About configuring default setup at scale
With default setup for code scanning, you can quickly secure code in repositories across your organization.
You can enable code scanning for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in CodeQL-supported languages in repositories in the organization will be scanned:
- On each push to the repository's default branch, or any protected branch. For more information on protected branches, see About protected branches.
- When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.
- On a weekly schedule.
For more information, see Configuring default setup for all eligible repositories in an organization.
For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see Configuring advanced setup for code scanning with CodeQL at scale.
Eligible repositories for CodeQL default setup at scale
A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.
- Advanced setup for code scanning is not already enabled.
- GitHub Actions is enabled.
- It is publicly visible, or GitHub Code Security is enabled.
If eligible repositories may in the future contain at least one CodeQL-supported language, we recommend enabling default setup for those repositories. If you enable default setup on a repository that does not contain any CodeQL-supported languages, default setup will not run any scans or use any GitHub Actions minutes. If a CodeQL-supported language is added to the repository's default branch, default setup will automatically start scanning that language and using GitHub Actions minutes. For more information about the languages CodeQL supports, see "About code scanning with CodeQL".
About adding languages to an existing default setup configuration
If the code in a repository changes to include a CodeQL-supported language, GitHub will automatically update the code scanning configuration to include the new language. If code scanning fails with the new configuration, GitHub will resume the previous configuration automatically so the repository does not lose code scanning coverage.
Providing default setup access to private registries
When a repository uses code stored in a private registry, default setup needs access to the registry to work effectively. For more information, see Giving security features access to private registries.
Configuring default setup for all eligible repositories in an organization
You can enable default setup for all eligible repositories in your organization. For more information, see About enabling security features at scale.
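The eligibility criteria listed earlier and the "enable for all eligible repositories" step above can also be driven from a script. The following is an added example, not GitHub's own code or tooling: it walks an organization's repositories, applies the three criteria, and enables default setup on the ones that pass. Assumptions, none of which the page states: the REST routes used (/orgs/{org}/repos, /repos/{owner}/{repo}/actions/permissions, /repos/{owner}/{repo}/code-scanning/default-setup) and their JSON field names are as the author of this example understands the public GitHub API, and "advanced setup already enabled" is detected heuristically by looking for a workflow that calls github/codeql-action/analyze. The organization name and token come from the environment; the pure helpers can be exercised offline on constructed input.

```python
# Added example (not GitHub's code): enable CodeQL default setup across an org.
# Assumed routes/fields: see the lead-in above; run live with GITHUB_TOKEN and ORG set.
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def has_codeql_workflow(workflow_files: dict) -> bool:
    """Heuristic (assumption): a repository whose workflow files invoke
    github/codeql-action/analyze is already using advanced setup.
    workflow_files maps file name -> file contents."""
    return any("codeql-action/analyze" in body for body in workflow_files.values())


def is_eligible(repo: dict, actions: dict, advanced_setup_enabled: bool) -> bool:
    """The page's three criteria: advanced setup not enabled, GitHub Actions
    enabled, and the repository is public or has GitHub Code Security
    (reported as advanced_security) enabled.
    repo    -> one item from GET /orgs/{org}/repos (assumed shape)
    actions -> body of GET /repos/{owner}/{repo}/actions/permissions (assumed shape)"""
    if advanced_setup_enabled:
        return False
    if not actions.get("enabled", False):
        return False
    public = repo.get("visibility") == "public"
    sec = repo.get("security_and_analysis") or {}
    ghcs = (sec.get("advanced_security") or {}).get("status") == "enabled"
    return public or ghcs


def build_enable_request(owner: str, repo: str, query_suite: str = "default"):
    """URL and JSON body for PATCH .../code-scanning/default-setup (assumed route)."""
    url = f"{API}/repos/{owner}/{repo}/code-scanning/default-setup"
    body = {"state": "configured", "query_suite": query_suite}
    return url, body


def _call(method: str, url: str, token: str, body=None):
    """Minimal authenticated JSON call against the REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def _workflows(owner: str, repo: str, token: str) -> dict:
    """Fetch .github/workflows/*.yml contents; a missing directory yields {}."""
    try:
        listing = _call("GET", f"{API}/repos/{owner}/{repo}/contents/.github/workflows", token)
    except urllib.error.HTTPError:
        return {}
    files = {}
    for item in listing:
        if item.get("name", "").endswith((".yml", ".yaml")):
            with urllib.request.urlopen(item["download_url"]) as resp:
                files[item["name"]] = resp.read().decode()
    return files


def main():
    token, org = os.environ["GITHUB_TOKEN"], os.environ["ORG"]
    for repo in _call("GET", f"{API}/orgs/{org}/repos?per_page=100", token):
        owner, name = repo["owner"]["login"], repo["name"]
        actions = _call("GET", f"{API}/repos/{owner}/{name}/actions/permissions", token)
        advanced = has_codeql_workflow(_workflows(owner, name, token))
        if not is_eligible(repo, actions, advanced):
            print(f"skip {name}: not eligible for default setup, use advanced setup")
            continue
        url, body = build_enable_request(owner, name)
        _call("PATCH", url, token, body)
        print(f"enabled default setup on {name}")


if __name__ == "__main__":
    main()
```

Repositories that fail the check are only reported, which matches the page: those repositories need advanced setup, configured per repository or with a separate script.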
Extending CodeQL coverage in default setup
Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see Editing a default setup configuration.
Configuring default setup for a subset of repositories in an organization
You can filter for specific repositories you would like to configure default setup for. For more information, see Applying a custom security configuration.
Configuring merge protection for all repositories in an organization
You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
- A required tool found a code scanning alert whose severity is defined in the ruleset.
- A required code scanning tool's analysis is still in progress.
- A required code scanning tool is not configured for the repository.
For more information, see Setting code scanning merge protection. For more general information about rulesets, see About rulesets.
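To make the three conditions above concrete, here is an added example, not GitHub's own code, that builds an organization-level ruleset payload enforcing code scanning merge protection on every repository's default branch and can create it through the REST API. Assumptions not stated on the page: the "code_scanning" rule type, its parameter names (code_scanning_tools, tool, security_alerts_threshold, alerts_threshold), the threshold values, the ~DEFAULT_BRANCH and ~ALL condition patterns, and the POST /orgs/{org}/rulesets route are as the author of this example understands the public GitHub API; the organization name and token are placeholders taken from the environment.

```python
# Added example (not GitHub's code): org ruleset for code scanning merge protection.
# Rule type, parameter names, threshold values and route are assumptions; see lead-in.
import json
import os
import urllib.request

API = "https://api.github.com"

# Assumed allowed values for the two thresholds.
SECURITY_ALERT_THRESHOLDS = ("none", "critical", "high_or_higher", "medium_or_higher", "all")
ALERT_THRESHOLDS = ("none", "errors", "errors_and_warnings", "all")


def build_merge_protection_ruleset(security_alerts_threshold: str = "high_or_higher",
                                   alerts_threshold: str = "errors",
                                   tool: str = "CodeQL") -> dict:
    """Return a ruleset payload that blocks merging a pull request when the
    required tool reports an alert at or above the configured severity, when
    its analysis is still in progress, or when it is not configured on the
    repository (the three conditions listed on the page)."""
    if security_alerts_threshold not in SECURITY_ALERT_THRESHOLDS:
        raise ValueError(f"unknown security_alerts_threshold: {security_alerts_threshold}")
    if alerts_threshold not in ALERT_THRESHOLDS:
        raise ValueError(f"unknown alerts_threshold: {alerts_threshold}")
    return {
        "name": "Code scanning merge protection",
        "target": "branch",
        "enforcement": "active",
        "conditions": {
            # Apply to the default branch of every repository in the organization.
            "ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []},
            "repository_name": {"include": ["~ALL"], "exclude": []},
        },
        "rules": [{
            "type": "code_scanning",
            "parameters": {"code_scanning_tools": [{
                "tool": tool,
                "security_alerts_threshold": security_alerts_threshold,
                "alerts_threshold": alerts_threshold,
            }]},
        }],
    }


def required_tools(ruleset: dict) -> list:
    """Names of the tools a ruleset requires; useful when auditing existing rulesets."""
    tools = []
    for rule in ruleset.get("rules", []):
        if rule.get("type") == "code_scanning":
            for entry in rule["parameters"]["code_scanning_tools"]:
                tools.append(entry["tool"])
    return tools


def create_ruleset(org: str, token: str, ruleset: dict) -> dict:
    """POST the ruleset to the organization (assumed route /orgs/{org}/rulesets)."""
    req = urllib.request.Request(
        f"{API}/orgs/{org}/rulesets",
        data=json.dumps(ruleset).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    payload = build_merge_protection_ruleset()
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("ORG"):
        print(create_ruleset(os.environ["ORG"], os.environ["GITHUB_TOKEN"], payload))
    else:
        print(json.dumps(payload, indent=2))
```

Because the rule names a required tool, the second and third conditions follow automatically: a repository where CodeQL has not finished, or was never configured, cannot satisfy the check, so the pull request stays blocked until default setup (or advanced setup) is in place and has run.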