GitHub Code Quality in public preview #177488

ebndev · 2025-10-21T21:03:56Z

ebndev
Oct 21, 2025
Maintainer

GitHub Code Quality is now available in public preview! It turns every pull request into an opportunity to improve. With in-context findings, one-click Copilot fixes, and reliability and maintainability scores, you spend less time chasing nits and more time building. It’s there when you need it most, surfacing quality issues both in the pull request and the backlog so you can fix technical debt on your schedule.

Who this is for

Developers and engineering teams who want in‑context feedback about the quality of their code and an easier way to turn technical debt into reviewable fixes.

Highlights

One-click enablement: Try GitHub Code Quality quickly and easily.
Actionable findings: CodeQL-based quality rules detect maintainability and reliability issues in Java, C#, Python, JavaScript, Go, and Ruby.
Reviews in context: See quality findings directly in the pull request with guidance you can immediately act on.
Track progress with quality scores: Quality repository view groups findings by rule so you can prioritize fixes, while reliability and maintainability scores summarize their severity to help you target improvements.

How to try it

If your organization has preview features enabled, go to Settings > Code quality in your repository and enable the feature.
Open a pull request in a supported language and review any inline findings and autofix suggestions.
If you don’t have access yet, ask an organization admin to enable the preview flag for your organization. See more in our documentation on enabling Code Quality.

Coming soon

Organization-level dashboards and enablement to manage code quality at scale.
Test coverage metrics to provide actionable quality data.
APIs to programmatically fetch code quality data or enable it at scale.
Copilot-powered quality recommendations for pull requests to supplement static analysis findings.

Availability and pricing

GitHub Code Quality is available today for GitHub Enterprise Cloud and Team, but not available on Enterprise Server. It's free during the preview period, however scans will incur Actions minutes.

Learn more

Check out our GitHub Code Quality documentation

🌟Leave a comment!

Join the discussion and leave feedback in the comments below!

Disclaimer: The UI for features in public preview is subject to change.

stasostrovskyi · 2025-10-28T18:11:36Z

stasostrovskyi
Oct 28, 2025

This is an amazing feature! Especially great to see a blend of AI scan and CodeQL. I have couple of questions:

Is it the same logic under the hood that is used for new copilot review and this feature?
Is it possible (or is it considered on the roadmap) to customize codeql workflow used by code quality? Our use case would require running on self-hosted agents (which is already available) and have access to the dependency cache so that workflow wouldn't spend a lot of time on downloading dependencies but rather go straight to the analysis?

13 replies

carogalvin Jan 8, 2026

@EelcoLos unfortunately we don't have a specific plan for that at this time :(

EelcoLos Jan 28, 2026

@carogalvin is there going to then be at least adherence to the 'dynamics' part of the CodeQL - Code Quality / Analyze (csharp) (dynamic) dynamic part?. I have PR's that update a package.json and there's a 8 min c# analysis because the monorepo has c#. And if not, not account for github action minutes as it's uncontrollable on my end, except for entirely disabling it?

BOLT04 Feb 6, 2026

@EelcoLos thank you! We are not currently planning on replicating the advanced workflow in Code Quality, but will consider incorporating similar configuration options via the UI.

hi @EelcoLos , do you know by any chance what configuration options we'll have in the UI? For me, the most important is the trigger, I don't want this workflow on every single commit and I want it to be able to not run if the unit tests workflow is still running. It spends github actions minutes, so any configuration to optimize this would be great!

If you can provide any feedback I appreciate it, thanks 🙂

carogalvin Feb 6, 2026

Hi @BOLT04 , we don't have specific items on our roadmap right now for which configuration options we will be adding. Thank you for feedback/request!

carogalvin Feb 6, 2026

@EelcoLos

@carogalvin is there going to then be at least adherence to the 'dynamics' part of the CodeQL - Code Quality / Analyze (csharp) (dynamic) dynamic part?. I have PR's that update a package.json and there's a 8 min c# analysis because the monorepo has c#. And if not, not account for github action minutes as it's uncontrollable on my end, except for entirely disabling it?

If you're having trouble with your CodeQL scans, I recommend discussing in the CodeQL open source repo: https://github.com/github/codeql

marwin1991 · 2025-10-28T22:12:00Z

marwin1991
Oct 28, 2025

Also, we just turned on GitHub Code Quality for our open source organisation!

