Code Scanning Configuration Options
Code Scanning should be configured in a way that works for your repository, team, and Continuous Integration (CI) system. Choose the configuration option that best fits your needs:
- Default Code Scanning with CodeQL - Recommended for most repositories
- Advanced Code Scanning with CodeQL and GitHub Actions - For repositories requiring custom build configurations
- Advanced Code Scanning with CodeQL in Third-Party CI - For teams using external CI systems
Default Code Scanning with CodeQL
By default, Code Scanning is enabled for all repositories with supported languages.
The default Code Scanning configuration is compliant with VA requirements and works well for most repositories. We recommend using this default configuration unless you have specific needs that require customization.
Advanced Code Scanning with CodeQL and GitHub Actions
For repositories requiring more control over the scanning process, you can create a custom GitHub Actions workflow using actions from the github/codeql-actions repository. This option provides maximum flexibility and allows you to:
- Install language-specific dependencies (e.g., Java, Go)
- Configure custom build commands
- Customize scanning parameters
- Integrate with other GitHub Actions workflows
Your repository might benefit from advanced code scanning if it:
- Uses any CodeQL-supported language
- Requires compilation (C, C++, C#, Go, Java, Kotlin, or Swift)
- Needs custom build commands or environment setup
- Has complex dependencies or build requirements
NOTE: If your team uses a third-party CI system, consider the Third-Party CI option instead.
For implementation details, see:
To get started:
- Ensure you have write access to the repository
- Create a new workflow file in .github/workflows/
- Follow the official CodeQL documentation for setup instructions
NOTE: For builds requiring access to VA network resources, you must use self-hosted runners instead of GitHub-hosted runners.
Advanced Code Scanning with CodeQL in Third-Party CI
If your team uses a third-party CI system, you can integrate CodeQL scanning without disrupting your existing pipeline. Here’s how:
- Install the CodeQL CLI on your CI system
- Add these steps to your CI pipeline:
- Create a CodeQL database:
codeql database create
- Analyze the code:
codeql database analyze
- Upload results to GitHub:
codeql github upload-results
For detailed implementation instructions, follow the links above for each step.
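The three CLI steps above, wired together as one CI stage, as an added example script (not the VA's or GitHub's own code): it assumes the CodeQL CLI is on PATH and that the CI job exports GITHUB_TOKEN plus REPO_SLUG, GIT_REF and GIT_SHA (variable names chosen for this example, not from the page).

```shell
#!/bin/sh
# Added example, not the VA's or GitHub's own script: the three CodeQL CLI steps
# from the third-party CI section, run as one CI stage.
# Assumed inputs (names are this example's): the CodeQL CLI is on PATH and the CI job
# exports GITHUB_TOKEN (security_events: write), REPO_SLUG (owner/name),
# GIT_REF (refs/heads/... or refs/pull/N/merge) and GIT_SHA (full commit SHA).
set -eu

: "${CODEQL:=codeql}"   # CodeQL CLI binary
: "${DRY_RUN:=0}"       # DRY_RUN=1 prints each command instead of executing it

run() {                 # execute, or echo in dry-run mode
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

require_env() {         # fail fast when a required CI variable is missing or empty
  for v in "$@"; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing required variable: $v" >&2; return 1; }
  done
}

# 1. Create the database. Compiled languages need the real build command so CodeQL
#    can observe the compiler; interpreted languages (python, javascript) do not.
codeql_create_db() {    # <db-dir> <language> <source-root> [build-command]
  if [ "$#" -ge 4 ] && [ -n "$4" ]; then
    run "$CODEQL" database create "$1" --language="$2" --source-root="$3" --command="$4"
  else
    run "$CODEQL" database create "$1" --language="$2" --source-root="$3"
  fi
}

# 2. Analyze with the language's default query suite. SARIF is what GitHub ingests;
#    the category keeps results from different languages/configs separate on GitHub.
codeql_analyze() {      # <db-dir> <sarif-out> <category>
  run "$CODEQL" database analyze "$1" --format=sarif-latest --output="$2" --sarif-category="$3"
}

# 3. Upload. The CLI reads GITHUB_TOKEN from the environment; never pass it on the
#    command line, where it would land in CI logs and process listings.
codeql_upload() {       # <sarif-file>
  require_env GITHUB_TOKEN REPO_SLUG GIT_REF GIT_SHA || return 1
  run "$CODEQL" github upload-results --repository="$REPO_SLUG" --ref="$GIT_REF" \
      --commit="$GIT_SHA" --sarif="$1"
}

scan_and_upload() {     # <language> <source-root> [build-command]
  db="codeql-db-$1"; sarif="results-$1.sarif"
  codeql_create_db "$db" "$1" "$2" "${3:-}"
  codeql_analyze "$db" "$sarif" "third-party-ci/$1"
  codeql_upload "$sarif"
}
```

Call it from the pipeline as, for example, `scan_and_upload java . "mvn -B package"` for a compiled project or `scan_and_upload python .` for an interpreted one; set DRY_RUN=1 to check the generated commands before wiring it into a real job.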
Getting Help
Need assistance? The VA GitHub Support team is here to help:
- Open a Consultation: CodeQL Configuration issue
- Our team will review your request and provide guidance specific to your needs
For general questions about the VA’s Code Scanning policy, refer to our Code Scanning Policy documentation.