使用 CodeQL 大规模为代码扫描配置高级设置

可以使用脚本为组织中的特定存储库组配置 code scanning 的高级设置。

谁可以使用此功能?

具有管理员角色的组织所有者、安全管理员和组织成员

Code scanning 可用于以下存储库类型:

  • GitHub.com 上的公共存储库
  • GitHub Team、GitHub Enterprise Cloud 或 GitHub Enterprise Server 上的组织拥有的存储库,已启用 GitHub Code Security

本文内容

About enabling advanced setup for code scanning with CodeQL at scale

If you need to configure a highly customizable code scanning setup for many repositories in your organization, or if repositories in your organization are ineligible for default setup, you can enable code scanning at scale with advanced setup.

To enable advanced setup across multiple repositories, you can write a bulk configuration script. To successfully execute the script, GitHub Actions must be enabled for the organization.

Alternatively, if you do not need granular control over the code scanning configuration for many repositories in your organization, you can quickly and easily configure code scanning at scale with default setup. For more information, see Configuring default setup for code scanning at scale.

Using a script to enable advanced setup

For repositories that are not eligible for default setup, you can use a bulk configuration script to enable advanced setup across multiple repositories.

  1. Identify a group of repositories that can be analyzed using the same code scanning configuration. For example, all repositories that build Java artifacts using the production environment.
  2. Create and test a GitHub Actions workflow to call the CodeQL action with the appropriate configuration. For more information, see Configuring advanced setup for code scanning.
  3. Use one of the example scripts or create a custom script to add the workflow to each repository in the group.

Extending CodeQL coverage with model packs

注意

CodeQL model packs are currently in public preview and subject to change. Model packs are supported for C/C++, C#, Java/Kotlin, Python, Ruby, and Rust analysis.

The CodeQL model editor in the CodeQL extension for Visual Studio Code supports modeling dependencies for C#, Java/Kotlin, Python, and Ruby.

If your codebase depends on a library or framework that is not recognized by the standard queries in CodeQL, you can extend the CodeQL coverage in your bulk configuration script by specifying published CodeQL model packs. For more information, see Customizing your advanced setup for code scanning.

Alternatively, if you do not need granular control over the code scanning configuration for many repositories in your organization, you can quickly and easily configure model packs with code scanning at scale with default setup. For more information, see Editing your configuration of default setup.