Configuring advanced setup for code scanning with CodeQL at scale

Establish a highly customizable code scanning setup at scale with a script.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

Code scanning is available for the following repository types:

  • Public repositories on GitHub.com
  • Organization-owned repositories on GitHub Team, GitHub Enterprise Cloud, or GitHub Enterprise Server, with GitHub Code Security enabled.

In this article

Using a script to enable advanced setup

For repositories that are not eligible for default setup, you can use a bulk configuration script to enable advanced setup across multiple repositories.

Note

To successfully execute the script, GitHub Actions must be enabled for the organization or enterprise.

  1. Identify a group of repositories that can be analyzed using the same code scanning configuration. For example, all repositories that build Java artifacts using the production environment.
  2. Create and test a GitHub Actions workflow to call the CodeQL action with the appropriate configuration. For more information, see Configuring advanced setup for code scanning.
  3. Use one of the example scripts or create a custom script to add the workflow to each repository in the group.

Next steps

Note

CodeQL model packs are currently in public preview and subject to change. Model packs are supported for C/C++, C#, Java/Kotlin, Python, Ruby, and Rust analysis.

The CodeQL model editor in the CodeQL extension for Visual Studio Code supports modeling dependencies for C#, Java/Kotlin, Python, and Ruby.

If your codebase depends on a library or framework that is not recognized by the standard queries in CodeQL, you can extend the CodeQL coverage in your bulk configuration script by specifying published CodeQL model packs. For more information, see Customizing your advanced setup for code scanning.