Skip to main content

This version of GitHub Enterprise Server was discontinued on 2024-09-25. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Configuring default setup for code scanning

You can quickly secure code in your repository with default setup for code scanning.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

Organization-owned repositories with GitHub Advanced Security enabled

About default setup

Default setup for code scanning is the quickest, easiest, most low-maintenance way to enable code scanning for your repository. Based on the code in your repository, default setup will automatically create a custom code scanning configuration. After enabling default setup, the code written in CodeQL-supported languages in your repository will be scanned:

  • On each push to the repository's default branch, or any protected branch. For more information on protected branches, see About protected branches.
  • When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.

You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see Configuring default setup for code scanning at scale.

If you need more granular control over your code scanning configuration, you should instead configure advanced setup. For more information, see Configuring advanced setup for code scanning.

Requirements for using default setup

Your repository is eligible for default setup for code scanning if:

  • It includes at least one CodeQL-supported language aside from Swift.
  • GitHub Actions are enabled.
  • GitHub Advanced Security is enabled.

If your repository includes at least one CodeQL-supported language, you can use default setup even if your repository also includes languages that aren't supported by CodeQL, such as R. Unsupported languages will not be scanned by default setup. For more information on CodeQL-supported languages, see About code scanning with CodeQL.

You can use default setup for all CodeQL-supported languages except Swift for self-hosted runners or GitHub-hosted runners. See Assigning labels to runners, later in this article.

Default setup runs the autobuild action, so you should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, Go, Java, Kotlin, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.

Customizing default setup

We recommend that you start using code scanning with default setup. After you've initially configured default setup, you can evaluate code scanning to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see Evaluating default setup for code scanning.

About adding compiled languages to your default setup

Compiled languages are not automatically included in default setup configuration because they often require more advanced configuration, but you can manually select any CodeQL-supported compiled language other than Swift for analysis.

Configuring default setup for a repository

Note

At least one CodeQL-supported language's analysis in a repository must succeed, or else default setup will not be successfully enabled in that repository.

  1. On GitHub, navigate to the main page of the repository.

    Note

    If you are configuring default setup on a fork, you must first enable GitHub Actions. To enable GitHub Actions, under your repository name, click Actions, then click I understand my workflows, go ahead and enable them. Be aware that this will enable all existing workflows on your fork.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. In the "Code scanning" section, select Set up , then click Default.

    Screenshot of the "Code scanning" section of "Code security and analysis" settings. The "Default setup" button is highlighted with an orange outline.

    You will then see a "CodeQL default configuration" dialog summarizing the code scanning configuration automatically created by default setup.

    Note

    If your repository contains only compiled CodeQL-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration.

  5. Optionally, to customize your code scanning setup, click Edit.

    • To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. If you would like to analyze a CodeQL-supported compiled language with default setup, select that language here.
    • To specify the CodeQL query suite you would like to use, select your preferred query suite in the "Query suites" section.
  6. Review the settings for default setup on your repository, then click Enable CodeQL. This will trigger a workflow that tests the new, automatically generated configuration.

    Note

    If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing code scanning configurations. This warning means default setup will disable the existing workflow file and block any CodeQL analysis API uploads.

  7. Optionally, to view your default setup configuration after enablement, select , then click View CodeQL configuration.

Assigning labels to runners

Note

Code scanning sees assigned runners when default setup is enabled. If a runner is assigned to a repository that is already running default setup, you must disable and re-enable default setup to start using the runner. If you add a runner and want to start using it, you can change the configuration manually without needing to disable and re-enable default setup.

You can also assign self-hosted runnerswith the code-scanning label. For information about assigning labels to self-hosted runners, see Using labels with self-hosted runners.

Next steps

After your configuration runs successfully at least once, you can start examining and resolving code scanning alerts. For more information on code scanning alerts, see About code scanning alerts and Assessing code scanning alerts for your repository.

After you've configured default setup for code scanning, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see Evaluating default setup for code scanning.

You can find detailed information about your code scanning configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see About the tool status page for code scanning.

When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see Troubleshooting code scanning.