Fast follow [shipped 2023-03-20]: Code scanning default setup can analyze the security-extended query suite (#35751)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Sam Browning 2023-04-11 09:35:01 -04:00 committed by GitHub
Parent 4c997c1ad6
Commit 947dfff8f3
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
4 changed files: 59 additions and 3 deletions

Binary data
assets/images/help/security/default-setup-query-suite-dropdown.png Normal file

Binary file not shown. Size: 93 KiB


@ -0,0 +1,43 @@
---
title: Built-in CodeQL query suites
shortTitle: Built-in CodeQL query suites
intro: 'You can choose from different built-in {% data variables.product.prodname_codeql %} query suites to use in your {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} setup.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
feature: code-scanning-without-workflow
type: reference
topics:
- Code scanning
- CodeQL
---
## About {% data variables.product.prodname_codeql %} query suites
With {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}, you can select a specific group of {% data variables.product.prodname_codeql %} queries, called a {% data variables.product.prodname_codeql %} query suite, to run against your code. The following built-in query suites are available through {% data variables.product.prodname_dotcom %}:
- the `code-scanning` query suite.
- the `security-extended` query suite.
Currently, both the `code-scanning` query suite and the `security-extended` query suite are available for the default setup for {% data variables.product.prodname_code_scanning %}. For more information on the default setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)."
To use a custom query suite, you must create an advanced setup for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}. For more information on advanced setups and creating a query suite, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)" and "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites)."
## Built-in {% data variables.product.prodname_codeql %} query suites
The built-in {% data variables.product.prodname_codeql %} query suites, `code-scanning` and `security-extended`, are created and maintained by {% data variables.product.prodname_dotcom %}. Both of these query suites are available for every {% data variables.product.prodname_codeql %}-supported language. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
### `code-scanning` query suite
- The `code-scanning` query suite is the group of queries run by default in {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} on {% data variables.product.prodname_dotcom %}.
- The queries in the `code-scanning` query suite are highly precise and return few false positive {% data variables.product.prodname_code_scanning %} results. Relative to the `security-extended` query suite, the `code-scanning` suite returns fewer low-confidence {% data variables.product.prodname_code_scanning %} results.
- This query suite is available for use with the default setup for {% data variables.product.prodname_code_scanning %}.
### `security-extended` query suite
- The `security-extended` query suite consists of all the queries in the `code-scanning` query suite, plus additional queries with slightly lower precision and severity.
- Relative to the `code-scanning` query suite, the `security-extended` suite may return a greater number of false positive {% data variables.product.prodname_code_scanning %} results.
- This query suite is available for use with the default setup for {% data variables.product.prodname_code_scanning %}.
## Further reading
- "[AUTOTITLE](/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites)"
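Review bot: the suite names used throughout this new page (`code-scanning`, `security-extended`) are never tied to the labels the default setup dialog actually shows, **Default** and **Extended** in the procedure this same commit changes, so a reader arriving from the settings page cannot tell which of the two suites they selected; add one sentence under each `###` heading, along the lines of "This suite appears as **Extended** in the default setup dialog." Two smaller points: the "Further reading" entry repeats the `creating-codeql-query-suites` link already given in the "About" section, and the two bullets "the `code-scanning` query suite." / "the `security-extended` query suite." are sentence fragments that end in periods; drop the duplicate link and the periods.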


@ -74,12 +74,25 @@ Try default setup if you don't need to run extra queries, change the scan schedu
1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, select **Set up** {% octicon "triangle-down" aria-label="The downwards-facing triangle icon" %}, then click **Default**.
![Screenshot of the "{% data variables.product.prodname_code_scanning_caps %}" section of "Code security and analysis" settings. The "Default setup" button is highlighted with an orange outline.](/assets/images/help/security/default-code-scanning-setup.png)
1. In the {% data variables.product.prodname_codeql %} default configuration window that is displayed, review the settings for your repository, then click **Enable {% data variables.product.prodname_codeql %}**.
1. Optionally, in the "Query suites" section of the "{% data variables.product.prodname_codeql %} default configuration" modal dialog, select the **Default** {% octicon "triangle-down" aria-hidden="true" %} dropdown menu, then click the {% data variables.product.prodname_codeql %} query suite you would like to use.
![Screenshot of the default setup modal for {% data variables.product.prodname_code_scanning %}. A button labeled "Default", with an arrow indicating a dropdown menu, is outlined in dark orange.](/assets/images/help/security/default-setup-query-suite-dropdown.png)
If you choose the **Extended** query suite, your {% data variables.product.prodname_code_scanning %} configuration will run lower severity and precision queries in addition to the queries included in the **Default** query suite.
{% note %}
**Note:** If you configure {% data variables.product.prodname_code_scanning %} to use the **Extended** query suite, you may experience a higher rate of false positive alerts.
{% endnote %}
1. Review the settings for the default setup on your repository, then click **Enable {% data variables.product.prodname_codeql %}**.
{% note %}
**Notes:**
- The {% data variables.product.prodname_codeql %} default configuration window displays the details of the default setup, including the languages to analyze, the query suites to run, and the events that trigger a new scan. If you would like to change which query suites will run, what events will trigger a new scan, or other {% data variables.product.prodname_code_scanning %} features, you need to use the advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
- The {% data variables.product.prodname_codeql %} default configuration window displays the details of the default setup, including the languages to analyze, the query suites to run, and the events that trigger a new scan. If you would like to change which events will trigger a new scan or customize other {% data variables.product.prodname_code_scanning %} features, you need to use the advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
- If you are switching to the default setup from the advanced setup, you will see a warning informing you that the default setup will override existing configurations. {% data variables.product.prodname_codeql %} default setup will disable the existing workflow file, and block any {% data variables.product.prodname_codeql %} analysis API uploads.
- If you would like to see your default {% data variables.product.prodname_codeql %} setup after configuration, select {% octicon "kebab-horizontal" aria-label="The horizontal kebab icon" %}, then click {% octicon "gear" aria-label="The gear icon" %} **View {% data variables.product.prodname_codeql %} configuration**.
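Review bot: the new optional step and its note tell the reader that **Extended** runs lower severity and precision queries and may raise the false positive rate, but they do not link the reference page this same commit adds ("Built-in CodeQL query suites"), which is where the precision and severity trade-off between the two suites is explained; add that link to the sentence after the dropdown screenshot so the choice can be made before clicking **Enable CodeQL**. The step also names the dialog the '"CodeQL default configuration" modal dialog' while the steps before and after it say "default configuration window"; use one term.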


@ -25,6 +25,7 @@ children:
- /customizing-code-scanning
- /about-code-scanning-with-codeql
- /recommended-hardware-resources-for-running-codeql
- /built-in-codeql-query-suites
- /configuring-the-codeql-workflow-for-compiled-languages
- /configuring-code-scanning-at-scale
- /troubleshooting-your-default-setup-for-codeql
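Review bot: `/built-in-codeql-query-suites` is slotted after `/recommended-hardware-resources-for-running-codeql`, which separates it from `/about-code-scanning-with-codeql`, the entry the new page links to for the list of supported languages and the other conceptual reference in this group; placing it directly after `/about-code-scanning-with-codeql` keeps the reference material together and leaves the hardware page next to the compiled-languages workflow page it relates to.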
@ -32,4 +33,3 @@ children:
- /running-codeql-code-scanning-in-a-container
- /viewing-code-scanning-logs
---
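Review bot: the header `@ -32,4 +33,3 @@` records one line removed from the `children` list, but only unchanged lines survive in this rendering, so confirm which child entry was dropped and that the page it named is either deleted in this commit or listed elsewhere; otherwise it becomes unreachable from the navigation.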