Check it out here: github.com/logchange

Thanks to the GitHub team for creating this feature — it’s already making our reviews smoother! 🚀

0 replies

eai04191 · 2025-10-29T02:15:26Z

eai04191
Oct 29, 2025

In my repository, I encountered an error and was unable to enable the Code quality feature while the "Require actions to be pinned to a full-length commit SHA" setting was enabled in Actions permissions.

As soon as I disabled this full-length SHA requirement, I was able to enable the feature immediately.

Are these two compatible?

4 replies

garrettld Oct 29, 2025

I ran into this same problem. Even if actions/* and github/codeql-action/* are allowed, this error still appears until you uncheck the "Require actions to be pinned to a full-length commit SHA"

Unchecking the checkbox allows you to enable Code Quality on a repo, and once that's done code quality scans appear to work fine even once you re-check the checkbox.

carogalvin Oct 29, 2025

👋 Hey, I'm the PM who owns this feature at GitHub!

We are working right now on being able to enable this feature even with those particular actions policies; this should be available by the end of November.

jsoref Dec 15, 2025

@carogalvin did this happen? (We're in december)

carogalvin Dec 15, 2025

@jsoref yes! https://github.blog/changelog/2025-11-25-code-scanning-default-setup-bypasses-github-actions-policy-blocks/

sstrullmyer · 2025-10-29T13:24:44Z

sstrullmyer
Oct 29, 2025

Great to see this come to public preview!

Do you anticipate enabling additional quality checkers to provide results to GitHub Code Quality, similar to how GHAS supports uploading SARIF files from tools which are capable of exporting data in that format?

For example, our developers already use popular tools for their respective ecosystems (e.g., ruff for Python) locally and in their pipelines, and being able to understand these code quality findings at scale through GitHub Code Quality would be incredibly helpful

2 replies

carogalvin Nov 3, 2025

@sstrullmyer thanks for your feedback! We don't have 3rd party extensibility on our roadmap at the moment, but I've made note of your feedback.

anviren Feb 5, 2026

A common workaround is a single consolidated PR gate fed by external analyzers. We’re doing this for architecture drift (PR-delta, low noise). Free GitHub app: https://github.com/apps/revieko-architecture-drift-radar

mbenson-smartx · 2025-10-29T13:29:44Z

mbenson-smartx
Oct 29, 2025

This is great and looks like its finding some real issues. It really needs to run on PR and allow the repo to gate based on level (i.e. Warning Error)

4 replies

sstrullmyer Oct 29, 2025

Is this what you have in mind: https://docs.github.com/en/code-security/code-quality/how-tos/set-pr-thresholds#adding-or-updating-a-ruleset-to-include-code-quality

mbenson-smartx Oct 29, 2025

Maybe. I am trying to prevent code getting into main but the code quality appears to only run on main. I want the developer to know as early in the cycle as possible that they need to repair it. I see that a code quality check ran on a PR but I don't see any results.

carogalvin Oct 29, 2025

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

mbenson-smartx Oct 30, 2025

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

Thanks for the update! Loving it so far.

ica-ft · 2025-10-29T14:26:23Z

ica-ft
Oct 29, 2025

Is there some way to get the Code Quality info via the Github API's?

3 replies

carogalvin Oct 29, 2025

👋 Hi @ica-ft , I'm the PM who worked on this feature! We do not have APIs available yet but will be working on those soon; what sort of information will you want to pull from the APIs?

ica-ft Oct 29, 2025

Hey @carogalvin, and thanks for getting back so quickly.

Thinking from a platform perspective, maybe one endpoint for a list of issues found, and an endpoint that gives the total nr of issues. Both endpoints filterable on Severity, Category and language. It would also be nice if the API's could carry a link to the filtered list on Github so you can jump over to more actions on GH.

carogalvin Nov 3, 2025

@ica-ft thanks for your feedback!

zeenix · 2025-10-30T10:05:18Z

zeenix
Oct 30, 2025

Java, C#, Python, JavaScript, Go, and Ruby.

