Roll out and enforce CodeQL at scale

Configure CodeQL across repos

Option 1 (highly recommended): Default CodeQL Setup (no-code configuration) can be enabled in a few clicks at the Organization level for repositories with supported languages. In your Security Configuration, select the policy "Use as default for newly created repositories" so that the configuration auto-applies as you scale and create new repositories.

Option 2: Use Advanced CodeQL Setup (a GitHub Actions workflow file committed to the repo) for any language that requires custom build steps, or where Default CodeQL Setup fails (for example, the automatic build cannot build the project). Advanced CodeQL Setup can be configured in the UI on an individual repo.

To enable Advanced CodeQL Setup at scale, create a single source of truth (a reusable workflow) for the CodeQL configuration shared by large subsets of repos that require exactly the same custom build steps. Some manual work is still required on each individual repo, but this saves time and admin effort. See the appended section "Enabling Advanced CodeQL Setup across a subset of repos" below.


Enforce CodeQL across repos

This takes advantage of code scanning merge protection (the "Require code scanning results" ruleset rule, currently in public preview and subject to change) and works with both Default and Advanced CodeQL Setup. Note that the rule blocks a pull request until results from the required tool are available, so every repo in scope must already have CodeQL running: roll out first, enforce second.

  1. Create a new branch ruleset in your Organization

  2. Choose your target repos using one of the following strategies

    • All Repositories*
    • Selecting the repos you want to include by name
    • Use an include or exclude pattern to filter repos by name*
    • Use an include or exclude pattern to filter repos by repo property*

    *Using a dynamic option for selecting repos will help ensure your enforcement auto-applies as you scale and create new repositories

  3. Select the rule "Require code scanning results"; CodeQL appears as the default tool in the text box

  4. Configure the CodeQL thresholds: the security severity level at which results block a reference update (for example "High or higher"), and the severity level for non-security alerts (for example "Errors")

  5. In addition to CodeQL, you can also require third-party tools to provide code scanning results by clicking "Add tool"

Organization rulesets can also be created and updated programmatically via the REST API (POST /orgs/{org}/rulesets), which is the natural route when you manage enforcement as code.
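The same ruleset as steps 1 through 5 would produce in the UI, created through the REST API. This is an added example, not code from the page or from GitHub; it assumes the GitHub CLI (gh) is installed and authenticated as an organization admin, and ORG, the ruleset name and the thresholds are placeholders you substitute.

```shell
#!/bin/sh
# Added example: create an organization branch ruleset that requires CodeQL
# results on the default branch of every repository in the org.
# Assumes `gh` is installed and logged in as an org admin; ORG is a placeholder.
set -eu

# Emit the ruleset body.
#   $1 = ruleset name
#   $2 = security severity threshold: none | critical | high_or_higher | medium_or_higher | all
#   $3 = non-security alert threshold: none | errors | errors_and_warnings | all
# "~DEFAULT_BRANCH" and "~ALL" are the API's dynamic selectors, so new repos and
# renamed default branches are covered without editing the ruleset.
ruleset_json() {
  cat <<EOF
{
  "name": "$1",
  "target": "branch",
  "enforcement": "active",
  "conditions": {
    "ref_name": { "include": ["~DEFAULT_BRANCH"], "exclude": [] },
    "repository_name": { "include": ["~ALL"], "exclude": [] }
  },
  "rules": [
    {
      "type": "code_scanning",
      "parameters": {
        "code_scanning_tools": [
          {
            "tool": "CodeQL",
            "security_alerts_threshold": "$2",
            "alerts_threshold": "$3"
          }
        ]
      }
    }
  ]
}
EOF
}

# Reject threshold values the API does not accept before making the call,
# so a typo cannot silently create a ruleset that blocks nothing.
valid_security_threshold() {
  case "$1" in
    none|critical|high_or_higher|medium_or_higher|all) return 0 ;;
    *) return 1 ;;
  esac
}

valid_alerts_threshold() {
  case "$1" in
    none|errors|errors_and_warnings|all) return 0 ;;
    *) return 1 ;;
  esac
}

# create_ruleset ORG NAME SECURITY_THRESHOLD ALERTS_THRESHOLD
create_ruleset() {
  org="$1"; name="$2"; sec="$3"; alerts="$4"
  valid_security_threshold "$sec" || { echo "invalid security threshold: $sec" >&2; return 1; }
  valid_alerts_threshold "$alerts" || { echo "invalid alerts threshold: $alerts" >&2; return 1; }
  ruleset_json "$name" "$sec" "$alerts" |
    gh api --method POST "/orgs/$org/rulesets" --input -
}

# Usage (uncomment to run against your organization):
# create_ruleset ORG "Require CodeQL results" high_or_higher errors
```

To scope the ruleset by repository property instead of by name, replace the `repository_name` condition with a `repository_property` condition (an `include` list of objects carrying the property `name` and the accepted `property_values`); to add a third-party tool, append another object to `code_scanning_tools` with that tool's name exactly as it appears in its SARIF output.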



Appended Section / Special Use Case - Enabling Advanced CodeQL Setup across a subset of repos

  1. Create a new repository, or use an existing one, to serve as the centralized home for the CodeQL GitHub Actions reusable workflow
  2. Optional: restrict member access to this repository (anyone who can push to it can change the build steps every consuming repo runs)
  3. Adjust access settings so other repositories can call the workflow (for a private repo: Settings --> Actions --> General --> Access --> "Accessible from repositories in the ... organization")
  4. Bring in CodeQL from GitHub Marketplace
    • Repo Settings --> Code Scanning --> New Tool --> Search “CodeQL” --> Configure
  5. Edit the workflow:
    • Replace the following lines with the workflow_call event trigger (the cron schedule moves to the calling workflows, because a file triggered only by workflow_call never runs on its own)
# old
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '22 18 * * 1'
# new
on:
  workflow_call:
    • Under matrix, edit language to include your target language(s)
    • Under matrix, change build-mode to "manual"
    • Edit the "run" step to include your custom build steps
    • Commit the file to the repo

If you have a second subset of repositories, using different custom build steps, create a second reusable workflow file.
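The reusable workflow assembled from the edits in step 5, as an added example rather than the page's or GitHub's own file. The file name, the java-kotlin language and the mvn build command are assumptions; substitute the language and the build steps your subset of repos actually shares.

```yaml
# .github/workflows/codeql-reusable.yml in the central repository (assumed name).
# Added example: one reusable CodeQL workflow shared by every repo in a subset
# that needs the same manual build steps.
name: "CodeQL (reusable)"

on:
  workflow_call:   # only callable from other workflows; no push/schedule here

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF results to code scanning
      actions: read
      contents: read
      packages: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: java-kotlin   # assumed target language for this subset
            build-mode: manual      # we drive the build ourselves below
    steps:
      - name: Checkout the calling repository
        # In a reusable workflow this checks out the caller's repo, not the central one.
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Build (manual build mode)
        if: matrix.build-mode == 'manual'
        shell: bash
        run: |
          # Custom build steps shared by this subset of repositories.
          # Assumed Maven project; replace with your own commands.
          mvn -B -DskipTests package

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Two caveats worth keeping in mind: the calling workflow's GITHUB_TOKEN permissions cap what this job can do, so the caller must grant at least security-events: write; and consuming repos should reference this file at a tag or commit SHA rather than a moving branch, since whoever can change the build steps here can run arbitrary code in every caller.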

  6. Within each repository in your subset of repositories, create a new GitHub Actions workflow that calls the reusable one
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '22 18 * * 1'   # weekly scan; lives here because the reusable workflow only has workflow_call
permissions:   # the caller's token caps the reusable job's permissions, so grant what it needs
  security-events: write
  contents: read
  actions: read
  packages: read
jobs:
  codeql:
    uses: #add path to your reusable workflow
    # format: OWNER/REPO/.github/workflows/FILE.yml@REF (pin REF to a tag or commit SHA)

If you want a faster way to apply this calling workflow across a large number of repos, consider an OSS tool such as turbolift, which clones a list of repositories, applies a scripted change to each, and opens the resulting pull requests in bulk.