Skip to main content

此版本的 GitHub Enterprise Server 已于以下日期停止服务 2024-09-25. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

配置大规模代码扫描的默认设置

可以使用默认设置为整个组织的存储库快速配置 code scanning。

谁可以使用此功能?

具有管理员角色的组织所有者、安全管理员和组织成员

启用了 GitHub Advanced Security 的组织拥有的存储库

About configuring default setup at scale

With default setup for code scanning, you can quickly secure code in repositories across your organization.

You can enable code scanning for all repositories in your organization that are eligible for default setup. After enabling default setup, the code written in CodeQL-supported languages in repositories in the organization will be scanned:

  • On each push to the repository's default branch, or any protected branch. For more information on protected branches, see "About protected branches."
  • When creating or committing to a pull request based against the repository's default branch, or any protected branch, excluding pull requests from forks.

For more information, see "Configuring default setup for all eligible repositories in an organization."

You can also use security overview to find a set of repositories in your organization and enable or disable default setup for all of them at the same time. For more information, see "Configuring default setup for a subset of repositories in an organization."

You can also create different default setup configurations for individual repositories. For more information on configuring default setup at the repository level, see "Configuring default setup for code scanning."

For repositories that are not eligible for default setup, you can configure advanced setup at the repository level, or at the organization level using a script. For more information, see "Configuring advanced setup for code scanning with CodeQL at scale."

Eligible repositories for CodeQL default setup at scale

Note

The ability to enable and disable default setup for code scanning for eligible repositories in an organization is currently in beta and subject to change.

A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced setup.

  • Advanced setup for code scanning is not already enabled.
  • GitHub Actions are enabled.
  • Uses Go, JavaScript/TypeScript, Python, or Ruby.
  • GitHub Advanced Security is enabled.

Note

Configuring default setup for all repositories in an organization through your organization's settings page will not override existing configurations of default setup. However, configuring default setup on a subset of repositories in an organization through security overview will override existing configurations of default setup on those repositories.

Configuring default setup for all eligible repositories in an organization

Through the "Code security and analysis" page of your organization's settings, you can enable default setup for all eligible repositories in your organization. For more information on repository eligibility, see "Eligible repositories for CodeQL default setup at scale."

Note

The ability to enable and disable default setup for code scanning for eligible repositories in an organization is currently in beta and subject to change.

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
  2. Next to the organization, click Settings.
  3. In the "Security" section of the sidebar, click Code security and analysis.
  4. Click Enable all next to "Code scanning".
  5. In the "Enable code scanning for eligible repositories" dialog box displayed, click Enable for eligible repositories to enable your configuration of default setup.

Note

  • If you disable CodeQL code scanning for all repositories this change is not reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have code scanning enabled in the "Security Coverage" view.
  • Enabling code scanning for all eligible repositories in an organization will not override existing code scanning configurations. For information on configuring default setup with different settings for specific repositories, see "Configuring default setup for code scanning" and "Configuring default setup for a subset of repositories in an organization."

Configuring default setup for a subset of repositories in an organization

Through security overview for your organization, you can find eligible repositories for default setup, then enable default setup across each of those repositories simultaneously. For more information on repository eligibility, see "Eligible repositories for CodeQL default setup at scale."

Finding repositories that are eligible for default setup

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Coverage to display the "Security coverage" view.

    Screenshot of the "Security coverage" view.

  4. In the search bar, enter one of the following queries:

    • code-scanning-default-setup:eligible advanced-security:enabled shows which repositories can be added to default setup immediately.
    • code-scanning-default-setup:eligible advanced-security:not-enabled shows which repositories have languages suitable for default setup but do not have GitHub Advanced Security enabled. Once you enable GitHub Advanced Security for these repositories, they can also be added to default setup.
    • code-scanning-default-setup:not-eligible shows repositories that are ineligible for default setup enablement at scale for any of the following reasons:
      • The repositories already have existing configurations of advanced setup.
      • The repositories only contain languages that cannot be analyzed by default setup.
      • The repositories do not have GitHub Advanced Security enabled.

You can select all of the displayed repositories, or a subset of them, and enable or disable default setup for code scanning for them all at the same time. For more information, see step 5 of "Configuring default setup at scale for multiple repositories in an organization."

Configuring default setup at scale for multiple repositories in an organization

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Security.

    Screenshot of the horizontal navigation bar for an organization. A tab, labeled with a shield icon and "Security," is outlined in dark orange.

  3. In the sidebar, click Coverage to display the "Security coverage" view.

    Screenshot of the "Security coverage" view.

  4. You can use the search bar to narrow down visible repositories in the "Security coverage" view based on name, or on the enablement status of security features. For example, to filter for repositories that are eligible for default setup and do not currently have default setup enabled, search for code-scanning-default-setup:eligible.

  5. In the list of repositories, select each repository you want to enable code scanning for.

    • To enable code scanning for all repositories on the page, select the checkbox next to NUMBER Active.
    • To enable code scanning for all repositories that match the current search, select the checkbox next to NUMBER Active, then click Select all NUMBER repos.
  6. Click Security settings next to NUMBER selected.

  7. In the side panel, in the "CodeQL Default Setup" section, select No change, then click Enable.

  8. To confirm the enablement of code scanning for the selected repositories, click Apply changes NUMBER. Alternatively, to select or deselect more repositories for code scanning enablement, click to close the panel without applying your changes.

Note

Enabling code scanning for multiple repositories in an organization using security overview will override any existing code scanning configurations for the selected repositories, including any previous query suite selections and workflows for advanced setups.

Screenshot of the "Security coverage" view with the side panel open. The "Apply changes" button is highlighted in a dark orange outline.

If you're blocked from enabling code scanning due to an enterprise policy, you will still be able to see the affected repository in the "Security Coverage" view and access the side panel from the Security settings button. However, you will see a message in the side panel indicating that you cannot enable code scanning for the selected repositories. For more information about enterprise policies, see "Enforcing policies for code security and analysis for your enterprise."