Did you forget to mention Rust or is that somehow not supported despite being the most loved language for several years in a row (according to stackoverflow)? 🤔

1 reply

carogalvin Nov 3, 2025

Hi @zeenix , we don't currently support Rust but are hoping to in the future.

HoangHades · 2025-11-05T07:56:37Z

HoangHades
Nov 5, 2025

I tried to set code quality thresholds for pull requests
However, the merging is blocked with the message Code quality results are pending even if CodeQL passed

16 replies

HoangHades Nov 27, 2025

@cannist
We still got the trouble....

cannist Nov 28, 2025

Hmm, ok. And this persists and does not resolve itself a bit later, @HoangHades? Even if you reload the page? After the workflow has finished we still need to process the uploaded results which could add a bit of delay but should not take too long.
Would you be comfortable sharing a link to the PR? We might have to dig a bit into the logs to find out what is happening here.

HoangHades Dec 3, 2025

@cannist

You can investigate in [this PR]

cannist Dec 3, 2025

Thank you, @HoangHades. I was able to figure out what is happening here. The PR you linked is not a PR against your default branch (even though the branch name sounds like it would be the default branch). Right now code quality will only run on the default branch and on PRs to the default branch. So when configuring the ruleset you should not configure it to cover any branch other than the default one since the rule will always block in these cases.

As @carogalvin wrote above we're looking to expand branch coverage in the future.

HoangHades Dec 4, 2025

@cannist
Thanks for the explanation, that makes sense now
I’ll update the ruleset only to target the default branch
Looking forward to the expanded branch coverage in a future release! 🙌

jsoref · 2025-11-05T14:29:36Z

jsoref
Nov 5, 2025

It needs to be easy to tell Code Quality to ignore specific files (especially minified files).

https://github.com/check-spelling-sandbox/adk-python/security/quality

src/google/adk/cli/browser/main-MIUNGJ3Y.js (295)

1 reply

carogalvin Nov 6, 2025

Thank you for this feedback!

jsoref · 2025-11-05T14:33:43Z

jsoref
Nov 5, 2025

Preview unavailable sometimes appears for minified files (but confusingly not always).

Consider:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Funreachable-statement

Compare:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Fuseless-expression

1 reply

jf205 Nov 5, 2025

Thanks for the report @jsoref. We will look into this!

alijrizvi · 2025-11-05T15:33:58Z

alijrizvi
Nov 5, 2025

This has the potential to be so useful! Reviewing your work and getting valuable feedback is so crucial, and this will be another way for organizations to do so; even individuals can improve their work from such feedback. Good stuff!

0 replies

grahame-student · 2025-11-06T11:00:52Z

grahame-student
Nov 6, 2025

I found this dashboard really helpful, a couple of potential features I'd love to see

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary
Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

2 replies

jf205 Nov 6, 2025

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

grahame-student Nov 6, 2025

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

When the collapsible rules were expanded, I'd expected to be able to use the individual entries to be able to navigate to those specific lines of code. I missed that the text of the collapsible rule itself could be clicked to see all of the instances!

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

Awesome, I look forward to seeing this feature improve further!

grahame-student · 2025-11-06T12:43:06Z

grahame-student
Nov 6, 2025

I see that CodeQL already supports C / C++, are there any plans to extend this feature to officially support them too?

1 reply

carogalvin Nov 6, 2025

Yes, expansion to C/C++ is something we'd like to get to in the future, but we do not currently have a target date for this.

UbiquitousBear · 2025-11-09T14:35:24Z

UbiquitousBear
Nov 9, 2025

Hey @carogalvin - congrats on the public preview release! I’m using it in a few personal projects, and love it!

Do you see this becoming available in GHES in a future release?

1 reply

sj Nov 14, 2025

Hi! Thanks for your question! Let me jump in here while Caro is enjoying some well-deserved time off. The new Code Quality product has AI detections (+ CodeQL) and AI remediations at its very core. At the moment, we can't offer those on GHES.

However, we're keeping a close eye on customer feedback on this front (like yours!) to help us decide whether we need to change this direction going forward. If we do, we'll make sure to announce it here and on the GitHub public roadmap.

ahmedsza · 2025-11-10T12:27:22Z

ahmedsza
Nov 10, 2025

@carogalvin
Is Code quality available for public repos? The docs seem to indicate it is but I do not see the option in settings
the docs at https://docs.github.com/en/code-security/code-quality/how-tos/enable-code-quality say - GitHub Code Quality is available for:
Public repositories on GitHub.com. When i look at settings i do not see code quality.

is there something else I need to do?

