Enable all at organization level for code scanning (#35472)

Co-authored-by: Kelly Arwine <kellyarwine@github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
This commit is contained in:
Felicity Chapman 2023-03-20 17:59:48 +00:00 committed by GitHub
Parent 938c702203
Commit bb806046e2
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
18 changed files: 159 additions and 48 deletions

View file

@ -0,0 +1,75 @@
---
title: Configuring code scanning at scale using CodeQL
shortTitle: Configure CodeQL at scale
intro: 'You can configure {% data variables.product.prodname_code_scanning %} for eligible repositories in your organization using default setup for {% data variables.product.prodname_codeql %} or use a script to configure advanced setup for a specific group of repositories.'
product: '{% data reusables.gated-features.code-scanning %}'
versions:
feature: org-enable-code-scanning
type: how_to
topics:
- Advanced Security
- Code scanning
allowTitleToDifferFromFilename: true
---
## About configuring {% data variables.product.prodname_code_scanning %} in multiple repositories
There are two ways to configure {% data variables.product.prodname_code_scanning %} in multiple repositories at the same time. The best method to use depends on the analysis needs of the repositories.
1. The repositories are eligible for default setup for {% data variables.product.prodname_codeql %} and owned by an organization.
2. The group of repositories has similar configuration needs for {% data variables.product.prodname_codeql %} advanced setup.
In addition, {% data variables.product.prodname_actions %} must be enabled for the {% ifversion fpt %}organization{% elsif ghec or ghae %}organization or enterprise{% elsif ghes %}site{% endif %}.
<!-- Anchor to maintain the UI link to this heading -->
<a name="eligible-repositories-default-setup"></a>
## Eligible repositories for {% data variables.product.prodname_codeql %} default setup
{% data reusables.code-scanning.beta-org-enable-all %}
You can use the organization settings page for "Code security and analysis" to enable {% data variables.product.prodname_code_scanning %} for any repositories in the organization that are eligible for {% data variables.product.prodname_codeql %} default setup.
### Eligibility criteria for organization-level enablement
A repository must meet all the following criteria to be eligible for default setup, otherwise you need to use advanced set up.
- {% data variables.product.prodname_code_scanning_caps %} is not already enabled.
- {% data variables.product.prodname_actions %} are enabled.
- Uses JavaScript/TypeScript, Python, or Ruby.
- Does not use any other languages supported by {% data variables.product.prodname_codeql %}, but may include other languages, such as R. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
- {% ifversion fpt %}Publicly visible.
{%- elsif ghec %}Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.
{%- elsif ghes or ghae %}{% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %}
For more information about default setup, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically)." For information on editing security and analysis settings for an organization, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
{% ifversion security-overview-org-risk-coverage %}
### Finding repositories that are eligible for default setup
The security coverage page, part of security overview, makes it easy to filter the repositories in your organization to show repositories that are eligible for default setup.
{%- ifversion ghec %}
- `code-scanning-default-setup:eligible is:public` shows repositories that have languages suitable for default setup and are eligible because they are visible to the public.
- `code-scanning-default-setup:eligible advanced-security:enabled` shows private or internal repositories that have languages suitable for default setup and are eligible because they have {% data variables.product.prodname_GH_advanced_security %} enabled.
- `code-scanning-default-setup:eligible is:private,internal advanced-security:not-enabled` shows private or internal repositories that have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- elsif ghes or ghae %}
- `code-scanning-default-setup:eligible advanced-security:enabled` shows which repositories can be added to default setup immediately.
- `code-scanning-default-setup:eligible advanced-security:not-enabled` shows which repositories have languages suitable for default setup but do not have {% data variables.product.prodname_GH_advanced_security %} enabled. Once you enable {% data variables.product.prodname_GH_advanced_security %} for these repositories, they can also be added to default setup.
{%- endif %}
- `code-scanning-default-setup:not-eligible` shows repositories that either have advanced setup configured already, or where the languages not are suitable for default setup.
For more information about the security coverage page, see "[AUTOTITLE](/code-security/security-overview/about-the-security-overview#security-coverage-view)."
{% endif %}
## Using a script to configure advanced setup
For repositories that are not eligible for default setup, you can use a bulk configuration script to configure advanced setup across multiple repositories.
1. Identify a group of repositories that can be analyzed using the same {% data variables.product.prodname_code_scanning %} configuration. For example, all repositories that build Java artifacts using the production environment.
2. Create and test a {% data variables.product.prodname_actions %} workflow to call the {% data variables.product.prodname_codeql %} action with the appropriate configuration. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
3. Use one of the example scripts create a custom script to add the workflow to each repository in the group.
- PowerShell example: [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository
- NodeJS example: [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) repository
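
Review bot: Step 3 of "Using a script to configure advanced setup" is missing a word: "Use one of the example scripts create a custom script" should read "Use one of the example scripts or create a custom script". In the same file, the `code-scanning-default-setup:not-eligible` bullet says "the languages not are suitable" (should be "are not suitable"), the eligibility paragraph writes "advanced set up" where the rest of the article uses "advanced setup", and the numbered list under "There are two ways to configure" describes two situations rather than two methods, so consider naming the method in each item.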

View file

@ -53,7 +53,9 @@ Enterprise owners, organization and repository administrators can add self-hoste
## Configuring {% data variables.product.prodname_code_scanning %} automatically
The default setup for {% data variables.product.prodname_code_scanning %} will automatically configure {% data variables.product.prodname_code_scanning %} with the best settings for your repository. Your repository is eligible for default setup if it uses {% data variables.product.prodname_actions %} and contains only the following {% data variables.product.prodname_codeql %}-supported languages: JavaScript/TypeScript, Python, or Ruby. While you can use default setup if your repository includes languages that aren't supported by CodeQL, such as R, you must use the advanced setup if you include {% data variables.product.prodname_codeql %}-supported languages other than those previously listed. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."
The default setup for {% data variables.product.prodname_code_scanning %} will automatically configure {% data variables.product.prodname_code_scanning %} with the best settings for your repository. Default setup uses {% data variables.product.prodname_actions %} to run {% data variables.product.prodname_codeql %} analysis without requiring you to commit a workflow file your repository.
Your repository is eligible for default setup if it uses {% data variables.product.prodname_actions %} and contains only the following {% data variables.product.prodname_codeql %}-supported languages: JavaScript/TypeScript, Python, or Ruby. While you can use default setup if your repository includes languages that aren't supported by CodeQL, such as R, you must use the advanced setup if you include {% data variables.product.prodname_codeql %}-supported languages other than those previously listed. For more information on {% data variables.product.prodname_codeql %}-supported languages, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql)."{% ifversion org-enable-code-scanning %} For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)."{% endif %}
Enabling default setup is the quickest way to configure {% data variables.product.prodname_code_scanning %} for your repository. Additionally, default setup requires none of the maintenance necessary with a {% data variables.product.prodname_codeql %} workflow file. Before you enable default setup, you'll see the languages it will analyze, the query suites it will run, and the events that will trigger a new scan.
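
Review bot: The added sentence "without requiring you to commit a workflow file your repository" is missing "to" before "your repository". The eligibility paragraph also hard-codes "CodeQL" in "aren't supported by CodeQL" while every other mention uses `{% data variables.product.prodname_codeql %}`; use the variable there as well.
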
@ -171,10 +173,18 @@ The `on:pull_request` and `on:push` triggers for code scanning are each useful f
{% endif %}
{% ifversion org-enable-code-scanning %}
For information on bulk enablement, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale)."
{% else %}
## Bulk configuration of {% data variables.product.prodname_code_scanning %}
You can configure {% data variables.product.prodname_code_scanning %} in many repositories at once using a script. If you'd like to use a script to raise pull requests that add a {% data variables.product.prodname_actions %} workflow to multiple repositories, see the [`jhutchings1/Create-ActionsPRs`](https://github.com/jhutchings1/Create-ActionsPRs) repository for an example using PowerShell, or [`nickliffen/ghas-enablement`](https://github.com/NickLiffen/ghas-enablement) for teams who do not have PowerShell and instead would like to use NodeJS.
{% endif %}
## Viewing the logging output from {% data variables.product.prodname_code_scanning %}
After configuring {% data variables.product.prodname_code_scanning %} for your repository, you can watch the output of the actions as they run.
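
Review bot: In the `org-enable-code-scanning` branch the "Bulk configuration" heading disappears and only a bare cross-reference sentence remains, so it renders as a trailing line of whatever section precedes it (the hunk header shows the `on:pull_request` and `on:push` triggers text). The same sentence is also appended to the eligibility paragraph in the earlier hunk of this file, so consider dropping this copy or keeping a short heading above it.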

View file

@ -25,6 +25,7 @@ children:
- /about-code-scanning-with-codeql
- /recommended-hardware-resources-for-running-codeql
- /configuring-the-codeql-workflow-for-compiled-languages
- /configuring-code-scanning-at-scale
- /troubleshooting-your-default-setup-for-codeql
- /troubleshooting-the-codeql-workflow
- /running-codeql-code-scanning-in-a-container

View file

@ -106,20 +106,44 @@ You can enable or disable {% data variables.product.prodname_secret_scanning %}
1. Click **Settings** next to your organization.
1. Click **Code security & analysis**.
1. Click **Enable all** or **Disable all** next to {% data variables.product.prodname_secret_scanning_caps %}.
{% ifversion fpt %}
1. Optionally, select **Automatically enable for new public repositories**.{% elsif ghec %}
1. Optionally, select **Automatically enable for new public repositories and repositories with {% data variables.product.prodname_advanced_security %} enabled**.{% else %}
1. Optionally, select **Automatically enable for private repositories added to {% data variables.product.prodname_advanced_security %}.**{% endif %}
1. In the dialog box displayed, optionally
{%- ifversion fpt %} select **Automatically enable for new public repositories**.
{%- elsif ghec %} select **Automatically enable for new public repositories and repositories with {% data variables.product.prodname_advanced_security %} enabled**.
{%- else %} select **Automatically enable for repositories added to {% data variables.product.prodname_advanced_security %}.**
{%- endif %}
1. Click the enable or disable button in the dialog box to confirm the change.
For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)."
## Configuring {% data variables.product.prodname_code_scanning %}
{% data variables.product.prodname_code_scanning_caps %} is an {% data variables.product.prodname_advanced_security %} feature that scans code for security vulnerabilities and errors.
{% ifversion fpt or ghec %}{% data variables.product.prodname_code_scanning_caps %} is available for all public repositories. Organizations that use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_advanced_security %} can additionally use {% data variables.product.prodname_code_scanning %} for private and internal repositories.{% else %}{% data variables.product.prodname_code_scanning_caps %} is available if your enterprise uses {% data variables.product.prodname_advanced_security %}.{% endif %}
{% ifversion org-enable-code-scanning %}
You can enable or disable {% data variables.product.prodname_code_scanning %} default setup for all eligible repositories
{%- ifversion fpt %} that are public across your organization.
{%- elsif ghec %} that are public, and for all private and internal repositories
{%- endif %}
{%- ifversion ghec or ghes or ghae %} across your organization that have {% data variables.product.prodname_GH_advanced_security %} enabled.
{%- endif %}
{% data reusables.code-scanning.default-setup-info-link %}
For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
{% data reusables.code-scanning.beta-org-enable-all %}
1. Click your profile photo, then click **Organizations**.
1. Click **Settings** next to your organization.
1. Click **Code security & analysis**.
1. Click **Enable all** or **Disable all** next to {% data variables.product.prodname_code_scanning_caps %}.
1. In the "Enable {% data variables.product.prodname_code_scanning %} for eligible repositories" or "Disable {% data variables.product.prodname_code_scanning %}" dialog box displayed, click **Enable for eligible repositories** or **Disable {% data variables.product.prodname_code_scanning %}** to confirm the change.
{% else %}
{% data variables.product.prodname_code_scanning_caps %} is configured at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository)."
{% endif %}
## Next steps
You can view and manage alerts from security features to address dependencies and vulnerabilities in your code. For more information, see {% ifversion fpt or ghes or ghec %} "[AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts),"{% endif %} {% ifversion fpt or ghec or ghes %}"[AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates)," {% endif %}"[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository)," and "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
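
Review bot: The final branch of the rewritten secret scanning step puts the period inside the bold text ("... added to {% data variables.product.prodname_advanced_security %}.**") while the `fpt` and `ghec` branches put it outside, so the option label renders differently per version. The new code scanning paragraph also switches to `prodname_GH_advanced_security` while the rest of this hunk uses `prodname_advanced_security`; pick one variable for the section.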

View file

@ -78,7 +78,6 @@ This view shows data about the repositories affected by different types of secur
![Screenshot of the "Security Risk" view on the "Security" tab for an organization. Illustrates information and filter options available in the view.](/assets/images/help/security-overview/security-risk-interactive-header.png)
### Security Coverage view
This view shows data about which security features are used by repositories in the organization. You can filter the view to show the repositories of interest using links, a dropdown menu, and a search field.
@ -92,6 +91,8 @@ In addition, you can click **{% octicon "gear" aria-hidden="true" %} Security se
![Screenshot of the "Security Coverage" view on the "Security" tab for an organization. Illustrates information and filter options available in view.](/assets/images/help/security-overview/security-coverage-view-single-repo-enablement.png)
{% data reusables.code-scanning.beta-org-enable-all %}
{% else %}
### Understanding the main security overview
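
Review bot: The beta note reusable is added below the screenshot at the very end of the "Security Coverage view" section, yet its text warns that this view keeps showing code scanning as enabled after an organization-wide disable. Move `{% data reusables.code-scanning.beta-org-enable-all %}` up next to the paragraph that describes what the view shows, so readers see the caveat before relying on the coverage data.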

View file

@ -19,7 +19,7 @@ shortTitle: Manage security & analysis
## About management of security and analysis settings
{% data variables.product.prodname_dotcom %} can help secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization. {% ifversion ghec %}If you have a license for {% data variables.product.prodname_GH_advanced_security %} then you can also manage access to these features. {% data reusables.advanced-security.more-info-ghas %}{% endif %}{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also manage access to these features. For more information, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization).{% endif %}
{% data variables.product.prodname_dotcom %} can help you to secure the repositories in your organization. You can manage the security and analysis features for all existing or new repositories that members create in your organization. {% ifversion ghec %}If you have a license for {% data variables.product.prodname_GH_advanced_security %} then you can also manage access to these features. {% data reusables.advanced-security.more-info-ghas %}{% endif %}{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %} can also manage access to these features. For more information, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization).{% endif %}
{% data reusables.security.some-security-and-analysis-features-are-enabled-by-default %}
{% data reusables.security.security-and-analysis-features-enable-read-only %}
@ -51,6 +51,9 @@ You can enable or disable features for all repositories.
- **{% data variables.product.prodname_GH_advanced_security %}** - Your changes affect only private repositories because {% data variables.product.prodname_GH_advanced_security %} and the related features are always enabled for public repositories.{% endif %}
- **{% data variables.product.prodname_secret_scanning_caps %}** - Your changes affect {% ifversion fpt %}public repositories.{% endif %}{% ifversion ghec %}public repositories, and private or internal repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %} This option controls whether or not {% data variables.secret-scanning.user_alerts %} are enabled. {% data variables.secret-scanning.partner_alerts_caps %} always runs on all public repositories.
{%- ifversion org-enable-code-scanning %}
- **{% data variables.product.prodname_code_scanning_caps %}** - Your changes affect {% ifversion fpt %}public repositories{% elsif ghec %}public repositories, and private or internal repositories where {% data variables.product.prodname_GH_advanced_security %} is enabled{% elsif ghes or ghae %}repositories that are eligible for default setup using {% data variables.product.prodname_codeql %} where {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %} {% data reusables.code-scanning.default-setup-info-link %} For repositories that are not eligible for default setup, you can configure advanced setup at the repository level. For more information, see "[AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#creating-an-advanced-setup)."
{%- endif %}
{% endif %}
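
Review bot: The new code scanning bullet loses its sentence-ending period on `fpt` and `ghec`: only the `ghes or ghae` branch ends with "is enabled." before `{% endif %}`, so the other two versions run straight into the "For information about eligible repositories" text of the `default-setup-info-link` reusable. Move the period outside the conditional, after `{% endif %}`.
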
@ -73,44 +76,24 @@ You can enable or disable features for all repositories.
{% endif %}
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
2. Under "Code security and analysis", to the right of the feature, click **Disable all** or **Enable all**. {% ifversion ghes or ghec %}The control for "{% data variables.product.prodname_GH_advanced_security %}" is disabled if you have no available {% ifversion ghas-billing-UI-update %}licenses{% else %}seats{% endif %} for {% data variables.product.prodname_GH_advanced_security %}.{% endif %}
{% ifversion fpt %}
!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/organizations/security-and-analysis-disable-or-enable-all-fpt.png)
{% endif %}
{% ifversion ghec %}
!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/help/organizations/security-and-analysis-disable-or-enable-all-ghas-ghec.png)
{% endif %}
{% ifversion ghes %}
!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/enterprise/3.3/organizations/security-and-analysis-disable-or-enable-all-ghas.png)
{% endif %}
{% ifversion ghae %}
!["Enable all" or "Disable all" button for "Configure security and analysis" features](/assets/images/enterprise/github-ae/organizations/security-and-analysis-disable-or-enable-all-ghae.png)
{% endif %}
{% ifversion fpt or ghec %}
3. Optionally, enable the feature by default for new repositories in your organization.
{% ifversion fpt or ghec %}
!["Enable by default" option for new repositories](/assets/images/help/organizations/security-and-analysis-enable-by-default-in-modal.png)
{% endif %}
{% endif %}
{% ifversion fpt or ghec %}
1. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization.
{% endif %}
{% ifversion ghae or ghes %}
1. Click **Enable/Disable all** or **Enable/Disable for eligible repositories** to confirm the change.
{% endif %}
1. Go to the code security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
2. Under "Code security and analysis", to the right of the feature, click **Disable all** or **Enable all** to display a confirmation dialog box. {% ifversion ghes or ghec %}The control for "{% data variables.product.prodname_GH_advanced_security %}" is disabled if you have no available {% ifversion ghas-billing-UI-update %}licenses{% else %}seats{% endif %} for {% data variables.product.prodname_GH_advanced_security %}.{% endif %}
3. Review the information in the dialog box. If you are enabling a feature, optionally select **Enable by default for new {% ifversion fpt or ghec %}private {% endif %}repositories**.
4. When you are ready to make the changes, click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories in your organization.
{% data reusables.code-scanning.beta-org-enable-all %}
{% data reusables.security.displayed-information %}
## Enabling or disabling a feature automatically when new repositories are added
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
2. Under "Code security and analysis", to the right of the feature, enable or disable the feature by default for new repositories{% ifversion fpt or ghec %}, or all new private repositories,{% endif %} in your organization.
2. Under "Code security and analysis", locate the feature and enable or disable it for all new repositories{% ifversion fpt or ghec %}, or all new private repositories,{% endif %} in your organization.
{% ifversion fpt or ghec %}
![Screenshot of a checkbox for enabling a feature for new repositories](/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png)
![Screenshot of the "Dependency graph" section of the "Code security and analysis" settings page. The checkbox for enabling the feature for new repositories is outlined in dark orange.](/assets/images/help/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png)
{% endif %}
{% ifversion ghes %}
![Screenshot of a checkbox for enabling a feature for new repositories](/assets/images/enterprise/3.3/organizations/security-and-analysis-enable-or-disable-feature-checkbox.png)
![Screenshot of the "{% data variables.product.prodname_dependabot %} security updates" section of the "Code security and analysis" settings page. The checkbox for enabling the feature for new repositories is outlined in dark orange.](/assets/images/enterprise/orgs-and-teams/security-and-analysis-enable-or-disable-feature-checkbox.png)
{% endif %}
{% ifversion fpt or ghec or ghes %}
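
Review bot: Step 4 now tells every version to click **Disable FEATURE** or **Enable FEATURE** "for all the repositories in your organization", but the removed `ghae or ghes` step mentioned **Enable/Disable for eligible repositories**, and the code scanning dialog documented elsewhere in this commit uses **Enable for eligible repositories**. Reword step 4 so it also covers features that apply only to eligible repositories. Step 1 here says "code security and analysis settings" while the matching step under "Enabling or disabling a feature automatically when new repositories are added" still says "security and analysis settings".
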
@ -126,14 +109,12 @@ If your code depends on packages in a private registry, you can allow {% data va
To allow {% data variables.product.prodname_dependabot %} to access a private {% data variables.product.prodname_dotcom %} repository:
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
1. Under "{% data variables.product.prodname_dependabot %} private repository access", click **Add private repositories** or **Add internal and private repositories**.
![Add repositories button](/assets/images/help/organizations/dependabot-private-repository-access.png)
1. Start typing the name of the repository you want to allow.
![Repository search field with filtered dropdown](/assets/images/help/organizations/dependabot-private-repo-choose.png)
1. Click the repository you want to allow.
1. Optionally, to remove a repository from the list, to the right of the repository, click {% octicon "x" aria-label="The X icon" %}.
!["X" button to remove a repository](/assets/images/help/organizations/dependabot-private-repository-list.png)
1. Under "Grant {% data variables.product.prodname_dependabot %} access to private repositories", click **Add private repositories** or **Add internal and private repositories** to display a repository search field.
![Screenshot of the "Grant {% data variables.product.prodname_dependabot %} access to private repositories" section. The "Add repositories" button is outlined in dark orange.](/assets/images/help/organizations/dependabot-private-repository-access.png)
1. Start typing the name of the repository you want to grant {% data variables.product.prodname_dependabot %} access to.
1. A list of matching repositories in the organization is displayed, click the repository you want to to allow access to and this adds the repository to the allowed list.
1. Optionally, to remove a repository from the list, to the right of the repository, click {% octicon "x" aria-label="Remove REPOSITORY-NAME" %}.
![Screenshot of the list of repositories {% data variables.product.prodname_dependabot %} has access to. The "Remove REPOSITORY-NAME" button, shown with an x icon, is outlined in dark orange.](/assets/images/help/organizations/dependabot-private-repository-list.png)
{% endif %}
{% ifversion ghes or ghec %}
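
Review bot: The rewritten "click the repository" step has a doubled word and a comma splice: "A list of matching repositories in the organization is displayed, click the repository you want to to allow access to and this adds the repository to the allowed list." Suggest splitting it, for example "Click the repository you want to allow access to in the list of matching repositories. The repository is added to the allowed list."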

View file

@ -472,7 +472,9 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
| `advanced_security_policy_selected_member_enabled` | Triggered when an enterprise owner allows {% data variables.product.prodname_GH_advanced_security %} features to be enabled for repositories owned by the organization. {% data reusables.advanced-security.more-information-about-enforcement-policy %}{% ifversion fpt or ghec %}
| `audit_log_export` | Triggered when an organization admin [creates an export of the organization audit log](#exporting-the-audit-log). If the export included a query, the log will list the query used and the number of audit log entries matching that query.
| `block_user` | Triggered when an organization owner [blocks a user from accessing the organization's repositories](/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization).
| `cancel_invitation` | Triggered when an organization invitation has been revoked. {% endif %}{% ifversion fpt or ghes or ghec %}
| `cancel_invitation` | Triggered when an organization invitation has been revoked. {% endif %}{% ifversion org-enable-code-scanning %}
| `codeql_disabled` | Triggered when an organization owner or person with admin access to the organization disables {% data variables.product.prodname_code_scanning %} for repositories that use the default setup for {% data variables.product.prodname_codeql %}.
| `codeql_enabled` | Triggered when an organization owner or person with admin access to the organization enables {% data variables.product.prodname_code_scanning %} for repositories that are eligible to use the default setup for {% data variables.product.prodname_codeql %}. {% endif %}{% ifversion fpt or ghes or ghec %}
| `create_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is created for an organization. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-organization)."{% endif %} {% ifversion fpt or ghec %}
| `disable_oauth_app_restrictions` | Triggered when an owner [disables {% data variables.product.prodname_oauth_app %} access restrictions](/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization) for your organization.{% ifversion ghec %}
| `disable_saml` | Triggered when an organization admin disables SAML single sign-on for an organization.{% endif %}{% endif %}{% ifversion display-ip-org-audit-log %}
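
Review bot: The new `codeql_disabled` and `codeql_enabled` rows give no link for further reading, unlike neighbouring rows such as `audit_log_export` and `block_user`. Link both descriptions to the new "Configuring code scanning at scale" article so that someone reviewing the audit log can see what organization-level enablement covers. The wording also differs between the two rows ("repositories that use the default setup" versus "repositories that are eligible to use the default setup"); confirm that is intended.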

View file

@ -0,0 +1,7 @@
# Issue 9210
# Users can enable default setup for code scanning for all eligible repositories in an organization
versions:
fpt: '*'
ghec: '*'
ghes: '>3.8'
ghae: '>3.8'
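
Review bot: `ghes: '>3.8'` and `ghae: '>3.8'` exclude 3.8 itself, so the gated content first appears in the release after 3.8; confirm that matches the release the feature ships in. The `# Issue 9210` comment would be easier to trace if it named the tracker the number refers to.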

View file

@ -0,0 +1,9 @@
{% ifversion org-enable-code-scanning %}
{% note %}
**Note:** The ability to enable and disable default set up for {% data variables.product.prodname_code_scanning %} for eligible repositories in an organization is currently in beta and subject to change. During the beta release, if you disable {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %} for all repositories this change will not be reflected in the coverage information shown in security overview for the organization. The repositories will still appear to have {% data variables.product.prodname_code_scanning %} enabled in this view.
{% endnote %}
{% endif %}
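
Review bot: The note writes "default set up" where the articles in this commit use "default setup", and the second sentence needs a comma after "for all repositories". Since the note says security overview keeps showing code scanning as enabled after a bulk disable, it would help to tell readers where they can confirm the real state, for example the `codeql_disabled` audit log event documented in this commit.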

View file

@ -0,0 +1 @@
For information about eligible repositories, see [AUTOTITLE](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale#eligible-repositories-default-setup).
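
Review bot: The link in this reusable is not wrapped in quotation marks, while the other `[AUTOTITLE]` links in this commit are written with surrounding quotes, as in see "[AUTOTITLE](...)." Add the quotes so the rendered title is styled consistently wherever the reusable is included.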

View file

@ -1,5 +1,5 @@
{% ifversion fpt or ghec or ghes > 3.4 or ghae > 3.4 %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-label="The codescan icon" %} Code security and analysis**.
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security and analysis**.
{% else %}
1. In the left sidebar, click **Security & analysis**.
!["Security & analysis" tab in organization settings](/assets/images/help/organizations/org-settings-security-and-analysis.png)