Organizations using GitHub security configurations can now require CodeQL on repositories that use either default or advanced setup. Previously, a configuration that required CodeQL could not be applied to a repository using advanced setup, which also meant the configuration's other security settings could not be enforced on that repository.

When creating a security configuration at the organization or enterprise level, you’ll now see an additional option, Enabled with advanced setup allowed.

[Screenshot: security configuration page showing the "Enabled with advanced setup allowed" option]

With this update, you can:

  • Configure your security settings to permit CodeQL to run in either default or advanced mode.
  • Start with default setup and allow repository owners to switch to advanced setup when needed, even if enforcement is enabled.
  • Apply and enforce configurations on repositories using CodeQL advanced setup.

If a repository with such a configuration applied stops running CodeQL with advanced setup, a status alert is shown at the repository level, but the configuration is not automatically detached. Enforced configurations that require default setup only are unchanged: they continue to prevent repositories from disabling default setup or switching to advanced setup.

What’s not changing

  • You still can't apply a configuration that requires default setup to a repository running advanced setup.
  • The behavior when applying a configuration that requires default setup to a repository that doesn't meet its preconditions (for example, GitHub Actions is disabled) is unchanged.

For more details, see our documentation.