docs/content/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning-at-scale.md
Sam Browning c13a7af4cb [MVP] Refactor code scanning docs to prioritize default setup (#38572)
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Co-authored-by: Dorothy Mitchell <dorothymitchell@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Grace Park <gracepark@github.com>
2023-07-17 15:42:37 +00:00


---
title: Configuring default setup for code scanning at scale
shortTitle: Code scanning at scale
intro: 'You can quickly configure {% data variables.product.prodname_code_scanning %} for repositories across your organization using default setup.'
redirect_from:
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale
product: '{% data reusables.gated-features.code-scanning %}'
type: how_to
topics:
  - Advanced Security
  - Code scanning
versions:
  feature: code-scanning-without-workflow
---

## About configuring default setup at scale

With default setup for {% data variables.product.prodname_code_scanning %}, you can quickly secure code in repositories across your organization.

You can use the organization settings page labeled "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for all repositories in your organization that are eligible for default setup. For more information, see "Configuring default setup for all eligible repositories in an organization."

{% ifversion code-security-multi-repo-enablement %}

You can also use security overview to find a set of repositories in your organization and enable or disable default setup for all of them at the same time. For more information, see "Configuring default setup for a subset of repositories in an organization."

{% endif %}

You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see "AUTOTITLE."

For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see "AUTOTITLE."

## Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale

{% data reusables.code-scanning.beta-org-enable-all %}

A repository must meet all of the following criteria to be eligible for default setup; otherwise, you need to use advanced setup.

* {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
* {% data variables.product.prodname_actions %} are enabled.
* Uses {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.{% ifversion fpt %}
* Publicly visible.{%- elsif ghec %}
* Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes or ghae %}
* {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}
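
The eligibility criteria above, together with the scripted alternative mentioned under "About configuring default setup at scale", as an added example that is not part of this page and is not GitHub's own tooling. It evaluates the criteria against repository metadata and, for eligible repositories, issues the documented REST call that enables default setup. It assumes a `GITHUB_TOKEN` with admin access to the organization's repositories, the REST endpoints named in the docstring, that a default-setup state other than `configured` means code scanning is not yet enabled (repositories with an existing advanced-setup workflow must be excluded separately), and that Go is among the supported languages; the product variant (`fpt`, `ghec`, `ghes`, `ghae`) is passed in to mirror the version conditions in the list.

```python
"""Added example, not code from this page or from GitHub: apply the
eligibility criteria for CodeQL default setup to repository metadata and,
for eligible repositories, build the REST call that enables default setup.

Assumptions (none of these are stated on the page):
* Metadata comes from the documented REST endpoints
  GET /repos/{owner}/{repo}, GET /repos/{owner}/{repo}/languages,
  GET /repos/{owner}/{repo}/actions/permissions and
  GET /repos/{owner}/{repo}/code-scanning/default-setup.
* "Code scanning is not already enabled" is approximated by the
  default-setup state not being "configured"; a repository that already
  runs an advanced-setup workflow must be excluded separately.
* Go is treated as supported; the page gates it behind a version flag.
"""
import json
import os
import sys
import urllib.error
import urllib.request

DEFAULT_SETUP_LANGUAGES = {"Go", "JavaScript", "TypeScript", "Python", "Ruby"}
API_URL = os.environ.get("GITHUB_API_URL", "https://api.github.com")


def is_eligible(repo, languages, actions_enabled, default_setup_state, product="ghec"):
    """Return (eligible, reason). `repo` is the GET /repos/{owner}/{repo} JSON,
    `languages` the GET .../languages JSON (language name -> bytes), and
    `product` one of "fpt", "ghec", "ghes" or "ghae" (the page's version flags)."""
    if default_setup_state == "configured":
        return False, "code scanning is already enabled"
    if not actions_enabled:
        return False, "GitHub Actions is disabled"
    if not DEFAULT_SETUP_LANGUAGES & set(languages):
        return False, "no language supported by default setup"
    public = repo.get("visibility") == "public"
    ghas_enabled = (
        repo.get("security_and_analysis", {})
        .get("advanced_security", {})
        .get("status") == "enabled"
    )
    if product == "fpt" and not public:
        return False, "not publicly visible"
    if product == "ghec" and not (public or ghas_enabled):
        return False, "private or internal without GitHub Advanced Security"
    if product in ("ghes", "ghae") and not ghas_enabled:
        return False, "GitHub Advanced Security is not enabled"
    return True, "eligible"


def enable_request(owner, repo_name):
    """Method, URL and body for the 'update a code scanning default setup
    configuration' endpoint. Only `state` is sent, so GitHub detects the
    languages itself, as it does when you enable default setup in the UI."""
    url = f"{API_URL}/repos/{owner}/{repo_name}/code-scanning/default-setup"
    return "PATCH", url, {"state": "configured"}


def _call(method, url, token, body=None):
    """Minimal authenticated REST call; returns the decoded JSON body or {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def enable_for_org(owner, token, product="ghec", dry_run=True):
    """Visit every repository in the organization and enable default setup on
    the eligible ones (unless dry_run). Returns {repo name: reason}."""
    report, page = {}, 1
    while True:
        repos = _call("GET", f"{API_URL}/orgs/{owner}/repos?per_page=100&page={page}", token)
        if not repos:
            return report
        for repo in repos:
            base = f"{API_URL}/repos/{owner}/{repo['name']}"
            languages = _call("GET", f"{base}/languages", token)
            actions = _call("GET", f"{base}/actions/permissions", token)
            try:
                state = _call("GET", f"{base}/code-scanning/default-setup", token).get("state")
            except urllib.error.HTTPError:
                state = None  # endpoint unavailable (for example, no GHAS): treat as not configured
            ok, reason = is_eligible(repo, languages, actions.get("enabled", False), state, product)
            report[repo["name"]] = reason
            if ok and not dry_run:
                method, url, body = enable_request(owner, repo["name"])
                _call(method, url, token, body)
        page += 1


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python enable_default_setup.py ORG [--apply]
    results = enable_for_org(sys.argv[1], os.environ["GITHUB_TOKEN"],
                             dry_run="--apply" not in sys.argv)
    for name, reason in sorted(results.items()):
        print(f"{name}: {reason}")
```

Run it once without `--apply` to get a per-repository report of why each repository is or is not eligible, and compare that report with the `code-scanning-default-setup:eligible` filter in security overview before applying changes. Repositories that already run an advanced-setup workflow report a default-setup state of `not-configured` and so are not caught by the first check; exclude them from the run, because enabling default setup on them replaces the workflow-based configuration.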

{% ifversion code-scanning-default-setup-automatic-311 %}

### About adding languages to an existing default setup configuration

If the code in a repository changes to include {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby, {% data variables.product.prodname_dotcom %} automatically updates the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} automatically reverts to the previous configuration, so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage.

{% endif %}

{% ifversion org-enable-code-scanning %}

## Configuring default setup for all eligible repositories in an organization

Through the "Code security and analysis" page of your organization's settings, you can enable default setup for all eligible repositories in your organization. For more information on repository eligibility, see "Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale."

{% data reusables.code-scanning.beta-org-enable-all %}

1. Click your profile photo, then click **Organizations**.
2. Click **Settings** next to your organization.
3. Click **Code security & analysis**.
4. Click **Enable all** or **Disable all** next to {% data variables.product.prodname_code_scanning_caps %}.
5. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" or "Disable {% data variables.product.prodname_code_scanning %}" dialog box that is displayed, click **Enable for eligible repositories** or **Disable {% data variables.product.prodname_code_scanning %}** to confirm the change.

{% else %}

{% data variables.product.prodname_code_scanning_caps %} is configured at the repository level. For more information, see "AUTOTITLE."

{% endif %}

{% ifversion code-security-multi-repo-enablement %}

## Configuring default setup for a subset of repositories in an organization

Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see "Eligible repositories for {% data variables.product.prodname_codeql %} default setup at scale."

### Finding repositories that are eligible for default setup

{% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.security-overview %} {% data reusables.security-overview.security-overview-coverage-view %}

  1. In the search bar, enter one of the following queries:

{%- ifversion ghec %}
   * `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
   * `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
   * `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- elsif ghes or ghae %}
   * `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
   * `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- endif %}
   * `code-scanning-default-setup:not-eligible` shows repositories that either already have advanced setup configured, or whose languages are not suitable for default setup.

{% ifversion code-security-multi-repo-enablement %}

You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for {% data variables.product.prodname_code_scanning %} for all of them at the same time. For more information, see the steps for selecting repositories in "Configuring default setup at scale for multiple repositories in an organization."

{% endif %}

### Configuring default setup at scale for multiple repositories in an organization

{% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.security-overview %} {% data reusables.security-overview.security-overview-coverage-view %}

1. Optionally, use the search bar to narrow down the repositories shown in the "Security coverage" view by name, or by the enablement status of security features. For example, to filter for repositories that are eligible for default setup and do not currently have default setup enabled, search for `code-scanning-default-setup:eligible`.
2. In the list of repositories, select each repository you want to enable {% data variables.product.prodname_code_scanning %} for. To select all repositories on the page, click the checkbox next to **NUMBER Active**. To select all repositories that match the current search, click the checkbox next to **NUMBER Active** and then click **Select all NUMBER repos**.
3. Click **Security settings** next to **NUMBER selected**.
4. In the side panel, in the "{% data variables.product.prodname_codeql %} Default Setup" section, click **No change** to open the dropdown menu, then click **Enable**.
5. To confirm the enablement of {% data variables.product.prodname_code_scanning %} for the selected repositories, click **Apply changes NUMBER**. Alternatively, to change which repositories are selected for {% data variables.product.prodname_code_scanning %} enablement, click {% octicon "x" aria-label="Close" %} to close the panel without applying your changes.

*(Screenshot: the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted with a dark orange outline.)*

If an enterprise policy blocks you from enabling {% data variables.product.prodname_code_scanning %}, you can still see the affected repository in the "Security coverage" view and open the side panel from the {% octicon "gear" aria-hidden="true" %} **Security settings** button. However, the side panel shows a message that you cannot enable {% data variables.product.prodname_code_scanning %} for the selected repositories. For more information about enterprise policies, see "AUTOTITLE."

{% endif %}