Editing your configuration of default setup

You can edit your existing configuration of default setup for code scanning to better meet your needs.

Who can use this feature?

Organization owners, security managers, and organization members with the admin role

After running an initial analysis of your code with default setup, you can make changes to your configuration to better meet your needs. See About the types of configuration for code scanning and Repository properties for code scanning.

Customizing your existing configuration of default setup

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted with a dark orange outline.

  3. In the "Security" section of the sidebar, click Advanced Security.

  4. In the "CodeQL analysis" row of the "Code Security" section, select , then click View CodeQL configuration.

  5. In the "CodeQL default configuration" window, click Edit.

  6. Optionally, in the "Languages" section, select or deselect languages for analysis.

  7. Optionally, in the "Query suite" row of the "Scan settings" section, select a different query suite to run against your code.

  8. Optionally, to use labeled runners, in the "Runner type" section of the "CodeQL default configuration" modal dialog, select Standard GitHub runner to open a dropdown menu, then select Labeled runner. Then, next to "Runner label," enter the label of an existing self-hosted or GitHub-hosted runner. For more information, see Configuring default setup for code scanning.

  9. (Public preview) Optionally, in the "Threat model" row of the "Scan settings" section, select Remote and local sources. This option is only available for repositories with code in a supported language: Java/Kotlin and C#.

  10. To update your configuration, as well as run an initial analysis of your code with the new configuration, click Save changes. All future analyses will use your new configuration.

Defining the alert severities that cause a check failure for a pull request

You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:

  • A required tool has identified a code scanning alert with a severity level defined in the ruleset.
  • The analysis by a required tool is still in progress.
  • A required tool is not configured for the repository.

For more information, see Set code scanning merge protection. For more general information about rulesets, see About rulesets.

Including local sources of tainted data in default setup

Note

Threat models are currently in public preview and subject to change. During the public preview, threat models are supported only for Java/Kotlin and C#.

If your codebase only considers remote network requests to be potential sources of tainted data, then we recommend using the default threat model. If your codebase considers sources other than network requests to potentially contain tainted data, then you can use threat models to add these additional sources to your CodeQL analysis. During the public preview, you can add local sources (for example: command-line arguments, environment variables, file systems, and databases) that your codebase may consider to be additional sources of tainted data.

You can edit the threat model used in a default setup configuration. For more information, see Customizing your existing configuration of default setup.

Extending CodeQL coverage with CodeQL model packs in default setup

Note

CodeQL model packs are currently in public preview and subject to change. Model packs are supported for C/C++, C#, Java/Kotlin, Python, Ruby, and Rust analysis.

The CodeQL model editor in the CodeQL extension for Visual Studio Code supports modeling dependencies for C#, Java/Kotlin, Python, and Ruby.

If your enterprise is hosted on GitHub.com and you use frameworks and libraries that are not recognized by the standard libraries included with CodeQL, you can model your dependencies and extend code scanning analysis. For more information, see Supported languages and frameworks in the documentation for CodeQL.

For default setup, you need to define the models of your additional dependencies in CodeQL model packs. You can extend coverage in default setup with CodeQL model packs for individual repositories, or at scale for all repositories in an organization.

For more information about CodeQL model packs and writing your own, see Using the CodeQL model editor.

Extending coverage for a repository

  1. In the .github/codeql/extensions directory of the repository, copy the model pack directory, which should include a codeql-pack.yml file and any .yml files containing additional models for the libraries or frameworks you want to include in your analysis.
  2. The model packs will be automatically detected and used in your code scanning analysis.
  3. If you later change your configuration to use advanced setup, any model packs in the .github/codeql/extensions directory will still be recognized and used.
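As an added example (not from this page or from GitHub's documentation), here is what a model pack directory placed under .github/codeql/extensions could contain for a Java/Kotlin codebase. The pack name, the com.example.* classes and their methods are placeholders; the column layout follows the sourceModel, sinkModel and summaryModel extensible predicates of the codeql/java-all standard library pack. The row with kind "environment" also illustrates the threat model section above: it is a local source, so it only produces alerts when the configuration's threat model is set to Remote and local sources, whereas the "remote" row is always active.

```yaml
# File 1: .github/codeql/extensions/example-java-models/codeql-pack.yml
# Declares the model pack. The pack name is a placeholder (assumption).
# extensionTargets says which standard library pack these models extend;
# dataExtensions lists the files that hold the model rows.
name: example-org/example-java-models
version: 0.0.1
extensionTargets:
  codeql/java-all: '*'
dataExtensions:
  - models/**/*.yml

---
# File 2: .github/codeql/extensions/example-java-models/models/example-framework.yml
# Data extension rows for a hypothetical framework (com.example.* is made up).
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # Columns: package, type, subtypes, name, signature, ext, output, kind, provenance
      # "remote": a network-facing source, part of the default threat model.
      - ["com.example.web", "HttpRequest", true, "getParameter", "(String)", "", "ReturnValue", "remote", "manual"]
      # "environment": a local source kind, only considered when the threat
      # model includes local sources.
      - ["com.example.config", "Settings", true, "fromEnv", "(String)", "", "ReturnValue", "environment", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # Columns: package, type, subtypes, name, signature, ext, input, kind, provenance
      # Tainted data reaching the first argument of execute() is a SQL injection sink.
      - ["com.example.db", "QueryRunner", true, "execute", "(String)", "", "Argument[0]", "sql-injection", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
      # Columns: package, type, subtypes, name, signature, ext, input, output, kind, provenance
      # "taint": a tainted argument makes the return value tainted, so flow is
      # not lost when data passes through this helper.
      - ["com.example.util", "Text", true, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
```

The `subtypes` column (`true` here) makes each row apply to subclasses and interface implementations as well; set it to `false` when a model should match only the exact type. Once the directory is committed, default setup picks the pack up on the next analysis with no change to the configuration steps above.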

Extending coverage for all repositories in an organization

Note

If you extend coverage with CodeQL model packs for all repositories in an organization, the model packs that you specify must be published to the GitHub Container registry and be accessible to the repositories that run code scanning. For more information, see Working with the Container registry.

  1. In the upper-right corner of GitHub, click your profile photo, then click Your organizations.

  2. Next to the organization, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, click Advanced Security, then click Global settings.

  4. Find the "Code scanning" section.

  5. Next to "Expand CodeQL analysis," click Configure.

  6. Enter references to the published model packs you want to use, one per line, then click Save.

    Screenshot of the "Expand CodeQL analysis" view in the settings for an organization.

  7. The model packs will be automatically detected and used when code scanning runs on any repository in the organization with default setup enabled.

Further customization

If you need to change any other aspects of your code scanning configuration, consider configuring advanced setup. See Configuring advanced setup for code scanning.