title: Default setup for code scanning overrides advanced setup
shortTitle: Unexpected default setup
intro: >-
You apply a {% data variables.product.prodname_security_configuration %} with
"Enabled with advanced setup allowed" and the existing advanced setup for {%
data variables.product.prodname_code_scanning %} is ignored in some
repositories.
permissions: '{% data reusables.permissions.security-org-enable %}'
versions:
feature: security-configurations
topics:
- Code Security
- Organizations
- Security
About the problem
When you apply a {% data variables.product.prodname_security_configuration %} and {% data variables.product.prodname_code_scanning %} is defined as "Enabled with advanced setup allowed", each repository is checked to see if there is an existing, active, advanced setup.
- No change to {% data variables.product.prodname_code_scanning %} if an active advanced setup configuration is detected.
- Default setup is enabled for repositories where advanced setup is inactive or absent.
Inactive or absent advanced setup
{% data reusables.code-scanning.inactive-advanced-setup %}
Solving the problem
This solution has two parts:
Any repositories where default setup for {% data variables.product.prodname_code_scanning %} was unexpectedly applied need to run {% data variables.product.prodname_codeql %} analysis at intervals of less than 90 days, for example, once a month.
Even if the repository is not under active development, new vulnerabilities may be identified by updates to {% data variables.product.prodname_codeql %} analysis.
Once the affected repositories all have {% data variables.product.prodname_codeql %} analysis running, you can reapply the {% data variables.product.prodname_security_configuration %}.