
Configuring code scanning at scale using CodeQL

You can configure code scanning for eligible repositories in your organization using default setup for CodeQL or use a script to configure advanced setup for a specific group of repositories.

Code scanning is available for all public repositories on GitHub.com. To use code scanning in a private repository owned by an organization, you must have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

About configuring code scanning in multiple repositories

There are multiple ways to configure code scanning in multiple repositories at the same time.

The best method to use depends on the analysis needs of the repositories:

  1. If the repositories are eligible for default setup for CodeQL and are owned by an organization, use default setup.
  2. If the group of repositories has similar configuration needs for CodeQL advanced setup, use a script to add a shared workflow to each of them.

In addition, GitHub Actions must be enabled for the organization or enterprise.

Eligible repositories for CodeQL default setup

Note: The ability to enable and disable default setup for code scanning for eligible repositories in an organization is currently in beta and subject to change. During the beta release, if you disable CodeQL code scanning for all repositories, this change will not be reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have code scanning enabled in this view.

You can use security overview to find a set of repositories and enable or disable default setup for code scanning for them all at the same time. For more information, see "Enabling security features for multiple repositories."

You can also use the organization settings page for "Code security and analysis" to enable code scanning for all repositories in the organization that are eligible for CodeQL default setup.

Eligibility criteria for organization-level enablement

A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.

  • Code scanning is not already enabled.
  • GitHub Actions are enabled.
  • Uses Go, JavaScript/TypeScript, Python, or Ruby.
  • Does not use any other languages supported by CodeQL, but may include other languages, such as R. For more information on CodeQL-supported languages, see "About code scanning with CodeQL."
  • Publicly visible, or GitHub Advanced Security is enabled.

For more information about default setup, see "Configuring code scanning for a repository." For information on editing security and analysis settings for an organization, see "Managing security and analysis settings for your organization."

Finding repositories that are eligible for default setup

You can use the "Security coverage" view in security overview to show repositories in your organization that are eligible for default setup.

  1. On GitHub.com, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Coverage to display the "Security coverage" view.

  4. In the search bar, enter one of the following queries:

    • code-scanning-default-setup:eligible is:public shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
    • code-scanning-default-setup:eligible advanced-security:enabled shows private or internal repositories that have languages suitable for default setup and are eligible because they have GitHub Advanced Security enabled.
    • code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled shows private or internal repositories that have languages suitable for default setup but do not have GitHub Advanced Security enabled. Once you enable GitHub Advanced Security for these repositories, they can also be added to default setup.
    • code-scanning-default-setup:not-eligible shows repositories that either have advanced setup configured already, or where the languages are not suitable for default setup.

You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for code scanning for them all at the same time. For more information, see "Enabling security features for multiple repositories."
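The eligibility criteria listed above and the four coverage-view queries describe the same decision. As an added example (not GitHub's own code), the script below applies those criteria to a set of repository records and sorts them into the same four buckets the queries return. The repository records are constructed for the example; in practice you would populate them from the REST API (the repository object for visibility, the languages endpoint, and the code scanning and Actions settings). The set of "other" CodeQL-supported languages is an assumption fixed at the time of writing and should be checked against the current CodeQL language list.

```python
"""Classify repositories by CodeQL default-setup eligibility.

Added example, not GitHub's own code. Repository records are constructed
inline; field names are this example's own, not the REST API's.
"""

# Languages that default setup can analyze (from the eligibility criteria).
DEFAULT_SETUP_LANGUAGES = {"Go", "JavaScript", "TypeScript", "Python", "Ruby"}
# Other languages CodeQL analyzes; a repository using any of these needs
# advanced setup. Assumed list, check it against the current CodeQL docs.
OTHER_CODEQL_LANGUAGES = {"C", "C++", "C#", "Java", "Kotlin", "Swift"}


def languages_suitable(languages):
    """True when at least one default-setup language is present and no other
    CodeQL-supported language is. Languages CodeQL does not analyze at all
    (R, Shell, HTML, ...) do not affect eligibility."""
    langs = set(languages)
    return bool(langs & DEFAULT_SETUP_LANGUAGES) and not (langs & OTHER_CODEQL_LANGUAGES)


def classify(repo):
    """Return (bucket, reasons). Buckets mirror the four coverage-view queries:
    'eligible-public', 'eligible-advanced-security',
    'needs-advanced-security' (languages fit, but GHAS is not enabled),
    and 'not-eligible'."""
    reasons = []
    if repo["code_scanning_enabled"]:
        reasons.append("code scanning already configured")
    if not repo["actions_enabled"]:
        reasons.append("GitHub Actions disabled")
    if not languages_suitable(repo["languages"]):
        reasons.append("languages not suitable for default setup")
    if reasons:
        return "not-eligible", reasons
    if repo["visibility"] == "public":
        return "eligible-public", []
    if repo["advanced_security_enabled"]:
        return "eligible-advanced-security", []
    return "needs-advanced-security", ["enable GitHub Advanced Security first"]


def group_by_bucket(repos):
    """Map each bucket to the names of the repositories that fall into it."""
    groups = {}
    for repo in repos:
        bucket, _ = classify(repo)
        groups.setdefault(bucket, []).append(repo["name"])
    return groups


# Constructed sample records covering each bucket.
SAMPLE_REPOS = [
    {"name": "web-frontend", "visibility": "public",
     "languages": ["TypeScript", "JavaScript", "HTML"],
     "actions_enabled": True, "code_scanning_enabled": False, "advanced_security_enabled": False},
    {"name": "billing-api", "visibility": "private",
     "languages": ["Python", "Shell"],
     "actions_enabled": True, "code_scanning_enabled": False, "advanced_security_enabled": True},
    {"name": "data-notebooks", "visibility": "internal",
     "languages": ["Python", "R"],
     "actions_enabled": True, "code_scanning_enabled": False, "advanced_security_enabled": False},
    {"name": "legacy-service", "visibility": "private",
     "languages": ["Java", "JavaScript"],
     "actions_enabled": True, "code_scanning_enabled": False, "advanced_security_enabled": True},
    {"name": "ops-tools", "visibility": "public",
     "languages": ["Go"],
     "actions_enabled": True, "code_scanning_enabled": True, "advanced_security_enabled": False},
]

if __name__ == "__main__":
    for bucket, names in sorted(group_by_bucket(SAMPLE_REPOS).items()):
        print(f"{bucket}: {', '.join(names)}")
```

The `needs-advanced-security` bucket corresponds to the third query: those repositories become eligible as soon as GitHub Advanced Security is enabled for them, so they are worth listing separately rather than lumping in with repositories that genuinely need advanced setup.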

Using a script to configure advanced setup

For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.

  1. Identify a group of repositories that can be analyzed using the same code scanning configuration. For example, all repositories that build Java artifacts using the production environment.
  2. Create and test a GitHub Actions workflow to call the CodeQL action with the appropriate configuration. For more information, see "Configuring code scanning for a repository."
  3. Use one of the example scripts, or create a custom script, to add the workflow to each repository in the group.
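As an added example of the three steps above (not one of GitHub's own example scripts), the script below renders a CodeQL advanced-setup workflow for one shared configuration and adds it to each repository in a group through the REST "create or update file contents" endpoint (`PUT /repos/{owner}/{repo}/contents/{path}`). It assumes a token with permission to write contents and workflows in the target repositories, and it runs in dry-run mode by default so the planned requests can be reviewed before anything is committed. The organization, repository names and language list in the usage section are placeholders.

```python
"""Bulk-add a CodeQL advanced-setup workflow to a group of repositories.

Added example, not GitHub's own bulk script. Assumes TOKEN grants write access
to repository contents and workflows for every repository listed.
"""
import base64
import json
import urllib.request

WORKFLOW_PATH = ".github/workflows/codeql.yml"
API_VERSION = "2022-11-28"


def build_workflow(languages, branch="main"):
    """Render a CodeQL workflow for the given CodeQL language identifiers
    (e.g. ["java"]). The group was chosen so one configuration fits all."""
    if not languages:
        raise ValueError("at least one CodeQL language is required")
    lang_list = ", ".join(languages)
    return f"""name: "CodeQL"

on:
  push:
    branches: [ "{branch}" ]
  pull_request:
    branches: [ "{branch}" ]
  schedule:
    - cron: "17 3 * * 1"   # weekly run so new queries reach unchanged code

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required to upload results

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: {lang_list}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
"""


def build_contents_request(owner, repo, content, message, branch="main", path=WORKFLOW_PATH):
    """Build the URL and JSON body for the contents API call that creates the
    file. Updating an existing file would additionally need its blob `sha`;
    this example targets repositories that do not have the workflow yet."""
    url = f"https://api.github.com/repos/{owner}/{repo}/contents/{path}"
    body = {
        "message": message,
        "content": base64.b64encode(content.encode("utf-8")).decode("ascii"),
        "branch": branch,
    }
    return url, body


def add_workflow_to_repos(owner, repos, token, languages, branch="main", dry_run=True):
    """Add the shared workflow to each repository. With dry_run=True nothing is
    sent; the planned (url, body) pairs are returned for review."""
    workflow = build_workflow(languages, branch)
    planned = []
    for repo in repos:
        url, body = build_contents_request(
            owner, repo, workflow, "Add CodeQL code scanning workflow", branch)
        planned.append((url, body))
        if dry_run:
            continue
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="PUT",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json",
                     "X-GitHub-Api-Version": API_VERSION,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:   # raises on 4xx/5xx
            resp.read()
    return planned


if __name__ == "__main__":
    # Placeholder organization, repositories and token.
    for url, _ in add_workflow_to_repos(
            "example-org", ["payments-java", "inventory-java"], "TOKEN", ["java"]):
        print("would PUT", url)
```

Run it once in dry-run mode, inspect the rendered workflow and target URLs, then call `add_workflow_to_repos(..., dry_run=False)` to commit. Each repository will run the workflow on its next push to the configured branch, which is the quickest way to confirm that the shared configuration really does build every member of the group.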