Requesting a Code Scanning Exemption

If you believe your repository should be exempt from the VA’s Code Scanning requirements, follow the process below to request an exemption.

How to Configure an Exemption

  1. Navigate to your repository’s “Settings” tab
  2. Select “Custom Properties” from the left navigation
  3. Click “Edit” in the top right corner

Choose the appropriate exemption reason from the list below:

Valid Exemption Scenarios

No Supported CodeQL Languages

If your repository doesn’t contain any supported CodeQL languages:

  1. Set code_scanning_codeql_policy_exempt_reason to No supported CodeQL languages
  2. No additional properties are required

Default Branch Management

For repositories whose release process requires frequent default branch changes (~100 times):

  1. Set repo-level-required-code-scanning to true
  2. This applies equivalent scanning rules at the repository level instead of using organization-wide rules
  3. Repository administrators retain the ability to change default branches

For infrequent default branch updates:

Special Programs and Configurations

Select the appropriate exemption reason if your repository:

  • Is part of the Lighthouse Secure Release Pipelines program
  • Uses CodeQL Advanced Setup
  • Has other approved special configurations

If none of the predefined reasons match your scenario:

  1. Set code_scanning_codeql_policy_exempt_reason to Other reason not listed
  2. The GitHub Admin team will follow up to validate your exemption

Exemption Oversight

The VA maintains strict oversight of Code Scanning exemptions:

  1. Monthly Reports
    • All exemptions are reported to VA leadership
    • Reports include repositories using repo-level configurations
    • Audit logs are reviewed for potential policy bypasses
  2. Validation Process
    • The GitHub Admin team regularly reviews all exemptions
    • Invalid exemptions will be removed with notification to the team
    • Teams can appeal removed exemptions through GitHub User Requests
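As an added illustration of the validation checks described above (this is example code, not VA or GitHub Admin tooling), the script below audits constructed sample data for the three situations the policy calls out: an exemption claiming no supported CodeQL languages on a repository that does contain one, an "Other reason not listed" exemption still awaiting validation, and repo-level scanning rules that must appear in the monthly report. It assumes a repository's custom property values arrive as a list of {property_name, value} records; the repository names and language lists are constructed.

```python
# Languages CodeQL can analyse; keep in sync with GitHub's documentation.
CODEQL_LANGUAGES = {"c", "c++", "c#", "go", "java", "kotlin", "javascript",
                    "typescript", "python", "ruby", "swift"}
EXEMPT_REASON_PROP = "code_scanning_codeql_policy_exempt_reason"
REPO_LEVEL_PROP = "repo-level-required-code-scanning"
NO_LANG_REASON = "No supported CodeQL languages"
OTHER_REASON = "Other reason not listed"


def property_map(props: list[dict]) -> dict[str, str]:
    """Flatten [{property_name, value}, ...] (assumed shape of a repo's custom
    property values) into a name -> value dict, skipping unset properties."""
    return {p["property_name"]: p["value"] for p in props if p.get("value") is not None}


def audit_repo(name: str, props: list[dict], languages: list[str]) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to follow up."""
    findings = []
    values = property_map(props)
    reason = values.get(EXEMPT_REASON_PROP)
    supported = {lang.lower() for lang in languages} & CODEQL_LANGUAGES
    # An exemption claiming no supported languages is invalid if CodeQL could scan the repo.
    if reason == NO_LANG_REASON and supported:
        findings.append(("LANGUAGE_MISMATCH",
                         f"{name}: exempt as '{NO_LANG_REASON}' but contains {sorted(supported)}"))
    # 'Other reason not listed' is provisional until the GitHub Admin team validates it.
    if reason == OTHER_REASON:
        findings.append(("NEEDS_VALIDATION", f"{name}: '{OTHER_REASON}' awaits admin validation"))
    # Repo-level rules are permitted but must be listed in the monthly report.
    if str(values.get(REPO_LEVEL_PROP, "")).lower() == "true":
        findings.append(("REPO_LEVEL_RULES", f"{name}: uses repo-level scanning rules"))
    return findings


def audit_all(repos: dict) -> dict:
    """Audit every repository, keeping only those that have findings."""
    return {name: found for name, info in repos.items()
            if (found := audit_repo(name, info["properties"], info["languages"]))}


# Constructed sample data, not real VA repositories.
SAMPLE_REPOS = {
    "sample-ruby-service": {"properties": [{"property_name": EXEMPT_REASON_PROP, "value": NO_LANG_REASON}], "languages": ["Ruby", "Shell"]},
    "sample-static-docs": {"properties": [{"property_name": EXEMPT_REASON_PROP, "value": NO_LANG_REASON}], "languages": ["HTML", "CSS"]},
    "sample-release-tool": {"properties": [{"property_name": REPO_LEVEL_PROP, "value": "true"}], "languages": ["Go"]},
    "sample-legacy-app": {"properties": [{"property_name": EXEMPT_REASON_PROP, "value": OTHER_REASON}], "languages": ["Java"]},
}
```

Running audit_all(SAMPLE_REPOS) flags the Ruby service, the release tool and the legacy app, and leaves the static docs repository (no CodeQL-supported language) without findings.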

Need Help?

If you’re unsure whether your exemption reason is valid:

  1. Open a ticket in GitHub User Requests
  2. The GitHub Admin team will provide guidance specific to your situation