Configuring default setup for code scanning

Quickly set up code scanning to find and fix vulnerable code automatically.

谁可以使用此功能?

具有管理员角色的存储库所有者、组织所有者、安全管理员和用户

Code scanning 可用于以下存储库类型:

  • GitHub.com 上的公共存储库
  • GitHub Team、GitHub Enterprise Cloud 或 GitHub Enterprise Server 上的组织拥有的存储库,已启用 GitHub Code Security

在本文中

We recommend that you start using code scanning with default setup. After you've initially configured default setup, you can evaluate code scanning to see how it's working for you and customize it to better meet your needs. For more information, see 关于代码扫描的设置类型.

Prerequisites

Your repository is eligible for default setup for code scanning if:

  • 已启用 GitHub Actions。
  • 它公开可见,或已启用 GitHub Code Security。

Configuring default setup for a repository

注意

If the analyses fail for all CodeQL-supported languages in a repository, default setup will still be enabled, but it will not run any scans or use any GitHub Actions minutes until another CodeQL-supported language is added to the repository or default setup is manually reconfigured, and the analysis of a CodeQL-supported language succeeds.

  1. 在 GitHub 上,导航到存储库的主页面。

    注意

    If you are configuring default setup on a fork, you must first enable GitHub Actions. To enable GitHub Actions, under your repository name, click Actions, then click I understand my workflows, go ahead and enable them. Be aware that this will enable all existing workflows on your fork.

  2. 在仓库名称下,单击 “Settings”****。 如果看不到“设置”选项卡,请选择“”下拉菜单,然后单击“设置”。

    存储库标头的屏幕截图,其中显示了选项卡。 “设置”选项卡以深橙色边框突出显示。

  3. 在边栏的“Security”部分中,单击“ Advanced Security”****。

  4. 在“Code Security”下,“CodeQL analysis”右侧,选择“Set up”,然后单击“Default”。********

    Screenshot of the "Code scanning" section of "Advanced Security" settings. The "Default setup" button is highlighted with an orange outline.

    You will then see a "CodeQL default configuration" dialog summarizing the code scanning configuration automatically created by default setup.

  5. Optionally, to customize your code scanning setup, click Edit.

    • To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section.
    • To specify the CodeQL query suite you would like to use, select your preferred query suite in the "Query suites" section.

  6. Review the settings for default setup on your repository, then click Enable CodeQL. This will trigger a workflow that tests the new, automatically generated configuration.

    注意

    If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing code scanning configurations. This warning means default setup will disable the existing workflow file and block any CodeQL analysis API uploads.

  7. If projects in your repository depend on dependencies in private package registries, you can grant code scanning access to them. This can improve the outcomes and quality of analyses. See 授予安全功能访问专用注册表的权限.

  8. Optionally, adjust other configuration options which affect default setup. See code scanning 的存储库属性.

  9. Optionally, to view your default setup configuration after enablement, select , then click View CodeQL configuration.

注意

If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your GitHub Actions minutes.

Running default setup on self-hosted or 大型运行器

You can use default setup for all CodeQL-supported languages on self-hosted runners or GitHub-hosted runners.

注意

Code scanning sees assigned runners when default setup is enabled. If a runner is assigned to a repository that is already running default setup, you must disable and re-enable default setup to start using the runner. If you add a runner and want to start using it, you can change the configuration manually without needing to disable and re-enable default setup.

Assigning labels to self-hosted runners

To assign a self-hosted runner for default setup, you can use the default code-scanning label, or you can optionally give them custom labels so that individual repositories can use different runners. For information about assigning labels to self-hosted runners, see 将标签与自托管运行程序结合使用.

Once you've assigned custom labels to self-hosted runners, your repositories can use those runners for code scanning default setup.

You can also use security configurations to assign labels to self-hosted runners for code scanning. See 删除自定义安全配置.

Assigning 大型运行器

To assign a 大型运行器, name the runner code-scanning. This will automatically add the code-scanning label to the 大型运行器. An organization can only have one 大型运行器 with the code-scanning label, and that runner will handle all code scanning jobs from repositories within your organization with access to the runner's group. See Configuring larger runners for default setup.

Ensuring build support

Default setup uses the none build mode for C/C++、C#, Java 和 Rust and uses the autobuild build mode for other compiled languages. You should configure your self-hosted runners to make sure they can run all the necessary commands for C/C++, C#, and Swift analysis. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special configuration.

Next steps

After your configuration runs successfully at least once, you can start examining and resolving code scanning alerts. For more information on code scanning alerts, see 关于代码扫描警报 and 访问存储库的代码扫描警报.

After you've configured default setup for code scanning, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see 评估代码扫描的默认设置.

You can find detailed information about your code scanning configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see Use the tool status page for code scanning.

When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see 代码扫描分析错误疑难解答.