Configuring default setup for code scanning at scale

You can quickly configure code scanning for repositories across your organization using default setup.

¿Quién puede utilizar esta característica?

Propietarios de la organización, administradores de seguridad y miembros de la organización con el rol de administrador

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server, with GitHub Code Security enabled.

En este artículo

About configuring default setup at scale

With default setup for code scanning, you can quickly secure code in repositories across your organization.

You can enable code scanning for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in CodeQL-supported languages in repositories in the organization will be scanned:

  • On each push to the repository's default branch, or any protected branch. For more information on protected branches, see Acerca de las ramas protegidas.
  • When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.
  • On a weekly schedule.

For more information, see Configuring default setup for all eligible repositories in an organization.

For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see Configuring advanced setup for code scanning with CodeQL at scale.

Eligible repositories for CodeQL default setup at scale

A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.

  • Advanced setup for code scanning is not already enabled.
  • GitHub Actions está habilitado.
  • Es visible públicamente o GitHub Code Security se ha habilitado.

Se recomienda habilitar la configuración predeterminada para repositorios aptos si hay alguna posibilidad de que los repositorios incluyan al menos un lenguaje compatible con CodeQL en el futuro. Si habilitas la configuración predeterminada en un repositorio que no incluya ningún lenguaje compatible con CodeQL, la configuración predeterminada no ejecutará ningún análisis ni usará ningún minuto de GitHub Actions. Si los idiomas compatibles con CodeQL se agregan a la reama predeterminada del repositorio, la configuración predeterminada comenzará automáticamente a analizar los idiomas compatibles con CodeQL y a usar minutos de GitHub Actions. Para más Información sobre los lenguajes compatibles con CodeQL, consulta Acerca del examen de código con CodeQL.

About adding languages to an existing default setup configuration

If the code in a repository changes to include a CodeQL-supported language, GitHub will automatically update the code scanning configuration to include the new language. If code scanning fails with the new configuration, GitHub will resume the previous configuration automatically so the repository does not lose code scanning coverage.

Providing default setup access to private registries

When a repository uses code stored in a private registry, default setup needs access to the registry to work effectively. For more information, see Giving security features access to private registries.

Configuring default setup for all eligible repositories in an organization

You can enable default setup for all eligible repositories in your organization. For more information, see Habilitación de características de seguridad a gran escala.

Extending CodeQL coverage in default setup

Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see Editar la configuración predeterminada.

Configuring default setup for a subset of repositories in an organization

You can filter for specific repositories you would like to configure default setup for. For more information, see Applying a custom security configuration.

Configuring merge protection for all repositories in an organization

You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:

  • Una herramienta necesaria encontró una alerta code scanning de una gravedad definida en un conjunto de reglas.
  • Un análisis de la herramienta code scanning requerida todavía está en curso.
  • Una herramienta code scanning requerida no está configurada para el repositorio.

For more information, see Establecimiento de la protección contra la fusión de análisis de códigos. For more general information about rulesets, see Acerca de los conjuntos de reglas.