We set up Code Scanning with CodeQL using the default method. Now, let's try using the advanced setup!
This extra credit lab covers parts of the following exam domains:
- Domain 4: Configure and use code scanning
- Domain 5: Use code scanning with CodeQL
- Domain 6: Describe GitHub Advanced Security best practices
Why might you want to use the advanced setup? Here are some reasons:
- More control over triggers and schedule
- When pulling in packages from a private feed, you may have to provide instructions on authorizing to the NuGet, NPM, Maven, etc. feed.
- For compiled languages, providing more instructions on how to build the code
- Ability to customize the CodeQL configuration (such as query suites used)
- Manage code scanning settings "as code"
- Utilize 3rd party code scanning tooling
Your assignment here is to switch to the advanced setup. You can start under the Settings --> Code Security and Analysis page.
Your goal is to have a CodeQL workflow committed that successfully scans your code. Pay attention to some of the configuration options for the CodeQL scanning action. Refer to the documentation for more details.
In this lab, you have learned how to set up and configure advanced code scanning. There is no definitive answer as to whether the default or advanced setup is better. The default setup is ideal for quickly configuring CodeQL on repositories without requiring code changes or PR approvals. However, the advanced setup offers more customization and flexibility.
➡️ Head back to the labs page.