About disabling Copilot Autofix for code scanning
GitHub Copilot Autofix is a GitHub Copilot-powered expansion of code scanning. It provides users with targeted recommendations to help them fix code scanning alerts (including CodeQL alerts) so they can avoid introducing new security vulnerabilities. To learn more about Copilot Autofix for code scanning, see Responsible use of Copilot Autofix for code scanning.
Note
You do not need a subscription to GitHub Copilot to use GitHub Copilot Autofix. Copilot Autofix is available to all public repositories on GitHub.com, as well as private repositories in GitHub Enterprise Cloud enterprises that have a license for GitHub Advanced Security.
Copilot Autofix is allowed by default and enabled for every repository that uses CodeQL, regardless of whether it uses default or advanced setup for code scanning. Administrators at the enterprise, organization and repository levels can choose to opt out and disable Copilot Autofix.
Note that disabling Copilot Autofix at any level will close all open Copilot Autofix comments. If Copilot Autofix is disabled and then subsequently enabled, Copilot Autofix won't automatically suggest fixes for any pull requests that are already open. The suggestions will only be generated for any pull requests that are opened after Copilot Autofix is enabled, or after re-running code scanning analysis on existing pull requests.
Blocking use of Copilot Autofix for an enterprise
Enterprise administrators can disallow Copilot Autofix for their enterprise. If you disallow Copilot Autofix for an enterprise, Copilot Autofix cannot be enabled for any organizations or repositories within the enterprise.
Note that allowing Copilot Autofix for an enterprise does not enforce enablement of Copilot Autofix, but means that organization and repository administrators will have the option to enable or disable Copilot Autofix.
Disallowing Copilot Autofix at the enterprise level will remove all open Copilot Autofix comments across all repositories of all organizations within the enterprise.
- On the left side of the page, in the enterprise account sidebar, click Policies.
- Under "Policies", click Code security and analysis.
- Under "Copilot Autofix", use the dropdown menu to choose "Not allowed."
Disabling Copilot Autofix for an organization
If Copilot Autofix is allowed at the enterprise level, organization administrators have the option to disable Copilot Autofix for an organization. If you disable Copilot Autofix for an organization, Copilot Autofix cannot be enabled for any repositories within the organization.
Note that disabling Copilot Autofix at the organization level will remove all open Copilot Autofix comments across all repositories in the organization.
- In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
- Next to the organization, click Settings.
- In the "Security" section of the sidebar, click Code security then Global settings.
- Under the "Code scanning" section, deselect Copilot Autofix or Copilot Autofix for third-party tools.
For more information about configuring global code scanning settings, see Configuring global security settings for your organization.
Disabling Copilot Autofix for a repository
If Copilot Autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable Copilot Autofix for a repository. Disabling Copilot Autofix at the repository level will remove all open Copilot Autofix comments across the repository.
-
On GitHub, navigate to the main page of the repository.
-
Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.
-
In the "Security" section of the sidebar, click Code security.
-
In the "Code scanning" section, deselect Copilot Autofix or Copilot Autofix for third-party tools.