About the problem
When you apply a security configuration in which code scanning is set to "Enabled with advanced setup allowed", each repository is checked for an existing, active advanced setup:
- No change to code scanning if an active advanced setup configuration is detected.
- Default setup is enabled for repositories where advanced setup is inactive or absent.
Inactive or absent advanced setup
Advanced setup is considered inactive for a repository if the repository meets any of the following criteria:
- The last CodeQL analysis was more than 90 days ago.
- All CodeQL configurations have been deleted.
- The workflow file has been deleted or disabled (applies only to advanced setup run using GitHub Actions).
Solving the problem
This solution has two parts:
- Any repository where default setup for code scanning was unexpectedly applied needs to run CodeQL analysis at intervals of less than 90 days, for example, once a month. Even if the repository is not under active development, updates to the CodeQL analysis may identify new vulnerabilities in unchanged code.
- Once all of the affected repositories have CodeQL analysis running again, you can reapply the security configuration.
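The following workflow is an added example, not text from the original page, showing one way to keep an advanced setup active between pushes: a scheduled CodeQL run. The monthly cron expression and the `javascript-typescript` language are illustrative choices; adjust them to the repository. Any schedule that runs more often than every 90 days satisfies the criterion above.

```yaml
# Added example: CodeQL advanced setup workflow with a monthly scheduled run.
# The schedule keeps the date of the last CodeQL analysis well inside the 90-day
# window even when nothing is pushed, so the repository keeps counting as an
# active advanced setup and default setup is not applied over it.
name: "CodeQL (advanced setup)"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # 03:17 UTC on the 1st of every month (illustrative; any interval under 90 days works)
    - cron: "17 3 1 * *"

permissions:
  contents: read          # check out the source
  security-events: write  # upload SARIF results to code scanning
  actions: read           # required by codeql-action on private repositories

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # Placeholder: set to the language(s) actually present in the repository.
          languages: javascript-typescript

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"
```

Two checks before reapplying the configuration: scheduled triggers only run from the default branch, so the workflow file must be committed there, and the workflow must remain enabled, since a disabled workflow file is itself one of the inactivity criteria listed above. In public repositories, GitHub automatically disables scheduled workflows after 60 days without repository activity, so a repository that is truly dormant may need its workflow re-enabled (or a manual run triggered) to stay inside the 90-day window.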