Requesting a Code Scanning Exemption
If you believe your repository should be exempt from the VA’s Code Scanning requirements, follow the process below to request an exemption.
How to Configure an Exemption
- Navigate to your repository’s “Settings” tab
- Select “Custom Properties” from the left navigation
- Click “Edit” in the top right corner
Choose the appropriate exemption reason from the list below:
Valid Exemption Scenarios
No Supported CodeQL Languages
If your repository doesn’t contain any supported CodeQL languages:
- Set code_scanning_codeql_policy_exempt_reason to “No supported CodeQL languages”
- No additional properties are required
Default Branch Management
For repositories requiring frequent default branch changes (~100 times) as part of release processes:
- Set repo-level-required-code-scanning to true
- This applies equivalent scanning rules at the repository level instead of using organization-wide rules
- Repository administrators retain the ability to change default branches
For infrequent default branch updates:
- Open a GitHub User Request
- The GitHub Admin team will make the change for you
Special Programs and Configurations
Select the appropriate exemption reason if your repository:
- Is part of the Lighthouse Secure Release Pipelines program
- Uses CodeQL Advanced Setup
- Has other approved special configurations
If none of the predefined reasons match your scenario:
- Set code_scanning_codeql_policy_exempt_reason to “Other reason not listed”
- The GitHub Admin team will follow up to validate your exemption
Exemption Oversight
The VA maintains strict oversight of Code Scanning exemptions:
- Monthly Reports
  - All exemptions are reported to VA leadership
  - Reports include repositories using repo-level configurations
  - Audit logs are reviewed for potential policy bypasses
- Validation Process
  - The GitHub Admin team regularly reviews all exemptions
  - Invalid exemptions will be removed with notification to the team
  - Teams can appeal removed exemptions through GitHub User Requests
Need Help?
If you’re unsure whether your exemption reason is valid:
- Open a ticket in GitHub User Requests
- The GitHub Admin team will provide guidance specific to your situation