GitHub is introducing a new way for developers to automatically set up code scanning on their repositories, without the use of a .yaml file. This builds on the existing secret scanning and Dependabot features, improving the user experience and making enablement easier.
The new capability, called default setup, gives developers a way to automatically enable code scanning on their repositories. According to GitHub’s blog post:
Default setup simplifies getting started with code scanning on Python, JavaScript, and Ruby repositories. You can now enable code scanning in just a few clicks and without using a .yaml file, helping open source developers and enterprises streamline code scanning setup so they can secure more of their software. Once enabled, you’ll immediately start getting insights from code scanning in your code to help you find and fix vulnerabilities quickly without disrupting your workflow.
To access this feature, head to the Settings tab, then select the Code security and analysis option where you will now find the new code scanning setup toolbox. Here you’ll need to click on Set up and then select the Default option to activate it.
From this point, the user automatically gets a configuration summary tailored to the contents of the repository. This includes the query packs used as well as the events that trigger scans. GitHub has further indicated that users will be able to customize these options in the future.
After reviewing the configuration, you can click the Enable CodeQL button, which automatically enables code scanning on the repository. GitHub has also highlighted that it is currently working to make the experience available across all languages supported by the CodeQL analysis engine.
In related news, GitHub released an AI-powered Copilot for Business at $19 per month last year in December. Let us know what you think in the comment section.