Skip to main content

Editing your configuration of default setup

You can edit your existing configuration of default setup for code scanning to better meet your code security needs.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

About editing your configuration of default setup

After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit:

  • Which languages default setup will analyze.
  • The query suite run during analysis. For more information on the available query suites, see "CodeQL query suites."
  • The threat models (public preview) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the public preview, threat models are supported only for analysis of Java/Kotlin and C#. For more information about threat models, see "Including local sources of tainted data in default setup."

If your codebase depends on a library or framework that is not recognized by the standard libraries included with CodeQL, you can also extend the CodeQL coverage in default setup using CodeQL model packs. For more information, see "Extending CodeQL coverage with CodeQL model packs in default setup."

If you need to change any other aspects of your code scanning configuration, consider configuring advanced setup. For more information, see "Configuring advanced setup for code scanning."

Customizing your existing configuration of default setup

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. In the "CodeQL analysis" row of the "Code scanning" section, select , then click View CodeQL configuration.

  5. In the "CodeQL default configuration" window, click Edit.

  6. Optionally, in the "Languages" section, select or deselect languages for analysis.

  7. Optionally, in the "Query suite" row of the "Scan settings" section, select a different query suite to run against your code.

  8. (Public preview) Optionally, in the "Threat model" row of the "Scan settings" section, select Remote and local sources.

  9. To update your configuration, as well as run an initial analysis of your code with the new configuration, click Save changes. All future analyses will use your new configuration.

Defining the alert severities that cause a check failure for a pull request

You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:

  • A required tool found a code scanning alert of a severity that is defined in a ruleset.

  • A required code scanning tool's analysis is still in progress.

  • A required code scanning tool is not configured for the repository.

For more information, see "Set code scanning merge protection." For more general information about rulesets, see "About rulesets."

Including local sources of tainted data in default setup

Note

Threat models are currently in public preview and subject to change. During the public preview, threat models are supported only by analysis for Java/Kotlin and C#.

If your codebase only considers remote network requests to be potential sources of tainted data, then we recommend using the default threat model. If your codebase considers sources other than network requests to potentially contain tainted data, then you can use threat models to add these additional sources to your CodeQL analysis. During the public preview, you can add local sources (for example: command-line arguments, environment variables, file systems, and databases) that your codebase may consider to be additional sources of tainted data.

You can edit the threat model used in a default setup configuration. For more information, see "Customizing your existing configuration of default setup."

Extending CodeQL coverage with CodeQL model packs in default setup

Note

CodeQL model packs and the CodeQL model editor are currently in public preview and subject to change. Model packs are supported by C#, Java/Kotlin, Python, and Ruby analysis.

If your enterprise is hosted on GitHub.com and you use frameworks and libraries that are not recognized by the standard libraries included with CodeQL, you can model your dependencies and extend code scanning analysis. For more information, see Supported languages and frameworks in the documentation for CodeQL.

For default setup, you need to define the models of your additional dependencies in CodeQL model packs. You can extend coverage in default setup with CodeQL model packs for individual repositories, or at scale for all repositories in an organization.

For more information about CodeQL model packs and writing your own, see "Using the CodeQL model editor."

Extending coverage for a repository

  1. In the .github/codeql/extensions directory of the repository, copy the model pack directory which should include a codeql-pack.yml file and any .yml files containing additional models for the libraries or frameworks you wish to include in your analysis.
  2. The model packs will be automatically detected and used in your code scanning analysis.
  3. If you later change your configuration to use advanced setup, any model packs in the .github/codeql/extensions directory will still be recognized and used.

Extending coverage for all repositories in an organization

Note

If you extend coverage with CodeQL model packs for all repositories in an organization, the model packs that you specify must be published to the GitHub Container registry and be accessible to the repositories that run code scanning. For more information, see "Working with the Container registry."

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. Click Code security then Global settings.

  4. Find the "Code scanning" section.

  5. Next to "Expand CodeQL analysis", click Configure.

  6. Enter references to the published model packs you want to use, one per line, then click Save.

    Screenshot of the "Expand CodeQL analysis" view" in the settings for an organization.

  7. The model packs will be automatically detected and used when code scanning runs on any repository in the organization with default setup enabled.