I checked a few repos and not available in any.

5 replies

charisk Nov 10, 2025

Apologies @ahmedsza, this looks like to be a mistake in our docs. The feature is not yet available to public repos that are not part of an organization. We'll fix the docs as soon as possible.

ahmedsza Nov 10, 2025

Thank @charisk . Any timelines on if/when it will be available

charisk Nov 10, 2025

Nothing we can share at the moment unfortunately.

ahmedsza Nov 10, 2025

thank you for the speedy responses @charisk

jsoref Nov 14, 2025

Fwiw, there are quite a few features that are available to organizations and not user repositories. As a non GitHub employee, I strongly encourage everyone to favor doing their work in organizations instead of in their personal account. You can create organizations for free, so you could just create one named {user}-org.

One feature that's quite valuable is being able to view hosted runners:
https://github.com/organizations/{org}/settings/actions/hosted-runners
-- your user account has a limit, but you can't see which repositories are burning through it w/o opening each repository in your user (as someone w/ >3000, that's really infeasible), but w/ an org, that isn't a problem since there's a view for it.

jacques-bernier · 2025-11-28T05:37:24Z

jacques-bernier
Nov 28, 2025

Still can't overlay test coverage. 😏

3 replies

carogalvin Nov 28, 2025

Nope, but we're working on it! :)

ajay-kumar-kone Feb 3, 2026

any updates on "Test coverage metrics"?

carogalvin Feb 3, 2026

We're working on it and it will be available by our general availability, which we're currently targeting for June.

rmuir · 2025-12-03T12:51:15Z

rmuir
Dec 3, 2025

Wanted to test on our GHE, but doesn't worked with forked pull requests...

0 replies

rstarks-aura · 2025-12-03T21:28:45Z

rstarks-aura
Dec 3, 2025

The new dismiss function is very cumbersome especially when it has multiple false positives. You have no click the dismiss button which opens a modal to select a reason and when you close the modal it scrolls back to the top of the PR review which causes you to lose your place with in the review.

We are running into this issue multiple times when it catches a potential null reference issue even though it may have been checked at a higher level in the sequence of events/methods or even if its marked required at a model level but is leveraging nullability for other technical reasons.

1 reply

AlonaHlobina Dec 4, 2025

Thank you for the feedback, @rstarks-aura. We will look into it.
May you clarify what you mean by saying:

We are running into this issue multiple times when it catches a potential null reference issue even though it may have been checked at a higher level in the sequence of events/methods or even if its marked required at a model level but is leveraging nullability for other technical reasons.

May you provide an example? Thanks

lancefrench · 2025-12-10T04:08:03Z

lancefrench
Dec 10, 2025

Our initial Code Quality testing with java revealed some missing checks that we would expect from static analysis. For example try-with-resources wasn't found in a sample PR we opened.

The integration between CodeQL custom queries and the Code Quality product is a bit murky. It seems like there are resource leak rules in the CodeQL repo, so we're a bit confused why we didn't get a hit.

2 replies

jsoref Dec 10, 2025

My presumption is that this feature is limited to the core codeql bits and not custom queries, after all, the feature should enable a user to compare differing repositories using a benchmark (the code quality reports).

carogalvin Dec 10, 2025

The CodeQL repo is a collection of all the queries that have been written/merged, but the suites that we include in the product are just a curated subset. We do not currently support custom queries/suites/packs in the code quality product, but this is something we may explore in the future.

We regularly review and adjust our queries to ensure they have high coverage without being overly noisy; thank you for your feedback and we'll take this into consideration for our next update!

jsoref · 2025-12-19T17:40:29Z

jsoref
Dec 19, 2025

I've been mostly sending feedback out of band, but there are two discussions to which I have access where people are talking about this feature, and it seemed like I should share some other notes:

Consider:

Switch to NextJS The-Scratch-Channel/tsc-web-client#192 (comment)

Problems:

The bot has the @ghost avatar instead of its own
There should be a distinct bot for when the bot is using ai and when it isn't. github-code-quality is two things and people in at least the other discussion are clearly very confused about when AI is used and when it isn't.
As someone who works with some projects that have a policy against AI contributions, it'd be convenient to be able to filter/block the AI flavor of the bot, but given that the bot appears to be saying "I'm normal github-code-quality", only later to say "p.s. I'm using copilot".

