Required Status Checks

What are required status checks?

Required status checks are automated checks that must pass before a pull request can be merged. Required status checks are used to enforce security policies.

Note: If your repository is using GitHub Actions for performing CodeQL scans, you do not need to do any additional configuration as an organization ruleset will be applied to your repository automatically requiring CodeQL scans of your pull requests.

At this time these status checks are only informational and will not prevent code from being merged into a protected branch.

What if I am using Jenkins for CodeQL scans?

If your repository is using Jenkins for performing CodeQL scans, you will need to configure required status checks for your repository to verify that CodeQL scans are being performed on your pull requests.

How do I configure required status checks?

Once you have configured CodeQL to run on Jenkins and your first pull request has triggered your CodeQL scan on Jenkins, you may configure required status checks for your repository.

To configure required status checks, an admin of the repository may navigate to the “Settings > Rules > Rulesets” tab in your repository. To create the ruleset, click the “New ruleset” button and select “New branch ruleset” from the dropdown.

Configure the following options on the “New branch ruleset” page:

  • Ruleset name: Required CodeQL Scans
  • Enforcement status: Evaluate
  • Bypass list: Repository admins
  • Target branches: Select your repository's deployable production branch
  • Branch protections:
    • Require status checks to pass before merging
    • Select the name of the job that runs your CodeQL scans

Once you have configured the ruleset, click the “Create” button to save your changes.
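The steps above are a click-path in the GitHub UI. As an added example (not part of this page and not VA tooling), the Python below builds the same ruleset as a JSON body in the shape of the GitHub REST "Create a repository ruleset" endpoint and audits a ruleset document for the things this page cares about: that it targets the production branch, that it names the CodeQL job as a required status check, and whether enforcement is still "evaluate" (informational) or "active" (blocks merges). The field names follow the rulesets API as the author understands it, the `actor_id` value for the repository Admin role is an assumption to confirm against the API reference, and the check name `CodeQL (Jenkins)` is a constructed placeholder for whatever your Jenkins job reports.

```python
import fnmatch
import json

# Assumed: RepositoryRole actor_id for the "Admin" role in the rulesets API.
REPOSITORY_ROLE_ADMIN = 5


def build_codeql_ruleset(check_name, branch="main", enforcement="evaluate"):
    """Return a ruleset body matching the page's settings: named
    "Required CodeQL Scans", Evaluate enforcement, repository admins on
    the bypass list, one target branch, one required status check.
    (Assumed schema of POST /repos/{owner}/{repo}/rulesets.)"""
    if enforcement not in ("disabled", "evaluate", "active"):
        raise ValueError("enforcement must be disabled, evaluate or active")
    return {
        "name": "Required CodeQL Scans",
        "target": "branch",
        "enforcement": enforcement,
        "bypass_actors": [
            {"actor_id": REPOSITORY_ROLE_ADMIN,
             "actor_type": "RepositoryRole",
             "bypass_mode": "always"}
        ],
        "conditions": {
            "ref_name": {"include": [f"refs/heads/{branch}"], "exclude": []}
        },
        "rules": [
            {"type": "required_status_checks",
             "parameters": {
                 # False: the PR branch need not be up to date with the target
                 "strict_required_status_checks_policy": False,
                 "required_status_checks": [{"context": check_name}],
             }}
        ],
    }


def audit_ruleset(ruleset, check_name, branch, default_branch="main"):
    """Summarise whether `ruleset` actually protects `branch` with the
    named CodeQL check. Returns a dict of boolean findings. Pattern
    matching is approximate: fnmatch's '*' crosses '/' whereas GitHub's
    does not, so treat wildcard results as advisory."""
    ref = f"refs/heads/{branch}"
    cond = ruleset.get("conditions", {}).get("ref_name", {})

    def matches(pattern):
        if pattern == "~DEFAULT_BRANCH":
            return branch == default_branch
        if pattern == "~ALL":
            return True
        return fnmatch.fnmatchcase(ref, pattern)

    targets = (any(matches(p) for p in cond.get("include", []))
               and not any(matches(p) for p in cond.get("exclude", [])))
    # Collect every status-check context the ruleset requires.
    contexts = [
        c.get("context")
        for rule in ruleset.get("rules", [])
        if rule.get("type") == "required_status_checks"
        for c in rule.get("parameters", {}).get("required_status_checks", [])
    ]
    return {
        "targets_branch": targets,
        "requires_check": check_name in contexts,
        # Only "active" blocks merges; "evaluate" just reports in the UI.
        "enforced": ruleset.get("enforcement") == "active",
        "admins_can_bypass": any(
            a.get("actor_type") == "RepositoryRole"
            and a.get("actor_id") == REPOSITORY_ROLE_ADMIN
            for a in ruleset.get("bypass_actors", [])),
    }


if __name__ == "__main__":
    # Constructed sample: the ruleset this page asks you to create.
    body = build_codeql_ruleset("CodeQL (Jenkins)", branch="main")
    print(json.dumps(body, indent=2))
    print(audit_ruleset(body, "CodeQL (Jenkins)", "main"))
    # A ruleset scoped to "main" does nothing for other branches.
    print(audit_ruleset(body, "CodeQL (Jenkins)", "develop"))
```

The audit function is the useful half: point it at the JSON returned by `GET /repos/{owner}/{repo}/rulesets/{id}` (or the organization-level ruleset GitHub applies for Actions-based scans) and an `"enforced": False` result is the reminder that, as the page says, a failing CodeQL scan is currently reported but does not yet block the merge.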

While your ruleset is in evaluation mode, if your CodeQL scan fails, this failure will be reported in the UI, but you will still be able to merge your pull request. At a later date, the VA will automatically enable enforcement of this policy, which will prevent pull requests from being merged if the CodeQL scan fails.

For more information on configuring rulesets to require status checks to pass before merging, see the “Create a ruleset” GitHub documentation.