Code Scanning Policy

What is the current Code Scanning policy?

The current Code Scanning policy is as follows:

  • All repositories with supported languages must be configured to use CodeQL on all pull requests
  • All repositories with supported languages must be configured to perform a CodeQL scan at least once every 7 days
  • All vulnerabilities identified of Critical severity must be remediated within 30 days of discovery
  • All vulnerabilities dismissed without remediation must be dismissed with a valid reason

How is the VA enforcing this policy?

The VA is enforcing this policy through a set of automated tools leveraging GitHub Pull Requests and GitHub Required Workflows. These tools are described below.

Required Pull Requests

The VA has configured a Required Pull Request for all repositories with supported languages. These rules are configured at the organization level and are not something your repository administrators can change.

Required Workflows

At pull request time, GitHub will run automation that validates whether you are meeting the policy requirements by querying the GitHub API for information about your repository. This information will be shared back on your pull request as a pull request comment.
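The following is an added illustration of the kind of check the automation above performs; it is not the VA's own tooling. It assumes the caller has already fetched and parsed the JSON from the GitHub code scanning API (the alerts and analyses endpoints for a repository) and evaluates it offline against the policy rules on this page: open Critical alerts older than 30 days, dismissed alerts without one of GitHub's dismissal reasons, and no CodeQL analysis within the last 7 days. The sample alert and analysis records, the fixed clock value, and the function names are constructed for the example.

```python
"""Offline checks against the Code Scanning policy rules (added example).

Assumption: `alerts` and `analyses` are the parsed JSON lists returned by
GET /repos/{owner}/{repo}/code-scanning/alerts and
GET /repos/{owner}/{repo}/code-scanning/analyses. The records below are
constructed sample data, not real findings.
"""
from datetime import datetime, timedelta, timezone

CRITICAL_SLA_DAYS = 30          # remediation window for Critical findings
SCAN_INTERVAL_DAYS = 7          # maximum gap between CodeQL analyses
# Dismissal reasons GitHub accepts on a code scanning alert
VALID_DISMISSAL_REASONS = {"false positive", "won't fix", "used in tests"}

# Fixed "now" so the example is reproducible (constructed)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _parse(ts):
    """GitHub timestamps are ISO-8601 with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_alerts(alerts, now=NOW):
    """Return (alert_number, violation) for each alert that breaks the policy."""
    findings = []
    for alert in alerts:
        number = alert["number"]
        severity = (alert.get("rule") or {}).get("security_severity_level")
        state = alert["state"]
        if state == "open" and severity == "critical":
            age = now - _parse(alert["created_at"])
            if age > timedelta(days=CRITICAL_SLA_DAYS):
                findings.append((number, f"critical alert open {age.days} days "
                                         f"(limit {CRITICAL_SLA_DAYS})"))
        elif state == "dismissed":
            reason = alert.get("dismissed_reason")
            if reason not in VALID_DISMISSAL_REASONS:
                findings.append((number, f"dismissed without a valid reason "
                                         f"(got {reason!r})"))
    return findings


def check_scan_freshness(analyses, now=NOW):
    """Return None if CodeQL ran within the window, else a violation message."""
    codeql_runs = [_parse(a["created_at"]) for a in analyses
                   if (a.get("tool") or {}).get("name") == "CodeQL"]
    if not codeql_runs:
        return "no CodeQL analysis found"
    age = now - max(codeql_runs)
    if age > timedelta(days=SCAN_INTERVAL_DAYS):
        return f"last CodeQL analysis is {age.days} days old (limit {SCAN_INTERVAL_DAYS})"
    return None


# Constructed sample records mirroring the API's field names
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "created_at": "2024-01-15T00:00:00Z",
     "rule": {"security_severity_level": "critical"}},           # 46 days: violation
    {"number": 2, "state": "open", "created_at": "2024-02-20T00:00:00Z",
     "rule": {"security_severity_level": "critical"}},           # 10 days: within SLA
    {"number": 3, "state": "dismissed", "created_at": "2024-02-01T00:00:00Z",
     "dismissed_reason": "false positive",
     "rule": {"security_severity_level": "high"}},               # valid dismissal
    {"number": 4, "state": "dismissed", "created_at": "2024-02-01T00:00:00Z",
     "dismissed_reason": None,
     "rule": {"security_severity_level": "medium"}},             # no reason: violation
    {"number": 5, "state": "open", "created_at": "2023-12-01T00:00:00Z",
     "rule": {"security_severity_level": "high"}},               # not Critical: no rule
]
SAMPLE_ANALYSES = [
    {"tool": {"name": "CodeQL"}, "created_at": "2024-02-10T00:00:00Z"},  # 20 days old
    {"tool": {"name": "ESLint"}, "created_at": "2024-02-28T00:00:00Z"},  # not CodeQL
]


def policy_report(alerts, analyses, now=NOW):
    """Collect every violation into one list of strings for a PR comment."""
    lines = [f"alert #{n}: {msg}" for n, msg in check_alerts(alerts, now)]
    fresh = check_scan_freshness(analyses, now)
    if fresh:
        lines.append(f"scan frequency: {fresh}")
    return lines


if __name__ == "__main__":
    for line in policy_report(SAMPLE_ALERTS, SAMPLE_ANALYSES):
        print(line)
```

The check is deliberately limited to the rules stated in the policy: an open High alert is reported nowhere, because only Critical findings carry the 30-day requirement, and a dismissal is only flagged when `dismissed_reason` is absent or not one of the values GitHub accepts.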

At this time the VA will not be enforcing any of the Required Workflows. However, we will be using this information to determine whether your repository is meeting the policy requirements. We will be using this time to evaluate the impact of enforcing these workflows and will be providing more information shortly.