
Code Scanning Policy

What is the current Code Scanning policy?

The current Code Scanning policy is as follows:

  • All repositories containing a CodeQL-supported language must be configured to run CodeQL on every pull request targeting the default branch
  • Any new vulnerability found by the pull request CodeQL scan with severity “High” or “Critical” must be remediated before the pull request can be merged
  • Any alert dismissed without remediation must be dismissed with a valid reason and a written justification

How is the VA enforcing this policy?

The VA enforces this policy through Repository Rulesets. A Repository Ruleset is a collection of rules applied to a repository to enforce specific policies; because it is defined at the organization level, repository administrators cannot turn it off. The VA has created a Repository Ruleset called Policy: Require CodeQL that enforces the Code Scanning policy. This ruleset is automatically applied to all repositories with supported languages.
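To make concrete what such a ruleset contains, the following is an added illustration written for this page, not the VA’s actual Policy: Require CodeQL ruleset, whose contents are not published here. It uses the GitHub rulesets REST API shape (a `code_scanning` rule with a `code_scanning_tools` entry) to express the three policy points above: CodeQL must report results on pull requests to the default branch, any newly introduced alert of High or Critical severity blocks the merge (`security_alerts_threshold: "high_or_higher"`), and CodeQL “error” level findings block as well (`alerts_threshold: "errors"`). The ruleset name, the empty `bypass_actors` list and the `~DEFAULT_BRANCH` condition are assumptions for the example.

```json
{
  "name": "Policy: Require CodeQL (illustrative example, not the VA's ruleset)",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [],
  "conditions": {
    "ref_name": {
      "include": ["~DEFAULT_BRANCH"],
      "exclude": []
    }
  },
  "rules": [
    {
      "type": "code_scanning",
      "parameters": {
        "code_scanning_tools": [
          {
            "tool": "CodeQL",
            "security_alerts_threshold": "high_or_higher",
            "alerts_threshold": "errors"
          }
        ]
      }
    }
  ]
}
```

With `enforcement` set to `active` and no bypass actors, a pull request into the default branch cannot be merged until CodeQL has posted results for it and no newly introduced alert meets the configured thresholds; dismissing an alert (with the justification this policy requires) is what clears it from the rule’s evaluation.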

Required Pull Request Reviews

The VA has configured Required Reviews for Pull Requests at the organization level. These rules cannot be modified by repository administrators.

Urgent Changes or Intentionally Introduced Vulnerabilities

In exceptional circumstances where:

  • You have an urgent change that cannot be delayed, or
  • You need to intentionally introduce a vulnerability (e.g., for testing purposes)

You may dismiss the alert in your pull request. Dismissal should be used only as a last resort and requires:

  1. A detailed justification when dismissing the alert
  2. Documentation of why the standard remediation process cannot be followed

For technical instructions, refer to the GitHub Documentation on dismissing alerts.

The GitHub Admin team monitors all dismissed alerts and provides monthly reports to VA leadership for oversight.

Code Scanning Exemptions

If you believe your repository should be exempt from the Code Scanning policy, you can request an exemption by following the steps outlined in the Requesting Exemption page.

Remediating CodeQL Findings

For detailed guidance on addressing CodeQL findings, please refer to:

  1. Triaging Code Scanning Alerts
  2. Best Practices for Remediation