
Disabling autofix for code scanning

You can choose to disallow code scanning autofix for an enterprise or disable autofix at the organization and repository level.

Who can use this feature?

Autofix for code scanning is only available to GitHub Enterprise Cloud users with GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

Note

GitHub autofix for code scanning is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to alerts identified by CodeQL for private and internal repositories. If you have an enterprise account and use GitHub Advanced Security, your enterprise has access to the beta.

About disabling autofix for code scanning

Code scanning autofix is a GitHub Copilot-powered expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts, so they can avoid introducing new security vulnerabilities. To learn more about autofix for code scanning, see "About autofix for CodeQL code scanning."

Code scanning autofix is allowed by default in an enterprise and enabled for every repository that uses CodeQL, regardless of whether it uses default or advanced setup for code scanning. Administrators at the enterprise, organization, and repository levels can choose to opt out and disable autofix.

Note that disabling autofix at any level will close all open autofix comments. If autofix is disabled and then subsequently re-enabled, autofix won't automatically suggest fixes for any pull requests that are already open. Suggestions will only be generated for pull requests that are opened after autofix is enabled, or after re-running CodeQL analysis on existing pull requests.

Blocking use of autofix for an enterprise

Enterprise administrators can disallow autofix for their enterprise. If you disallow autofix for an enterprise, autofix cannot be enabled for any organizations or repositories within the enterprise.

Note that allowing autofix for an enterprise does not enforce enablement of autofix; it only means that organization and repository administrators will have the option to enable or disable autofix.

Disallowing autofix at the enterprise level will remove all open autofix comments across all repositories of all organizations within the enterprise.

  1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. On the left side of the page, in the enterprise account sidebar, click Policies.

  4. Under "Policies", click Code security and analysis.

  5. Under "Autofix for CodeQL code scanning", use the dropdown menu to choose "Not allowed."

Disabling autofix for an organization

If autofix is allowed at the enterprise level, organization administrators have the option to disable autofix for an organization. If you disable autofix for an organization, autofix cannot be enabled for any repositories within the organization.

Note that disabling autofix at the organization level will remove all open autofix comments across all repositories in the organization.

  1. In the upper-right corner of GitHub, select your profile photo, then click Your organizations.
  2. Next to the organization, click Settings.
  3. In the "Security" section of the sidebar, click Code security then Global settings.
  4. Under the "Code scanning" section, deselect Autofix for CodeQL.

For more information about configuring global code scanning settings, see "Configuring global security settings for your organization."

Disabling autofix for a repository

If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments across the repository.

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. In the "Code scanning" section, deselect Autofix for CodeQL.