---
title: Configuring default setup for code scanning
shortTitle: Configure code scanning
intro: 'Quickly set up {% data variables.product.prodname_code_scanning %} to find {% ifversion fpt or ghec %}and fix {% endif %}vulnerable code automatically.'
redirect_from:
  - /github/managing-security-vulnerabilities/configuring-automated-code-scanning
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/setting-up-code-scanning-for-a-repository
  - /code-security/secure-coding/setting-up-code-scanning-for-a-repository
  - /code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
  - /code-security/secure-coding/configuring-code-scanning-for-a-repository
  - /github/finding-security-vulnerabilities-and-errors-in-your-code/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
  - /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-default-setup-for-code-scanning
  - /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning
  - /code-security/how-tos/scan-code-for-vulnerabilities/configure-code-scanning/configuring-default-setup-for-code-scanning
permissions: '{% data reusables.permissions.security-repo-enable %}'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
contentType: how-tos
category:
  - Find and fix code vulnerabilities
---

We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you and customize it to better meet your needs. For more information, see AUTOTITLE.

## Prerequisites

Your repository is eligible for default setup for {% data variables.product.prodname_code_scanning %} if:

{% data reusables.code-scanning.require-actions-ghcs %}

## Configuring default setup for a repository

> [!NOTE]
> If the analyses fail for all {% data variables.product.prodname_codeql %}-supported languages in a repository, default setup will still be enabled, but it will not run any scans or use any {% data variables.product.prodname_actions %} minutes until another {% data variables.product.prodname_codeql %}-supported language is added to the repository or default setup is manually reconfigured, and the analysis of a {% data variables.product.prodname_codeql %}-supported language succeeds.

1. {% data reusables.repositories.navigate-to-repo %}

   > [!NOTE]
   > If you are configuring default setup on a fork, you must first enable {% data variables.product.prodname_actions %}. To enable {% data variables.product.prodname_actions %}, under your repository name, click {% octicon "play" aria-hidden="true" aria-label="play" %} **Actions**, then click **I understand my workflows, go ahead and enable them**. Be aware that this will enable all existing workflows on your fork.

1. {% data reusables.repositories.sidebar-settings %}
1. {% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. {% data reusables.repositories.code-scanning-enable %}

{% ifversion ghas-products %}

Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "{% data variables.product.UI_advanced_security %}" settings. The "Default setup" button is highlighted with an orange outline.

{% else %}

Screenshot of the "{% data variables.product.UI_code_security_scanning %}" section of "{% data variables.product.UI_advanced_security %}" settings. The "Default setup" button is highlighted with an orange outline.

{% endif %}

   You will then see a "{% data variables.product.prodname_codeql %} default configuration" dialog summarizing the {% data variables.product.prodname_code_scanning %} configuration automatically created by default setup.

1. Optionally, to customize your {% data variables.product.prodname_code_scanning %} setup, click {% octicon "pencil" aria-hidden="true" aria-label="pencil" %} **Edit**.

   * To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section.
   * To specify the {% data variables.product.prodname_codeql %} query suite you would like to use, select your preferred query suite in the "Query suites" section.

1. Review the settings for default setup on your repository, then click **Enable {% data variables.product.prodname_codeql %}**. This will trigger a workflow that tests the new, automatically generated configuration.

   > [!NOTE]
   > If you are switching to default setup from advanced setup, you will see a warning informing you that default setup will override existing {% data variables.product.prodname_code_scanning %} configurations. This warning means default setup will disable the existing workflow file and block any {% data variables.product.prodname_codeql %} analysis API uploads.

{% ifversion org-private-registry %}

1. If projects in your repository depend on dependencies in private package registries, you can grant {% data variables.product.prodname_code_scanning %} access to them. This can improve the outcomes and quality of analyses. See AUTOTITLE.

{% endif %} {% ifversion codeql-custom-properties %}

1. Optionally, adjust other configuration options which affect default setup. See AUTOTITLE.

{% endif %}

1. Optionally, to view your default setup configuration after enablement, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" aria-label="gear" %} **View {% data variables.product.prodname_codeql %} configuration**.

> [!NOTE]
> If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.
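The steps above are the UI route. When you need to enable default setup across many repositories, the same configuration is exposed through the REST API (`GET` and `PATCH /repos/{owner}/{repo}/code-scanning/default-setup`). The script below is an added example, not code from this page or from {% data variables.product.company_short %}'s own tooling: it reads the current state, builds a `PATCH` body only when something actually changes, and distinguishes the `202` response (a test run was started, as the "Enable CodeQL" button does) from a plain `200`. It assumes a token in `GITHUB_TOKEN` with permission to write code scanning settings for the repository; the language identifier set is the one this page names (plus Java, which shares the `java-kotlin` identifier) and should be checked against the current API reference before use. The sample responses in the test are constructed.

```python
"""Enable CodeQL default setup for one repository through the REST API.

Added example (not from the GitHub docs page or GitHub's own tooling).
Assumptions: GITHUB_TOKEN holds a token that may change code scanning
settings; the SUPPORTED set mirrors the languages named on the page and
may lag behind newer identifiers in the API reference.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

# Language identifiers accepted by the default-setup endpoint (assumption:
# the set as documented at time of writing; newer identifiers may exist).
SUPPORTED = {
    "c-cpp", "csharp", "go", "java-kotlin",
    "javascript-typescript", "python", "ruby", "swift",
}
QUERY_SUITES = {"default", "extended"}


def build_payload(languages, query_suite="default"):
    """Validate inputs client-side and build the PATCH body.

    Rejecting unknown identifiers here gives a clear error instead of a
    422 from the API after the request has already been sent.
    """
    langs = sorted(set(languages))
    unknown = [lang for lang in langs if lang not in SUPPORTED]
    if unknown:
        raise ValueError(f"unsupported language identifier(s): {unknown}")
    if query_suite not in QUERY_SUITES:
        raise ValueError(f"query_suite must be one of {sorted(QUERY_SUITES)}")
    return {"state": "configured", "languages": langs, "query_suite": query_suite}


def plan_change(current, desired_languages, query_suite="default"):
    """Compare the GET response with the desired configuration.

    Returns None when the repository already matches (so no PATCH and no
    test run are triggered), otherwise the PATCH payload to send.
    """
    payload = build_payload(desired_languages, query_suite)
    if (current.get("state") == "configured"
            and sorted(current.get("languages", [])) == payload["languages"]
            and current.get("query_suite") == query_suite):
        return None
    return payload


def summarize(status, body):
    """Turn the PATCH response into one line covering both documented outcomes."""
    if status == 202 and "run_url" in body:
        return f"default setup enabled; test run started: {body['run_url']}"
    if status == 200:
        return "default setup updated; no new run was triggered"
    return f"unexpected response {status}: {json.dumps(body)}"


def api(method, path, token, body=None):
    """Minimal authenticated call; returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def main(owner, repo, languages, query_suite="default"):
    token = os.environ["GITHUB_TOKEN"]
    path = f"/repos/{owner}/{repo}/code-scanning/default-setup"
    status, current = api("GET", path, token)
    if status != 200:
        sys.exit(f"cannot read default setup ({status}): {current}")
    payload = plan_change(current, languages, query_suite)
    if payload is None:
        print("already configured as requested")
        return
    status, body = api("PATCH", path, token, payload)
    print(summarize(status, body))


if __name__ == "__main__":
    # usage: python enable_default_setup.py OWNER REPO lang1[,lang2...] [default|extended]
    owner, repo, langs = sys.argv[1], sys.argv[2], sys.argv[3].split(",")
    main(owner, repo, langs, sys.argv[4] if len(sys.argv) > 4 else "default")
```

Re-running the script against an already-configured repository is a no-op, which matters because every real `PATCH` that changes the configuration starts a test workflow and consumes {% data variables.product.prodname_actions %} minutes.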

{% ifversion fpt or ghec %}

## Running default setup on self-hosted or {% data variables.actions.hosted_runners %}

You can use default setup for all {% data variables.product.prodname_codeql %}-supported languages on self-hosted runners or {% data variables.product.prodname_dotcom %}-hosted runners.

{% else %}

## Assigning runners for default setup

{% endif %}

> [!NOTE]
> {% data variables.product.prodname_code_scanning_caps %} sees assigned runners when default setup is enabled. If a runner is assigned to a repository that is already running default setup, you must disable and re-enable default setup to start using the runner. If you add a runner and want to start using it, you can change the configuration manually without needing to disable and re-enable default setup.

### Assigning labels to self-hosted runners

To assign a self-hosted runner for default setup, you can use {% ifversion code-scanning-default-setup-customize-labels %}the default `code-scanning` label, or you can optionally give runners custom labels so that individual repositories can use different runners.{% else %}the `code-scanning` label.{% endif %} For information about assigning labels to self-hosted runners, see AUTOTITLE.

Once you've assigned custom labels to self-hosted runners, your repositories can use those runners for {% data variables.product.prodname_code_scanning %} default setup.

{% ifversion security-configurations %} You can also use {% data variables.product.prodname_security_configurations %} to assign labels to self-hosted runners for {% data variables.product.prodname_code_scanning %}. See AUTOTITLE. {% endif %}

{% ifversion fpt or ghec %}

### Assigning {% data variables.actions.hosted_runners %}

To assign a {% data variables.actions.hosted_runner %}, name the runner `code-scanning`. This will automatically add the `code-scanning` label to the {% data variables.actions.hosted_runner %}. An organization can only have one {% data variables.actions.hosted_runner %} with the `code-scanning` label, and that runner will handle all {% data variables.product.prodname_code_scanning %} jobs from repositories within your organization with access to the runner's group. See AUTOTITLE.

{% endif %}

### Ensuring build support

Default setup uses the `none` build mode for {% data variables.code-scanning.no_build_support %} and the `autobuild` build mode for other compiled languages. Because `autobuild` runs the project's build on the runner, you should configure your self-hosted runners so that they can run all the commands needed to build and analyze C/C++, C#, and Swift code. Analysis of JavaScript/TypeScript, Go, Ruby, Python, and Kotlin code does not currently require special runner configuration.

## Next steps

After your configuration runs successfully at least once, you can start examining and resolving {% data variables.product.prodname_code_scanning %} alerts. For more information on {% data variables.product.prodname_code_scanning %} alerts, see AUTOTITLE and AUTOTITLE.

After you've configured default setup for {% data variables.product.prodname_code_scanning %}, you can read about evaluating how it's working for you and the next steps you can take to customize it. For more information, see AUTOTITLE.

You can find detailed information about your {% data variables.product.prodname_code_scanning %} configuration, including timestamps for each scan and the percentage of files scanned, on the tool status page. For more information, see AUTOTITLE.

When you configure default setup, you may encounter an error. For information on troubleshooting specific errors, see AUTOTITLE.