Code scanning's default query suite has been carefully designed to ensure that it looks for the security issues most relevant to developers, whilst also minimizing the occurrence of false positive results. However, if you and your developers are interested in seeing a wider range of alerts, you can enable the extended query suite. This suite includes everything from the default query suite, plus additional queries with slightly lower precision and severity.
The query suite selection can be made whenever you enable code scanning with default setup:
- When using "Enable all" on the organization settings page.
- When enabling one or more repositories on the security coverage page.
- When enabling on a repository's settings page.
- When using the "Enable or disable a security feature for an organization" endpoint.
Previously, our system would automatically choose the default query suite when you enabled code scanning with default setup. Now, you can choose either the extended or default query suite.
Additionally, you can specify either the extended or default query suite as the preferred choice for your organization. This preference determines which query suite is "recommended" when a user enables code scanning with default setup.
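As an added example (not GitHub's own tooling), the snippet below wraps the "Enable or disable a security feature for an organization" endpoint so the query suite is chosen explicitly when default setup is enabled org-wide. It assumes the endpoint is `POST /orgs/{org}/code_scanning_default_setup/enable_all`, that it accepts a JSON body with a `query_suite` field set to `default` or `extended`, and that a token with organization admin rights is in `GITHUB_TOKEN`; the suite name is validated up front so a typo cannot silently fall back to the default suite.

```shell
#!/usr/bin/env sh
# Added example, not part of GitHub's documentation or tooling.
# Assumption: POST /orgs/{org}/code_scanning_default_setup/enable_all
# accepts {"query_suite": "default" | "extended"} in the request body.

API_BASE="${GITHUB_API_URL:-https://api.github.com}"

# Accept only the two suite names the feature offers.
validate_suite() {
  case "$1" in
    default|extended) return 0 ;;
    *) return 1 ;;
  esac
}

# Request path for the org-level enablement endpoint
# ($2 is "enable_all" or "disable_all").
request_path() {
  printf '/orgs/%s/code_scanning_default_setup/%s' "$1" "$2"
}

# JSON body carrying the chosen query suite.
request_body() {
  printf '{"query_suite":"%s"}' "$1"
}

# Enable default setup for every eligible repository in the org with the
# given suite. Fails (non-zero) on an unknown suite or a non-2xx response,
# so a scripted rollout never half-succeeds quietly.
enable_default_setup() {
  org="$1"
  suite="${2:-default}"
  if ! validate_suite "$suite"; then
    echo "unknown query suite: $suite (expected default or extended)" >&2
    return 2
  fi
  curl --fail --silent --show-error \
    -X POST "${API_BASE}$(request_path "$org" enable_all)" \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    -d "$(request_body "$suite")"
}
```

Usage: `enable_default_setup my-org extended` from a shell that has sourced the file and exported `GITHUB_TOKEN`.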
These improvements have shipped to GitHub.com and will be available in GitHub Enterprise Server 3.11.