About configuring code scanning in multiple repositories
There are multiple ways to configure code scanning in multiple repositories at the same time.
The best method to use depends on the analysis needs of the repositories.
- The repositories are eligible for default setup for CodeQL and are owned by an organization.
- The group of repositories has similar configuration needs for CodeQL advanced setup.
In addition, GitHub Actions must be enabled for the organization.
Eligible repositories for CodeQL default setup
Note: The ability to enable and disable default setup for code scanning for eligible repositories in an organization is currently in beta and subject to change. During the beta release, if you disable CodeQL code scanning for all repositories, this change will not be reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have code scanning enabled in this view.
You can use the organization settings page for "Code security and analysis" to enable code scanning for all repositories in the organization that are eligible for CodeQL default setup.
Eligibility criteria for organization-level enablement
A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.
- Code scanning is not already enabled.
- GitHub Actions are enabled.
- Uses Go, JavaScript/TypeScript, Python, or Ruby.
- Does not use any other languages supported by CodeQL, but may include other languages, such as R. For more information on CodeQL-supported languages, see "About code scanning with CodeQL."
- Publicly visible.
For more information about default setup, see "Configuring code scanning for a repository." For information on editing security and analysis settings for an organization, see "Managing security and analysis settings for your organization."
Using a script to configure advanced setup
For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.
- Identify a group of repositories that can be analyzed using the same code scanning configuration. For example, all repositories that build Java artifacts using the production environment.
- Create and test a GitHub Actions workflow to call the CodeQL action with the appropriate configuration. For more information, see "Configuring code scanning for a repository."
- Use one of the example scripts, or create a custom script, to add the workflow to each repository in the group.
  - PowerShell example: jhutchings1/Create-ActionsPRs repository
  - NodeJS example: nickliffen/ghas-enablement repository
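The eligibility criteria above and the three script steps, as one added Python example that is not part of this page or of either linked repository: it routes a constructed inventory either to organization-level default setup or to a generated advanced-setup workflow, and builds the REST call (the PUT contents endpoint) a bulk script would issue per repository before opening a pull request. The repository names, branch name and the OTHER_CODEQL_LANGS list are assumptions.

```python
import base64
from collections import namedtuple

# Default-setup languages are from the page; OTHER_CODEQL_LANGS is an assumed list (verify against docs).
DEFAULT_SETUP_LANGS = {"go", "javascript", "typescript", "python", "ruby"}
OTHER_CODEQL_LANGS = {"java", "kotlin", "c", "cpp", "csharp", "swift"}

# Constructed inventory record; its fields mirror the page's eligibility criteria.
Repo = namedtuple("Repo", "name languages public actions_enabled code_scanning_enabled",
                  defaults=(True, True, False))

def eligible_for_default_setup(repo):
    """All criteria must hold; a repository failing any of them needs advanced setup."""
    langs = {lang.lower() for lang in repo.languages}
    return (not repo.code_scanning_enabled and repo.actions_enabled and repo.public
            and bool(langs & DEFAULT_SETUP_LANGS) and not (langs & OTHER_CODEQL_LANGS))

WORKFLOW_TEMPLATE = """name: CodeQL
on: {push: {branches: [main]}, pull_request: {branches: [main]}}
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions: {contents: read, security-events: write}
    strategy: {matrix: {language: [__LANGS__]}}
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
"""

def codeql_workflow(languages):
    """Shared advanced-setup workflow for one group; autobuild covers compiled languages like Java."""
    return WORKFLOW_TEMPLATE.replace("__LANGS__", ", ".join(sorted(languages)))

def contents_api_request(repo, workflow_yaml, branch="codeql-enablement"):
    """Per-repo REST call: PUT /repos/{owner}/{repo}/contents/{path} creates the file on a branch."""
    url = f"https://api.github.com/repos/{repo.name}/contents/.github/workflows/codeql.yml"
    body = {"message": "Add CodeQL advanced setup workflow", "branch": branch,
            "content": base64.b64encode(workflow_yaml.encode()).decode()}
    return "PUT", url, body

def plan(repos, group_languages):
    return {r.name: "default-setup" if eligible_for_default_setup(r)
            else contents_api_request(r, codeql_workflow(group_languages)) for r in repos}

INVENTORY = [Repo("acme/web-ui", {"TypeScript"}), Repo("acme/billing", {"Java", "JavaScript"}),
             Repo("acme/internal-tool", {"Python"}, public=False)]  # constructed sample data
```

Repositories routed to "default-setup" are enabled from the organization's "Code security and analysis" settings page; the others receive the workflow through the PUT request and a pull request from the branch it creates.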