1 reply

carogalvin Dec 19, 2025

Hi @jsoref , thanks for that feedback! Definitely unusual that the ghost avatar is being used 🤔

With regards to the point about AI - in the screenshot you highlighted, the finding is done via CodeQL, but the fix is generated using Copilot. We do not have an option to disable use of AI here at this time.

Early in the new year, we will be unifying code quality with copilot code review, at which point all quality reviews will be presented through Copilot as a reviewer for both AI and non-AI findings.

mprins · 2026-01-12T09:50:12Z

mprins
Jan 12, 2026

The github-code-quality bot appears to ignore @SuppressWarnings("unused") and in a case like below flags each and every parameter with a comment.

  @JsonCreator(mode = JsonCreator.Mode.PROPERTIES)
  public TailormapOidcUserMixin(
      @SuppressWarnings("unused") @JsonProperty("claims") Map<String, Object> claims,
      @SuppressWarnings("unused") @JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
      @SuppressWarnings("unused") @JsonProperty("attributes") Map<String, Object> attributes,
      @SuppressWarnings("unused") @JsonProperty("nameAttributeKey") String nameAttributeKey,
      @SuppressWarnings("unused") @JsonProperty("oidcRegistrationName") String oidcRegistrationName,
      @SuppressWarnings("unused") @JsonProperty("additionalGroupProperties")
          Collection<TailormapAdditionalProperty> additionalGroupProperties) {
    // mixin constructor only for Jackson 2; no implementation
  }

Annoyingly it triggers again on a file after a commit to the branch (not changing the file) and even if the comments were dismissed it will generate the comments again, creating a great deal of noise, see eg. Tailormap/tailormap-api#1536

1 reply

AlonaHlobina Jan 14, 2026

Hi @mprins, thank you for the feedback. I see how the suppress comment functionality would be useful in these cases. We will look into prioritizing this, though please note that suppress comments are not currently supported by Code Quality.

Regarding the dismiss functionality, it is unintentional that it isn't working. If I understand correctly, the finding gets dismissed but then reappears in a new comment on the next commit. We'll take a closer look to investigate.

carlspring · 2026-01-14T02:48:51Z

carlspring
Jan 14, 2026

Hey guys,

I've just published an article on Medium titled "What Is GitHub Code Quality?.

This is more of an intro. I'll also have a follow-up one shortly on how to set it up and configure it.

I hope you find it useful! :)

0 replies

henriksjostrom · 2026-02-06T15:59:10Z

henriksjostrom
Feb 6, 2026

I find this mostly useful my team has been using it for around 2 months now.

However what is starting to become bother some is that we can't figure out how to disable some of the rules. If we can configure the scan the way we want we can put in restrictions etc to make this code quality metrics accurate but as is its too much false positives for us.

How can I exclude some rules from the code quality scan?

3 replies

henriksjostrom Feb 6, 2026

We'd also like to add our other scanners to code quality rather than to code scanning where its implied to be security issues rather than just code quality. How do we do this?

carogalvin Feb 6, 2026

Thanks for this feedback @henriksjostrom ! We do not currently have any way to disable individual rules, though this is something we are considering for the future (no timeline yet). Similarly we do not have the ability to add other scanners to code quality at this time.

bgrainger Feb 6, 2026

Related to disabling individual rules, I'd like to customize which files are analyzed; https://github.com/orgs/community/discussions/186446.

UbiquitousBear · 2026-02-09T14:36:32Z

UbiquitousBear
Feb 9, 2026

I see that:

GitHub Code Quality is available today for GitHub Enterprise Cloud and Team, but not available on Enterprise Server. It's free during the preview period, however scans will incur Actions minutes.

However, #1210 seems to indicate GA for this; is this or not being included in GHES 3.23?

