
Enable scans and notifications by default

Open mcandre opened this issue 1 year ago • 2 comments

Please enable CodeQL SAST scans and notifications by default on all GitHub repositories, like Dependabot. There are millions of projects with vulnerabilities that the owners and downstream users are unaware of. Let's try harder to keep the Internet safe.

mcandre avatar Apr 26 '24 22:04 mcandre

Hi Andrew,

Thank you for your question. It is indeed a request we often get, and something we're definitely interested in long-term, but don't have any immediate plans for. The main reason is that we want developers to have the best experience possible, and there are several things we're actively addressing that can potentially enable an opt-out configuration in the future, but we're not quite there yet. Some of those include: setup (and build configuration where needed), alert level configuration (Default vs. Extended), and performance (both in terms of waiting time at the PR and investment in Actions for GitHub).

Should we decide to implement this at some point in the future, there will be a corresponding item on our public roadmap some time before it is implemented.

turbo avatar May 03 '24 10:05 turbo
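Since scans are opt-in today, here is what a repository has to add itself to get what the reply above describes: a CodeQL workflow with the build configuration and the alert level (Default vs. Extended query suite) chosen explicitly. This is an added example, not code from the thread or from the CodeQL project; it assumes a repository whose default branch is `main` and that contains JavaScript/TypeScript, Python and Java/Kotlin code (adjust the matrix to the languages actually present).

```yaml
# .github/workflows/codeql.yml (added example, not part of the original issue)
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Weekly scan so new queries catch existing code, not just new commits
    - cron: "17 3 * * 1"

permissions:
  contents: read          # read the source
  security-events: write  # upload SARIF results as code scanning alerts
  actions: read           # required by the action on private repositories

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # Interpreted languages need no build; the database is extracted from source.
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
          # Compiled languages need a build; "autobuild" lets CodeQL attempt one,
          # replace it with build-mode: manual plus your own build step if that fails.
          - language: java-kotlin
            build-mode: autobuild
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # "security-extended" is the Extended alert level mentioned above:
          # more queries, more findings, somewhat more noise than the default suite.
          queries: security-extended

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # One category per language so each language's alerts are tracked separately
          category: "/language:${{ matrix.language }}"
```

The `build-mode` and `queries` inputs are exactly the two knobs the reply lists as blockers for an opt-out default: a wrong build mode for a compiled language yields an empty database and no alerts, and the choice between the default and extended suites decides how much triage noise a maintainer inherits. For repositories without a checked-in workflow, the same choice can be made through the REST endpoint `PATCH /repos/{owner}/{repo}/code-scanning/default-setup` with `state` set to `configured` and `query_suite` set to `default` or `extended`.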

Hi @mcandre,

Thanks again for your suggestion. I believe @turbo has provided an answer to your question, so I will proceed by closing this issue.

If you have any follow-up questions, feel free to re-open this issue.

Thanks!

rvermeulen avatar Oct 15 '24 20:10 rvermeulen