| title | shortTitle | intro | permissions | product | redirect_from | versions | type | topics | allowTitleToDifferFromFilename | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Configuring advanced setup for code scanning with CodeQL at scale |
CodeQL advanced setup at scale |
You can use a script to configure advanced setup for {% data variables.product.prodname_code_scanning %} for a specific group of repositories in your organization. |
{% data reusables.permissions.security-org-enable %} |
{% data reusables.gated-features.code-scanning %} |
|
|
how_to |
|
true |
About enabling advanced setup for {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %} at scale
If you need to configure a highly customizable {% data variables.product.prodname_code_scanning %} setup for many repositories in your organization, or if repositories in your organization are ineligible for default setup, you can enable {% data variables.product.prodname_code_scanning %} at scale with advanced setup.
To enable advanced setup across multiple repositories, you can write a bulk configuration script. To successfully execute the script, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec %}organization or enterprise{% elsif ghes %}site{% endif %}.
Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see AUTOTITLE.
For repositories that are not eligible for default setup, you can use a bulk configuration script to enable advanced setup across multiple repositories.
- Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
- Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see AUTOTITLE.
- Use one of the example scripts or create a custom script to add the workflow to each repository in the group.
- GitHub CLI extension:
advanced-security/gh-add-files - Python example:
Malwarebytes/ghas-clirepository - NodeJS example:
nickliffen/ghas-enablementrepository - PowerShell example:
jhutchings1/Create-ActionsPRsrepository
- GitHub CLI extension:
{% ifversion codeql-model-packs-org %}
{% data reusables.code-scanning.beta-model-packs %}
If your codebase depends on a library or framework that is not recognized by the standard queries in {% data variables.product.prodname_codeql %}, you can extend the {% data variables.product.prodname_codeql %} coverage in your bulk configuration script by specifying published {% data variables.product.prodname_codeql %} model packs. For more information, see AUTOTITLE.
Alternatively, if you do not need granular control over the {% data variables.product.prodname_code_scanning %} configuration for many repositories in your organization, you can quickly and easily configure model packs with {% data variables.product.prodname_code_scanning %} at scale with default setup. For more information, see AUTOTITLE.
{% endif %}