4 replies

carogalvin Feb 9, 2026

At this time, we do not plan for GitHub Code Quality to be included in GHES 3.23, and will update the roadmap issue if this changes.

jsoref Feb 9, 2026

Can you fix the labels on GitHub Code Quality [GA] github/roadmap#1211
GitHub Code Quality [GA] github/roadmap#1211 (comment)

UbiquitousBear Feb 9, 2026

Thanks @carogalvin, can the ticket be updated appropriately in the roadmap? I’ve had management ask about it and point specifically to the ticket as linked.

carogalvin Feb 9, 2026

Thanks for calling this out, I will get it fixed and remove the GHES tags.

hfhbd · 2026-02-15T18:29:04Z

hfhbd
Feb 15, 2026

Are there any plans to support 3rd party tools via a Sarif file (uploading them via the REST api) to use Code Quality without Copilot/CodeQL as a platform feature?

7 replies

jf205 Feb 23, 2026

Ok, thanks for the extra information 👍🏻

carlspring Feb 23, 2026

How about the case, where in a large corporation you have to use several different tools, such as for example Checkmarx One, PMD, etc. where you're supposed to use one tool to scan one language and another -- for a different? (I'm not saying that they don't overlap, but in certain cases Tool A is better at catching issues, in -- say Java with frameworks X, Y, Z, the Tool B). Many of these tools have some degree of support for SARIF2 or you have to script this out yourself. With GHAS, it's possible to upload the SARIF2 report using the codeql-upload GitHub Action. It would be great, if this could somehow be integrated with Code Quality as well?

jsoref Feb 23, 2026

I feel like I, as a non GitHub staff, am missing something.

Do you find the Code Quality UI much better than the "legacy" Code scanning endpoint (https://github.com/:owner/:repository/security/code-scanning)?

https://github.com/check-spelling-sandbox/tessdoc/security/code-scanning/5797

jf205 Feb 24, 2026

@jsoref thanks for the feedback on the UI. We have built the code quality UI slightly differently from the code scanning (security-focused) experience based on our research into the way devs interact with quality findings vs security alerts. However, I do acknowledge that we haven't released the perfect UX for code quality yet. In particular I am aware that it can be improved by making it easier to browse, triage and fix/dismiss larger numbers of findings. I also really appreciate the feedback that you and others have provided for us ❤️. I'm happy to say that we'll be releasing some improvements in coming weeks.

jsoref Feb 24, 2026

@jf205: my question was more addressed to @hfhbd + @carlspring ...

certainly if you exposed the reporting endpoint publicly, I'd consider setting it up so that my tooling could use it. But I'm really wondering if there are specific reasons people would ask to have their other tools lumped into this endpoint/ux or if it's really just "we don't want people to have to use multiple different views to interact with things we think of as more or less the same".

I think at the moment there are effectively three apis for submitting sarif reports (the public endpoint used by github/codeql-action/upload-sarif, the private codeql-api [which check-spelling uses because it's far superior to the endpoint used by github/upload-sarif], and presumably the new endpoint that's used for code quality). I'd be surprised if the new endpoint actually supported more features of the sarif standard (as it happens, check-spelling hasn't really needed much of the standard, although I do now have a couple of places where I could use some basic features that I haven't bothered using -- e.g. pointing to lines that led up to a problem).

While Code Quality has a refreshed ui when compared to the Code Scanning Alerts, I'm not sure I've seen anything in the UI wrt actual alerts that would lead me to demand access to the upload API.

edgarvonk · 2026-02-23T08:40:30Z

edgarvonk
Feb 23, 2026

Is it possible to add instructions for GitHub Code Quality? We notice in our project that, unlike Copilot or other AI agents, GitHub Code Quality does not seem to 'listen' to any of our instructions in our AGENTS.md or in our .github/copilot-instructions.md. This leads to certain continuous false positives by GitHub Code Quality checks on our pull requests and this in turn leads to frustration in our team.

See for example infonl/dimpact-zaakafhandelcomponent#5357 (review) Here the issue is in our project we use the Given, When, Then BDD style convention for our Kotlin tests, and GitHub Code Quality does not seem to agree.

