Default setup: A new way to enable GitHub code scanning
Default setup is a new way to automatically set up code scanning on your repository, without the use of a .yaml file.
At GitHub, we want to make it easy to develop secure software. This means building security tools that provide a frictionless experience for developers and that begins with enablement. To that end, we already offer the enablement of secret scanning and Dependabot in just one click.
Today we’re extending these capabilities with a new setup option for code scanning, “default setup,” a way for you to automatically enable code scanning on your repository.
Default setup simplifies getting started with code scanning on Python, JavaScript, and Ruby repositories. You can now enable code scanning in just a few clicks and without using a .yaml file, helping open source developers and enterprises streamline code scanning setup so they can secure more of their software. Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow.
We are working hard to make this experience available for all languages supported by the CodeQL analysis engine. We will continue rolling out support for new languages based on popularity and build complexity over the next six months.
How to get started
You can start by navigating to “Code security and analysis” under the “Security” heading in the “Settings” tab of your repository.
Here you’ll now see the new code scanning setup toolbox. In the toolbox, click the “Set up” button and you’ll be presented with two options: “Default,” which automatically sets up code scanning without a .yaml file, and “Advanced,” which lets you customize your code scanning setup with a .yaml file. If the repository doesn’t support default setup, that option will be grayed out.
When you click on “Default,” you’ll automatically see a tailored configuration summary based on the contents of the repository. This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable.
After reviewing the configuration, click “Enable CodeQL” and code scanning will automatically run on the repository. It’s that simple!
We hope you’ll try out this new feature the next time you set up code scanning on a repository. For more information on setting up code scanning, please refer to our documentation.
Learn more about GitHub security solutions
GitHub is committed to helping build safer and more secure software without compromising on the developer experience. To learn more or enable GitHub’s security features in repositories, check out the getting started guide.