Configuring CodeQL

Code Scanning Configuration Options

Code Scanning should be configured in a way that works for your repository, team, and Continuous Integration (CI) system. Choose the configuration option that best fits your needs:

Default Code Scanning with CodeQL

By default, Code Scanning is enabled for all repositories with supported languages.

The default Code Scanning configuration is compliant with VA requirements and works well for most repositories. We recommend using this default configuration unless you have specific needs that require customization.

Advanced Code Scanning with CodeQL and GitHub Actions

For repositories requiring more control over the scanning process, you can create a custom GitHub Actions workflow using actions from the github/codeql-action repository. This option provides maximum flexibility and allows you to:

  • Install language-specific dependencies (e.g., Java, Go)
  • Configure custom build commands
  • Customize scanning parameters
  • Integrate with other GitHub Actions workflows

Your repository might benefit from advanced code scanning if it:

  • Uses any CodeQL-supported language
  • Requires compilation (C, C++, C#, Go, Java, Kotlin, or Swift)
  • Needs custom build commands or environment setup
  • Has complex dependencies or build requirements

NOTE: If your team uses a third-party CI system, consider the Third-Party CI option instead.

For implementation details, see:

To get started:

  1. Ensure you have write access to the repository
  2. Create a new workflow file in .github/workflows/
  3. Follow the official CodeQL documentation for setup instructions

NOTE: For builds requiring access to VA network resources, you must use self-hosted runners instead of GitHub-hosted runners.

Advanced Code Scanning with CodeQL in Third-Party CI

If your team uses a third-party CI system, you can integrate CodeQL scanning without disrupting your existing pipeline. Here’s how:

  1. Install the CodeQL CLI on your CI system

  2. Add these steps to your CI pipeline:

    • Create a CodeQL database: codeql database create
    • Analyze the code: codeql database analyze
    • Upload results to GitHub: codeql github upload-results

For detailed implementation instructions, follow the links above for each step.
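
The three steps above, wrapped as POSIX shell functions a third-party CI job can call. This is an added example, not the VA page's or the CodeQL project's own code. It assumes the CodeQL CLI is on PATH (or that CODEQL_BIN points at it) and that GITHUB_TOKEN holds a token with the security_events write permission, which the upload step reads from the environment; the repository name and build command in the example call are hypothetical.

```shell
#!/bin/sh
# Added example: CodeQL database create / analyze / upload-results as CI steps.
set -eu

CODEQL_BIN="${CODEQL_BIN:-codeql}"

# Step 1 check: fail before a long build if the CLI is missing.
require_codeql() {
  command -v "$CODEQL_BIN" >/dev/null 2>&1 ||
    { echo "codeql CLI not found; install it or set CODEQL_BIN" >&2; return 1; }
}

# Step 2a: create the database. --command is only needed for compiled
# languages; pass an empty string for Python, JavaScript and the like.
codeql_create_db() {   # <db-dir> <language> <source-root> [build-command]
  db=$1; lang=$2; src=$3; build=${4:-}
  set -- "$db" "--language=$lang" "--source-root=$src" --overwrite
  [ -n "$build" ] && set -- "$@" "--command=$build"
  "$CODEQL_BIN" database create "$@"
}

# Step 2b: analyze into SARIF, the format code scanning ingests. An optional
# query suite (a pack's .qls) replaces the default queries.
codeql_analyze() {     # <db-dir> <sarif-output> [query-suite]
  db=$1; out=$2; suite=${3:-}
  set -- "$db" --format=sarif-latest "--output=$out"
  [ -n "$suite" ] && set -- "$@" "$suite"
  "$CODEQL_BIN" database analyze "$@"
}

# Step 2c: upload. ref must be refs/heads/<branch> or refs/pull/<n>/merge and
# commit the exact SHA that was analyzed, or alerts attach to the wrong code.
codeql_upload() {      # <sarif> <owner/repo> <ref> <commit-sha>
  [ -n "${GITHUB_TOKEN:-}" ] ||
    { echo "GITHUB_TOKEN is not set; refusing to upload" >&2; return 1; }
  "$CODEQL_BIN" github upload-results \
    "--sarif=$1" "--repository=$2" "--ref=$3" "--commit=$4"
}

# Whole pipeline: <language> <source-root> <owner/repo> <ref> <sha> [build-cmd]
run_codeql_pipeline() {
  require_codeql
  codeql_create_db codeql-db "$1" "$2" "${6:-}"
  codeql_analyze codeql-db results.sarif
  codeql_upload results.sarif "$3" "$4" "$5"
}
# Example call (hypothetical repository; Java needs a build command):
# run_codeql_pipeline java . dept-va/example-app refs/heads/main "$GIT_COMMIT" "mvn -B package"
```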

Getting Help

Need assistance? The VA GitHub Support team is here to help:

  1. Open a Consultation: CodeQL Configuration issue
  2. Our team will review your request and provide guidance specific to your needs

For general questions about the VA’s Code Scanning policy, refer to our Code Scanning Policy documentation.