配置代码扫描的默认设置

本文内容

可以使用 code scanning 的默认设置快速保护存储库中的代码。

谁可以使用此功能

People with admin permissions to a repository, or the security manager role for the repository, can configure code scanning for that repository.

Code scanning 可用于 GitHub.com 上的所有公共存储库。 Code scanning 也可用于使用 GitHub Enterprise Cloud 并拥有 GitHub Advanced Security 许可证的组织所拥有的专用存储库。 有关详细信息,请参阅“关于 GitHub 高级安全性”。

About default setup

Default setup for code scanning is the quickest, easiest, most low-maintenance way to enable code scanning for your repository. Based on the code in your repository, default setup will automatically create a custom code scanning configuration. After enabling default setup, the code in your repository will be scanned:

  • on each push to the repository's default branch, or any protected branch. For more information on protected branches, see "About protected branches."
  • when creating or committing to a pull request based against the repository's default branch, or any protected branch.
  • on a weekly schedule.

Note: If no pushes and pull requests have occured in a repository for 60 days, the weekly schedule will be disabled to save your GitHub Actions minutes.

You can enable the automatically selected configuration of default setup to start scanning your code as soon as possible, or you can customize aspects of the configuration to better meet your code scanning needs. If you choose to customize the configuration yourself, you can select:

  • the languages default setup will analyze.
  • the query suite default setup will run. For more information, see "Built-in CodeQL query suites."

You can also enable default setup for multiple or all repositories in an organization at the same time. For information on bulk enablement, see "Configuring default setup for code scanning at scale."

If you need more granular control over your code scanning configuration, you should instead configure advanced setup. For more information, see "Configuring advanced setup for code scanning."

Requirements for using default setup

Your repository is eligible for default setup for code scanning if:

  • it includes at least one CodeQL-supported language.
  • GitHub Actions are enabled.
  • it is publicly visible.

You can use default setup if your repository includes languages that aren't supported by CodeQL, such as R. For more information on CodeQL-supported languages, see "About code scanning with CodeQL."

About adding non-compiled and compiled languages to your default setup

If the code in a repository changes to include Go, JavaScript/TypeScript, Python, or Ruby, GitHub will automatically update the code scanning configuration to include the new language. If code scanning fails with the new configuration, GitHub will resume the previous configuration automatically so the repository does not lose code scanning coverage.

Compiled languages are not automatically included in default setup configuration because they often require more advanced configuration, but you can manually select any CodeQL-supported compiled language for analysis.

Configuring default setup for a repository

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings. Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. In the "Code scanning" section, select Set up , then click Default.

    Screenshot of the "Code scanning" section of "Code security and analysis" settings. The "Default setup" button is highlighted with an orange outline.

    You will then see a "CodeQL default configuration" dialog summarizing the code scanning configuration automatically created by default setup.

    Note: If your repository contains only compiled CodeQL-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration.

  5. Optionally, to customize your code scanning setup, click Edit.

    • To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. If you would like to analyze a CodeQL-supported compiled language with default setup, select that language here.
    • To specify the CodeQL query suite you would like to use, select your preferred query suite in the "Query suites" section.

  6. Review the settings for default setup on your repository, then click Enable CodeQL. This will trigger a workflow that tests the new, automatically generated configuration.

    Note: If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing code scanning configurations. This warning means default setup will disable the existing workflow file and block any CodeQL analysis API uploads.

  7. Optionally, to view your default setup configuration after enablement, select , then click View CodeQL configuration.

Next steps

After you configure default setup for code scanning, and your configuration runs successfully at least once, you can start examining and resolving code scanning alerts. For more information on code scanning alerts, see "About code scanning alerts" and "Managing code scanning alerts for your repository."

You can find detailed information about your code scanning configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see "About the tool status page for code scanning."

When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see "Troubleshooting code scanning."