Default setup is a new way to automatically set up code scanning on your repository, without the use of a .yaml file.
At GitHub, we want to make it easy to develop secure software. This means building security tools that provide a frictionless experience for developers and that begins with enablement. To that end, we already offer the enablement of secret scanning and Dependabot in just one click.
Today we’re extending these capabilities with a new setup option for code scanning, “default setup,” a way for you to automatically enable code scanning on your repository.
Default setup simplifies getting started with code scanning on Python, JavaScript, and Ruby repositories. You can now enable code scanning in just a few clicks and without using a .yaml file, helping open source developers and enterprises streamline code scanning setup so they can secure more of their software. Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow.
We are working hard to make this experience available for all languages supported by the CodeQL analysis engine. We will continue rolling out support for new languages based on popularity and build complexity over the next six months.
You can start by navigating to “Code security and analysis” under the “Security” heading in the “Settings” tab of your repository.
Here you’ll now see the new code scanning setup toolbox. In the toolbox, click the “Set up” button and you’ll be presented with two options. The first is “Default,” which automatically sets up code scanning without a .yaml file and the second is “Advanced,” which allows you to customize your code scanning set up with a .yaml file. If the repository doesn’t support default setup, the option will be grayed out.
When you click on “Default,” you’ll automatically see a tailored configuration summary based on the contents of the repository. This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable.
After reviewing the configuration, you click “Enable CodeQL” and code scanning will automatically run on the repository. It’s that simple!
We hope you’ll try out this new feature the next time you set up code scanning on a repository. For more information on setting up code scanning, please refer to our documentation.
GitHub is committed to helping build safer and more secure software without compromising on the developer experience. To learn more or enable GitHub’s security features in repositories, check out the getting started guide.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
With push protection now enabled by default, GitHub helps open source developers safeguard their secrets, and their reputations.
Walker Chabbott 
