jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-20 10:28:40 -05:00
Code Issues Projects Releases Wiki Activity
Files
9608f7ebae16dc3817dea0417aa522e80b71d5f6
docs/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md
Laura Coursen 7fcca69bf0 Even more CommonMark fixes (#42177)
2023-09-07 17:42:16 +00:00

12 KiB
Raw Blame History

title, shortTitle, intro, redirect_from, product, permissions, type, topics, versions
title shortTitle intro redirect_from product permissions type topics versions
Configuring default setup for code scanning Configure code scanning You can quickly secure code in your repository with default setup for {% data variables.product.prodname_code_scanning %}.
/github/managing-security-vulnerabilities/configuring-automated-code-scanning
/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning
/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
/github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository
/code-security/secure-coding/setting-up-code-scanning-for-a-repository
/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
/code-security/secure-coding/configuring-code-scanning-for-a-repository
/github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning
{% data reusables.gated-features.code-scanning %} People with admin permissions to a repository, or the security manager role for the repository, can configure {% data variables.product.prodname_code_scanning %} for that repository. how_to
Advanced Security
Code scanning
feature
code-scanning-without-workflow

About default setup

Default setup for {% data variables.product.prodname_code_scanning %} is the quickest, easiest, most low-maintenance way to enable {% data variables.product.prodname_code_scanning %} for your repository. Based on the code in your repository, default setup will automatically create a custom {% data variables.product.prodname_code_scanning %} configuration. After enabling default setup, the code in your repository will be scanned:

  • on each push to the repository's default branch, or any protected branch. For more information on protected branches, see "AUTOTITLE."
  • when creating or committing to a pull request based against the repository's default branch, or any protected branch.{% ifversion default-setup-scan-on-schedule %}
  • on a weekly schedule.

{% note %}

Note: If no pushes and pull requests have occured in a repository for 60 days, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.

{% endnote %} {% endif %}

You can enable the automatically selected configuration of default setup to start scanning your code as soon as possible, or you can customize aspects of the configuration to better meet your {% data variables.product.prodname_code_scanning %} needs. If you choose to customize the configuration yourself, you can select:{% ifversion code-scanning-without-workflow-310 %}

  • the languages default setup will analyze.{% endif %}
  • the query suite default setup will run. For more information, see "AUTOTITLE."

{% ifversion org-enable-code-scanning %}You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "AUTOTITLE."{% endif %}

If you need more granular control over your {% data variables.product.prodname_code_scanning %} configuration, you should instead configure advanced setup. For more information, see "AUTOTITLE."

Requirements for using default setup

Your repository is eligible for default setup for {% data variables.product.prodname_code_scanning %} if:{% ifversion code-scanning-without-workflow-310 %}

  • it includes at least one {% data variables.product.prodname_codeql %}-supported language{% ifversion codeql-swift-advanced-setup %} aside from Swift{% endif %}.{% else %}
  • it includes only the following {% data variables.product.prodname_codeql %}-supported languages: {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.{% endif %}
  • {% data variables.product.prodname_actions %} are enabled.{% ifversion fpt %}
  • it is publicly visible.{%- elsif ghec %}
  • it is publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes or ghae %}
  • {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}

{% ifversion ghae %} For {% data variables.product.product_name %}, before configuring {% data variables.product.prodname_code_scanning %} for a repository, you must ensure that there is at least one self-hosted {% data variables.product.prodname_actions %} runner available to the repository.

Enterprise owners, organization and repository administrators can add self-hosted runners. For more information, see "AUTOTITLE" and "AUTOTITLE." {% endif %}

You can use default setup if your repository includes languages that aren't supported by {% data variables.product.prodname_codeql %}, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "AUTOTITLE."

{% ifversion code-scanning-without-workflow-310 %}

About adding {% ifversion code-scanning-default-setup-automatic-311 %}non-compiled and {% endif %}compiled languages to your default setup

{% ifversion code-scanning-default-setup-automatic-311 %} If the code in a repository changes to include {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. {% endif %}

Compiled languages are not automatically included in default setup configuration because they often require more advanced configuration, but you can manually select any {% data variables.product.prodname_codeql %}-supported compiled language{% ifversion codeql-swift-advanced-setup %} other than Swift{% endif %} for analysis.

{% endif %}

Configuring default setup for a repository

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.user-settings.security-analysis %}

  1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, select Set up {% octicon "triangle-down" aria-hidden="true" %}, then click Default.

    Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "Code security and analysis" settings. The "Default setup" button is highlighted with an orange outline.

    You will then see a "{% data variables.product.prodname_codeql %} default configuration" dialog summarizing the {% data variables.product.prodname_code_scanning %} configuration automatically created by default setup.

    {% ifversion code-scanning-without-workflow-310 %} {% note %}

    Note: If your repository contains only compiled {% data variables.product.prodname_codeql %}-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration.

    {% endnote %}

  2. Optionally, to customize your {% data variables.product.prodname_code_scanning %} setup, click {% octicon "pencil" aria-hidden="true" %} Edit.

    • To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. If you would like to analyze a {% data variables.product.prodname_codeql %}-supported compiled language with default setup, select that language here.
    • To specify the {% data variables.product.prodname_codeql %} query suite you would like to use, select your preferred query suite in the "Query suites" section.

{%- else -%}

  1. Optionally, in the "Query suites" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select the Default {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click the {% data variables.product.prodname_codeql %} query suite you would like to use.

    Screenshot of the modal for default setup. A button labeled "Default", with an arrow indicating a dropdown menu, is outlined in dark orange.

    If you choose the Extended query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the Default query suite. For more information on the available query suites, see "AUTOTITLE."

    {% note %}

    Note: If you configure {% data variables.product.prodname_code_scanning %} to use the Extended query suite, you may experience a higher rate of false positive alerts.

    {% endnote %} {%- endif %}

  2. Review the settings for default setup on your repository, then click Enable {% data variables.product.prodname_codeql %}. This will trigger a workflow that tests the new, automatically generated configuration.

    {% note %}

    Note: If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing {% data variables.product.prodname_code_scanning %} configurations. This warning means default setup will disable the existing workflow file and block any {% data variables.product.prodname_codeql %} analysis API uploads.

    {% endnote %}

  3. Optionally, to view your default setup configuration after enablement, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} View {% data variables.product.prodname_codeql %} configuration.

Next steps

After you configure default setup for {% data variables.product.prodname_code_scanning %}, and your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see "AUTOTITLE" and "AUTOTITLE."

You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "AUTOTITLE."

When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see "AUTOTITLE."

Reference in New Issue View Git Blame Copy Permalink