Exempting Code Scanning for Service Accounts and GitHub Apps
Organization Level Ruleset
If your repo uses the organization level ruleset and you have a Service Account or a GitHub App that needs to push directly to your default branch (for example, for a tool such as ArgoCD), please open a support ticket in the GitHub User Requests repo. Mention that you are requesting an exemption and name the account or app you want to exempt, and we can individually flag your Service Account or GitHub App as exempt.
Repository Level Ruleset
If your repo uses the repository level ruleset, i.e., you’ve set the repo-level-required-code-scanning custom property to true, you can exempt your Service Account or GitHub App by following the steps below:
For a GitHub App
- As a repo admin, navigate to your repository’s Settings tab
- Select Rules from the left navigation
- Select Rulesets from the dropdown
- Select the Policy: Require CodeQL ruleset
- Under Bypass list select + Add bypass
- Search for your GitHub App
- Select your GitHub App
- Click out of the search box
- Click Save changes at the bottom of the page
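Once the change is saved, the bypass list can be checked against what was approved. The following is an added example, not part of the original page: it takes a ruleset in the JSON shape GitHub's REST API returns from GET /repos/{owner}/{repo}/rulesets/{ruleset_id} and reports bypass actors that were not approved. The sample ruleset, its IDs, and the function name audit_bypass_actors are constructed for illustration.

```python
import json

# Constructed sample in the shape of GET /repos/{owner}/{repo}/rulesets/{ruleset_id}.
# All IDs are made up. For actor_type "Integration", actor_id is the GitHub App's ID.
SAMPLE_RULESET = json.loads("""
{
  "name": "Policy: Require CodeQL",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 100001, "actor_type": "Integration", "bypass_mode": "always"},
    {"actor_id": 200002, "actor_type": "Team", "bypass_mode": "always"}
  ]
}
""")


def _key(actor):
    # actor_id can be null for some actor types; normalise so keys stay comparable.
    return (actor["actor_type"], actor.get("actor_id") or 0)


def audit_bypass_actors(ruleset, approved):
    """Compare a ruleset's bypass list with the approved (actor_type, actor_id) set."""
    if "bypass_actors" not in ruleset:
        # Without the field there is nothing to compare; do not report "clean".
        raise ValueError("response has no bypass_actors field; cannot audit")
    actors = ruleset["bypass_actors"] or []
    seen = {_key(a) for a in actors}
    return {
        "ruleset": ruleset.get("name"),
        "enforced": ruleset.get("enforcement") == "active",
        # Entries on the bypass list that nobody approved.
        "unexpected": sorted((a for a in actors if _key(a) not in approved), key=_key),
        # Approved entries that are not (or no longer) on the bypass list.
        "missing": sorted(approved - seen),
    }


if __name__ == "__main__":
    # Assumption: only the GitHub App with (constructed) ID 100001 was approved.
    report = audit_bypass_actors(SAMPLE_RULESET, {("Integration", 100001)})
    print(json.dumps(report, indent=2))
```
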
For a Service Account
To exempt a Service Account, we must add the Service Account to the Bots organization team. Please open a support ticket in the GitHub User Requests repo. Mention that you are requesting an exemption from the Code Scanning requirement for your Service Account and give the username of the Service Account, and we can individually flag your Service Account as exempt.