4 replies

AlonaHlobina Feb 23, 2026

Hi @edgarvonk,

Thanks for reaching out! While this isn’t currently on our roadmap, I’d love to learn more about your use case. Could you share a bit more about the specific types of instructions you’re looking for us to support?

jsoref Feb 23, 2026

https://github.com/infonl/dimpact-zaakafhandelcomponent/blob/main/AGENTS.md#code-conventions should have prevented the bot from writing: chore: add a PABC readiness check infonl/dimpact-zaakafhandelcomponent#5357 (comment)

edgarvonk Feb 23, 2026

Yes, that is my point indeed @jsoref :-)

edgarvonk Feb 23, 2026

E.g. Copilot itself, either as PR reviewer or in our IDEs reads our AGENT.md instructions well (and also looks at how we wrote our other existing tests, depending on which mode we run the bot), but the GitHub Code Quality bot does not seem to do any of that.

OpenSource-For-Freedom · 2026-02-24T18:25:09Z

OpenSource-For-Freedom
Feb 24, 2026

Hello Github Family, we’ve been evaluating Code Quality internally and really like the direction, I personally enjoy the deep approach of base "code" quality and maintainability updates it offers.

A major requirement for us internally is the ability to create custom code quality rules so the tool can reflect our engineering standards and architectural patterns.
From what we can tell, the current rules appear to be curated and not customizable, essentially coming “à la carte.” Is there any plan to support custom rules or rule configuration in the future?

Is support for custom rules (similar to: custom CodeQL queries, rule configuration, or similar extensibility) something that’s planned? This would be a big unlock for enterprise adoption on our side.

Thanks 🚀

0 replies

kristof-mattei · 2026-02-28T00:24:30Z

kristof-mattei
Feb 28, 2026

Is there a way to run code-quality ourselves (without the dynamic on)?

I have come up with this:

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "CodeQL"

on:
  #   dynamic:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "32 20 * * 5"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }} - ${{ matrix.analysis-kinds }})
    runs-on: "ubuntu-latest"
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - analysis-kinds: code-scanning
            language: actions
            category: /language:actions
            config: actions.yaml
            build-mode: none
            queries: "security-extended,security-and-quality"
            upload-database: true
          - analysis-kinds: code-scanning,code-quality
            language: javascript-typescript
            category: /language:javascript-typescript
            config: typescript.yaml
            build-mode: none
            queries: "security-extended,security-and-quality"
            upload-database: true
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          show-progress: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          analysis-kinds: ${{ matrix.analysis-kinds }}
          config-file: .github/codeql/${{ matrix.config }}
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: ${{ matrix.queries }}
          dependency-caching: ${{ runner.environment == 'github-hosted' }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: ${{ matrix.category }}
          upload-database: ${{ matrix.upload-database }}

I know analysis-kinds is [Internal], but I am getting flooded with warnings of files in /dist, and I can't easily change format to remove committing compiled code to the repo (this is for a GitHub Action if you believe).

So in the config I have a paths-ignore.

Problem:

Having this workflow doesn't remove the dynamic one, and thus I don't control which one wins in terms of uploading its results. If mine wins, good results. If the dynamic one wins, bad results.

(and I don't want to put in a sleep in mine to artificially delay it so it is always the latest...)

The results above are trial and error based on `CODE_SCANNING_WORKFLOW_FILE

There are probably bugs in here (upload-database?).

1 reply

OpenSource-For-Freedom Mar 2, 2026

So I had the exact same thought.

Call the same pack, pinpoint file paths and provide the automation on trigger, push to security tab.

I wanted to dabble too in custom quieries alongside "Quality" because I see a lot of noise around items not really pertaining to the env. Great file by the way.

I'm a bigger fan of Advanced configs mostly for that: pinpoint "What do we need to see" not "What blob does the query result packs have today"

I think the strongest suite of CodeQL is that, "Custom, Open Source and expandable" and the expansiveness is the custom side of the workflow. @kristof-mattei

This comment has been minimized.

Sign in to view

This comment was marked as off-topic.

Sign in to view

GitHub Code Quality in public preview #177488

Uh oh!

Uh oh!

ebndev Oct 21, 2025 Maintainer

Who this is for

Highlights

How to try it

Coming soon

Availability and pricing

Learn more

🌟Leave a comment!

Replies: 40 comments · 94 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ebndev
Oct 21, 2025
Maintainer

Replies: 40 comments 94 replies