
Configuring code scanning at scale using CodeQL

You can configure code scanning for eligible repositories in your organization using default setup for CodeQL or use a script to configure advanced setup for a specific group of repositories.

Available for all public repositories on GitHub.com. Also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a GitHub Advanced Security license. For more information, see "About GitHub Advanced Security."

About configuring code scanning in multiple repositories

There are two ways to configure code scanning in multiple repositories at the same time. The best method to use depends on the analysis needs of the repositories:

  1. Default setup for CodeQL, when the repositories are eligible for default setup and owned by an organization.
  2. A bulk configuration script for CodeQL advanced setup, when the group of repositories has similar configuration needs.

In addition, GitHub Actions must be enabled for the organization.

Eligible repositories for CodeQL default setup

Note: The ability to enable and disable default setup for code scanning for eligible repositories in an organization is currently in beta and subject to change. During the beta release, if you disable CodeQL code scanning for all repositories, this change will not be reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have code scanning enabled in this view.

You can use the organization settings page for "Code security and analysis" to enable code scanning for any repositories in the organization that are eligible for CodeQL default setup.

Eligibility criteria for organization-level enablement

A repository must meet all of the following criteria to be eligible for default setup; otherwise, you need to use advanced setup.

  • Code scanning is not already enabled.
  • GitHub Actions are enabled.
  • Uses JavaScript/TypeScript, Python, or Ruby.
  • Does not use any other languages supported by CodeQL, but may include other languages, such as R. For more information on CodeQL-supported languages, see "About code scanning with CodeQL."
  • Publicly visible.

For more information about default setup, see "Configuring code scanning for a repository." For information on editing security and analysis settings for an organization, see "Managing security and analysis settings for your organization."

Using a script to configure advanced setup

For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.

  1. Identify a group of repositories that can be analyzed using the same code scanning configuration. For example, all repositories that build Java artifacts using the production environment.
  2. Create and test a GitHub Actions workflow to call the CodeQL action with the appropriate configuration. For more information, see "Configuring code scanning for a repository."
  3. Use one of the example scripts, or create a custom script, to add the workflow to each repository in the group.
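As an added example (not one of GitHub's own example scripts), the following Python script generates one advanced-setup workflow for a group of Java repositories and adds it to each repository through the REST "create or update file contents" endpoint. The organization name, token, target branch and the `environment: production` job setting are assumptions, not values from this page.

```python
import base64
import json
import urllib.request

WORKFLOW_PATH = ".github/workflows/codeql.yml"

def codeql_workflow(languages, branch="main", environment=None):
    """Workflow YAML shared by one group of repositories (autobuild, e.g. Java)."""
    env = f"    environment: {environment}\n" if environment else ""
    langs = json.dumps(list(languages))  # YAML flow sequence, e.g. ["java"]
    return (
        "name: CodeQL\n"
        "on:\n"
        f"  push:\n    branches: [{branch}]\n"
        f"  pull_request:\n    branches: [{branch}]\n"
        "jobs:\n"
        "  analyze:\n"
        "    runs-on: ubuntu-latest\n"
        + env +
        "    permissions:\n"
        "      security-events: write\n"  # needed to upload analysis results
        "      contents: read\n"
        f"    strategy:\n      matrix:\n        language: {langs}\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: github/codeql-action/init@v3\n"
        "        with:\n"
        "          languages: ${{ matrix.language }}\n"
        "      - uses: github/codeql-action/autobuild@v3\n"
        "      - uses: github/codeql-action/analyze@v3\n"
    )

def contents_payload(workflow_yaml, branch, sha=None):
    """Body for PUT /repos/{owner}/{repo}/contents/{path}; content must be base64."""
    body = {"message": "Add CodeQL advanced setup workflow", "branch": branch,
            "content": base64.b64encode(workflow_yaml.encode()).decode()}
    if sha:  # the endpoint requires the blob SHA to update an existing file
        body["sha"] = sha
    return body

def push_workflow(owner, repo, token, workflow_yaml, branch="main"):
    """Create the workflow file in one repository; returns the HTTP status code."""
    url = f"https://api.github.com/repos/{owner}/{repo}/contents/{WORKFLOW_PATH}"
    req = urllib.request.Request(url, method="PUT",
        data=json.dumps(contents_payload(workflow_yaml, branch)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Call `push_workflow` once per repository in the group with `codeql_workflow(["java"], environment="production")`; if a repository already has the file, fetch its current blob SHA from the same contents endpoint first and pass it as `sha`, since the PUT is rejected otherwise.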