Default setup: A new way to enable GitHub code scanning

Default setup is a new way to automatically set up code scanning on your repository, without the use of a .yaml file.


At GitHub, we want to make it easy to develop secure software. This means building security tools that provide a frictionless experience for developers and that begins with enablement. To that end, we already offer the enablement of secret scanning and Dependabot in just one click.

Today we’re extending these capabilities with a new setup option for code scanning, “default setup,” a way for you to automatically enable code scanning on your repository.

Default setup simplifies getting started with code scanning on Python, JavaScript, and Ruby repositories. You can now enable code scanning in just a few clicks and without using a .yaml file, helping open source developers and enterprises streamline code scanning setup so they can secure more of their software. Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow.

We are working hard to make this experience available for all languages supported by the CodeQL analysis engine. We will continue rolling out support for new languages based on popularity and build complexity over the next six months.

How to get started

You can start by navigating to “Code security and analysis” under the “Security” heading in the “Settings” tab of your repository.

Here you’ll now see the new code scanning setup toolbox. In the toolbox, click the “Set up” button and you’ll be presented with two options. The first is “Default,” which automatically sets up code scanning without a .yaml file; the second is “Advanced,” which allows you to customize your code scanning setup with a .yaml file. If the repository doesn’t support default setup, the option will be grayed out.

When you click on “Default,” you’ll automatically see a tailored configuration summary based on the contents of the repository. This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable.

After reviewing the configuration, click “Enable CodeQL” and code scanning will automatically run on the repository. It’s that simple!

We hope you’ll try out this new feature the next time you set up code scanning on a repository. For more information on setting up code scanning, please refer to our documentation.

Learn more about GitHub security solutions

GitHub is committed to helping build safer and more secure software without compromising on the developer experience. To learn more or enable GitHub’s security features in repositories, check out the getting started guide.
