You now have the option to select either the "Extended" or "Default" query suite when setting up code scanning with default setup for eligible repositories within your organization.

The multi-repo enablement panel on the security coverage page with a focus on code scanning enablement and the new query suite selection menu

Code scanning's default query suite has been carefully designed to ensure that it looks for the security issues most relevant to developers, whilst also minimizing the occurrence of false positive results. However, if you and your developers are interested in seeing a wider range of alerts, you can enable the extended query suite. This suite includes everything from the default query suite, plus additional queries with slightly lower precision and severity.

Choose a query suite

The query suite selection can be made whenever you enable code scanning with default setup:

  • When using "Enable all" on the organization settings page.
  • When enabling a single or multiple repositories on the security coverage page.
  • When enabling on a repository's settings page.
  • When using the "Enable or disable a security feature for an organization" endpoint.

Previously, our system would automatically choose the default query suite when you enabled code scanning with default setup. Now, you can choose either the extended or default query suite.

Recommend a query suite

Additionally, you can specify either the extended or default query suite as the preferred choice for your organization. This preference determines which query suite is "recommended" when a user is enabling code scanning setup with default setup.

The recommended setting for code scanning query suites and the resulting recommended tag on the organization settings page

These improvements have shipped to and will be available in GitHub Enterprise Server 3.11.

Learn more about configuring default setup for code scanning and send us your feedback
Learn more about GitHub Advanced Security