How do I request to exempt my repository from this requirement?
If your repository does not contain production code, or OIS Software Assurance has told you that your repository does not need to be included in this Code Scanning mandate, you may self-service an exemption from the mandate.
If you have a valid business justification for exempting your repository from the Code Scanning Requirements, you may do this by following the steps below:
- Navigate to your repo and select the “Settings” tab
- Select the “Custom Properties” section in the left-hand navigation
- Select “Edit” in the top right corner of the page
On this page there are two options, one to exempt yourself from the CodeQL policy and one to exempt yourself from the Required Pull Request policy.
Exempting yourself from the CodeQL policy
- To exempt yourself from the CodeQL policy, set the “code_scanning_codeql_policy_exempt” property to true.
- If you’ve set the property to true, you must also provide a brief justification in the “code_scanning_codeql_policy_exempt_reason” field.
Exempting yourself from the Required Pull Request policy
- To exempt yourself from the Required Pull Request policy, set the “required_pull_request_policy_exempt” property to true.
- If you’ve set the property to true, you must also provide a brief justification in the “required_pull_request_policy_exempt_reason” field.
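Both exemption flags are only valid when paired with a non-empty justification, and that pairing is what the audit looks for. The script below is an added example, not VA or OIS tooling: it checks a set of repositories for the four custom properties named above and flags an exempt flag with no reason, a reason left behind after the flag was cleared, and a reason too short to be a business justification. It assumes the JSON shape returned by GitHub's custom property values API (a list of objects with "repository_full_name" and a "properties" array of {"property_name", "value"}); the sample payload is constructed inline so it runs offline, and the 15-character minimum is an arbitrary heuristic, not a VA rule.

```python
"""Check Code Scanning exemption custom properties for consistency.

Added example, not VA/OIS tooling. Assumes the JSON shape of GitHub's
custom property values API: a list of objects carrying
"repository_full_name" and "properties": [{"property_name", "value"}].
"""
import json

# Each exemption flag must be accompanied by its justification field.
EXEMPTION_PAIRS = {
    "code_scanning_codeql_policy_exempt": "code_scanning_codeql_policy_exempt_reason",
    "required_pull_request_policy_exempt": "required_pull_request_policy_exempt_reason",
}

# Heuristic threshold (assumption, not policy): shorter reasons are suspect.
MIN_REASON_LENGTH = 15

# Constructed sample payload standing in for the API response.
SAMPLE_PAYLOAD = json.dumps([
    {"repository_full_name": "va/api-prod",
     "properties": [{"property_name": "code_scanning_codeql_policy_exempt", "value": "false"}]},
    {"repository_full_name": "va/docs-site",
     "properties": [
         {"property_name": "code_scanning_codeql_policy_exempt", "value": "true"},
         {"property_name": "code_scanning_codeql_policy_exempt_reason",
          "value": "Documentation only, no production code."},
         {"property_name": "required_pull_request_policy_exempt", "value": "true"},
         {"property_name": "required_pull_request_policy_exempt_reason", "value": ""}]},
    {"repository_full_name": "va/legacy-tool",
     "properties": [
         {"property_name": "code_scanning_codeql_policy_exempt_reason", "value": "Old justification"},
         {"property_name": "required_pull_request_policy_exempt", "value": "true"},
         {"property_name": "required_pull_request_policy_exempt_reason", "value": "n/a"}]},
])


def is_true(value):
    """Custom property values are usually strings; accept bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_repo(entry):
    """Return a list of findings for one repository entry (empty if consistent)."""
    props = {p["property_name"]: p.get("value") for p in entry.get("properties", [])}
    findings = []
    for flag, reason_field in EXEMPTION_PAIRS.items():
        reason = (props.get(reason_field) or "").strip()
        if is_true(props.get(flag)):
            if not reason:
                findings.append(f"{flag} is true but {reason_field} is empty")
            elif len(reason) < MIN_REASON_LENGTH:
                findings.append(
                    f"{reason_field} is too short to be a business justification: {reason!r}")
        elif reason:
            # Reason without an active flag: likely stale after an exemption was removed.
            findings.append(f"{reason_field} is set but {flag} is not true (stale reason?)")
    return findings


def audit(payload_json):
    """Map repository full name -> findings, for repositories with at least one finding."""
    results = {}
    for entry in json.loads(payload_json):
        findings = check_repo(entry)
        if findings:
            results[entry["repository_full_name"]] = findings
    return results


if __name__ == "__main__":
    for repo, findings in audit(SAMPLE_PAYLOAD).items():
        for finding in findings:
            print(f"{repo}: {finding}")
```

To run it against real data, replace SAMPLE_PAYLOAD with the output of the org-level custom property values endpoint (for example via `gh api`), keeping in mind that a clean run only shows the properties are internally consistent; whether the justification itself is valid is still decided by the OIS audit.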
Auditing Exemptions
All exemptions are reported to VA leadership on a monthly basis, so teams should consider their exemptions and justifications carefully. If you are unsure whether your exemption justification is valid, please open a ticket in GitHub User Requests.
All exemptions will be audited to ensure that they are valid. If your exemption is found to be invalid, it will be removed and you will be notified.