for default setup and are owned by an organization.
- Use a script to configure advanced setup when the group of repositories has similar configuration needs for {% data variables.product.prodname_codeql %} advanced setup.
In addition, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.
## Eligible repositories for {% data variables.product.prodname_codeql %} default setup
{% data reusables.code-scanning.beta-org-enable-all %}
{% ifversion code-security-multi-repo-enablement %}
You can use security overview to find a set of repositories and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see "AUTOTITLE."
You can also use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.
{% data reusables.code-scanning.default-setup-automatic %}
{% else %}
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.
{% data reusables.code-scanning.default-setup-automatic %}
{% endif %}
### Eligibility criteria for organization-level enablement
A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.
{% ifversion code-scanning-without-workflow-310 %}
- {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
- {% data variables.product.prodname_actions %} are enabled.
- Uses {% ifversion code-scanning-default-setup-go %} Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.{% ifversion fpt %}
- Publicly visible.{%- elsif ghec %}
- Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes or ghae %}
- {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}
{% else %}
- {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
- {% data variables.product.prodname_actions %} are enabled.
- Uses {% ifversion code-scanning-default-setup-go %} Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.
- Does not use any other languages supported by {% data variables.product.prodname_codeql %}, but may include other languages, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "AUTOTITLE."
- {% ifversion fpt %}Publicly visible. {%- elsif ghec %}Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled. {%- elsif ghes or ghae %}{% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}
{% endif %}
{% data reusables.code-scanning.limitation-org-enable-all %}
For more information about default setup, see "AUTOTITLE." For information on editing security and analysis settings for an organization, see "AUTOTITLE."
{% ifversion security-overview-org-risk-coverage %}
### Finding repositories that are eligible for default setup
You can use the "Security coverage" view in security overview to show repositories in your organization that are eligible for default setup.
- {% data reusables.organizations.navigate-to-org %}
- {% data reusables.organizations.security-overview %}
- In the sidebar, click {% octicon "meter" aria-hidden="true" %} Coverage to display the "Security coverage" view.
- In the search bar, enter one of the following queries:
{%- ifversion ghec %}
- `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
- `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
- `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- elsif ghes or ghae %}
- `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
- `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- endif %}
- `code-scanning-default-setup:not-eligible` shows repositories that either have advanced setup configured already, or where the languages are not suitable for default setup.
{% ifversion code-security-multi-repo-enablement %}
You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for them all at the same time. For more information, see "AUTOTITLE."
{% endif %}
{% endif %}
## Using a script to configure advanced setup
For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.
- Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
- Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see "AUTOTITLE."
- Use one of the example scripts to create a custom script that adds the workflow to each repository in the group.
  - PowerShell example: `jhutchings1/Create-ActionsPRs` repository
  - NodeJS example: `nickliffen/ghas-enablement` repository
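The procedure above, as an added shell example that is not part of this page and is not one of the linked PowerShell or NodeJS scripts. It assumes the `gh` CLI is installed and authenticated with write access to each repository, that each repository's default branch is `main`, and that the group shares one CodeQL configuration (here, the `security-extended` query suite). The repository list, branch name and workflow contents are constructed for illustration. The workflow is delivered as a pull request rather than pushed to the default branch, so existing branch protection and review rules still apply, and the workflow grants only the `contents: read` and `security-events: write` permissions the CodeQL action needs.

```shell
#!/usr/bin/env bash
# Added example: bulk-add a CodeQL advanced-setup workflow to a group of
# repositories and open a pull request in each one.
# Assumptions (not from the page): `gh` is authenticated, default branch is
# `main`, and DRY_RUN=1 is used to review the commands before running for real.
set -eu

# Render the shared CodeQL workflow for a comma-separated list of CodeQL
# language identifiers (for example "java-kotlin" or "javascript-typescript,python").
# Runs on push, pull request and a weekly schedule so drift is caught.
codeql_workflow() {
  languages="$1"
  cat <<EOF
name: "CodeQL (advanced setup)"
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '17 3 * * 1'
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ ${languages} ]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: \${{ matrix.language }}
          queries: security-extended
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:\${{ matrix.language }}"
EOF
}

# Run a command, or only print it when DRY_RUN=1, so the change set can be
# reviewed before the script touches real repositories.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Clone one repository, add the workflow on a new branch and open a PR.
add_workflow_to_repo() {
  repo="$1"
  languages="$2"
  branch="codeql-advanced-setup"   # hypothetical branch name
  workdir="$(mktemp -d)"
  run gh repo clone "$repo" "$workdir" -- --depth 1
  mkdir -p "$workdir/.github/workflows"
  codeql_workflow "$languages" > "$workdir/.github/workflows/codeql.yml"
  run git -C "$workdir" checkout -b "$branch"
  run git -C "$workdir" add .github/workflows/codeql.yml
  run git -C "$workdir" commit -m "Add CodeQL advanced setup workflow"
  run git -C "$workdir" push -u origin "$branch"
  run gh pr create --repo "$repo" --head "$branch" \
    --title "Enable CodeQL code scanning (advanced setup)" \
    --body "Adds the shared CodeQL workflow for ${languages}."
  rm -rf "$workdir"
}

# Constructed input: one repository per line, "owner/repo languages".
REPOS='example-org/billing-service java-kotlin
example-org/web-frontend javascript-typescript
example-org/data-pipeline python'

# Apply add_workflow_to_repo to every non-empty line of a repository list.
bulk_enable() {
  printf '%s\n' "$1" | while read -r repo languages; do
    [ -n "$repo" ] || continue
    add_workflow_to_repo "$repo" "$languages"
  done
}

# Usage: DRY_RUN=1 ./bulk-codeql.sh repos.txt   (review), then without DRY_RUN.
# The file has the same "owner/repo languages" format as REPOS above.
if [ "$#" -gt 0 ]; then
  bulk_enable "$(cat "$1")"
fi
```

Before removing `DRY_RUN=1`, review the printed commands and the rendered workflow once with `codeql_workflow java-kotlin`; the same group-of-repositories idea extends to any other shared setting (a custom `config-file`, self-hosted runner labels) by editing `codeql_workflow` only.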