Code scanning can now be easily setup with a few button clicks, and without committing a workflow file to the repository.
Code scanning's new default setup feature automatically finds and sets up the best CodeQL configuration for your repository. This will detect the languages in the repository and enable CodeQL analysis for every pull request and every push to the default branch and any protected branches. Default setup currently supports analysis of JavaScript (including TypeScript), Python, and Ruby code. More languages will be supported soon, and all other languages supported by CodeQL continue to work using a GitHub Actions workflow file.
The new default setup feature is available for CodeQL on repositories that use GitHub Actions. You can use default setup on your repository's "Settings" tab under "Code security and analysis" (accessible by repository admins and security managers).
The options to set up code scanning using an Actions workflow file or through API upload from 3rd party CI/CD systems remain supported and are unchanged. This more advanced setup method can be useful if you need to alter the default configuration, for example to include custom query packs. Default setup configurations can also be converted to advanced setups if your analysis requirements change.
Default setup is currently available at the repository level. We are actively working on future features at the organization level so you can easily set up code scanning at scale across large numbers of repositories.
This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. To learn more, read the documentation on setting up code scanning for a repository.