Exempting Code Scanning for Service Accounts and GitHub Apps
Organization Level Ruleset
If your repo uses the organization level ruleset and you have a Service Account or GitHub App that needs to push directly to your default branch (for example, for a tool such as ArgoCD), please open a support ticket in the GitHub User Requests repo. Mention that you are requesting an exemption and name the account or app you want to exempt, and we can individually flag your Service Account or GitHub App as exempt.
Repository Level Ruleset
If your repo uses the repository level ruleset, i.e., you’ve set the repo-level-required-code-scanning custom property
to true, you can exempt your Service Account or GitHub App by following the steps below:
For a GitHub App
- As a repo admin, navigate to your repository’s Settings tab
- Select Rules from the left navigation
- Select Rulesets from the dropdown
- Select the Policy: Require CodeQL ruleset
- Under Bypass list select + Add bypass
- Search for your GitHub App
- Select your GitHub App
- Click out of the search box
- Click Save changes at the bottom of the page
For a Service Account
To exempt a Service Account, we must add the Service Account to the Bots organization team. Please open a support
ticket in the GitHub User Requests
repo. Mention that you are requesting an exemption for your Service Account from the Code Scanning requirement and give the username
of the Service Account, and we can individually flag your Service Account as exempt.
 
       GitHub Handbook