Skip to main content

5단계: 코드 스캔 롤아웃 및 크기 조정

사용 가능한 API를 활용하고 이전에 수집한 리포지토리 데이터를 사용하여 엔터프라이즈 전체의 팀과 언어별로 프로그래밍 방식으로 code scanning를 롤아웃할 수 있습니다.

This article is part of a series on adopting GitHub Advanced Security at scale. For the previous article in this series, see "Phase 4: Create internal documentation."

You can quickly enable security features at scale with the GitHub-recommended security configuration, a collection of security enablement settings you can apply to repositories in an organization. You can then further customize GitHub Advanced Security features at the organization level with global settings. See "About enabling security features at scale."

Enabling code scanning

After piloting code scanning and creating internal documentation for best practices, you can enable code scanning across your company. You can configure code scanning default setup for all repositories in an organization from security overview. For more information, see "Configuring default setup for code scanning at scale."

For some languages or build systems, you may need to instead configure advanced setup for code scanning to get full coverage of your codebase. However, advanced setup requires significantly more effort to configure, customize, and maintain, so we recommend enabling default setup first.

Building subject matter expertise

To successfully manage and use code scanning across your company, you should build internal subject matter expertise. For default setup for code scanning, one of the most important areas for subject matter experts (SMEs) to understand is interpreting and fixing code scanning alerts. For more information about code scanning alerts, see:

You'll also need SMEs if you need to use advanced setup for code scanning. These SMEs will need knowledge of code scanning alerts, as well as topics like GitHub Actions and customizing code scanning workflows for particular frameworks. For custom configurations of advanced setup, consider running meetings on complicated topics to scale the knowledge of several SMEs at once.

For code scanning alerts from CodeQL analysis, you can use security overview to see how CodeQL is performing in pull requests in repositories across your organization, and to identify repositories where you may need to take action. For more information, see "Viewing metrics for pull request alerts."

With a GitHub Copilot Enterprise license, you can also ask GitHub Copilot Chat for help to better understand code scanning alerts in repositories in your organization. For more information, see "Asking GitHub Copilot questions in GitHub."

For the next article in this series, see "Phase 6: Rollout and scale secret scanning."