GitHub Code Quality in public preview

[ebndev]

GitHub Code Quality is now available in public preview! It turns every pull request into an opportunity to improve. With in-context findings, one-click Copilot fixes, and reliability and maintainability scores, you spend less time chasing nits and more time building. It’s there when you need it most, surfacing quality issues both in the pull request and the backlog so you can fix technical debt on your schedule.

Who this is for

Developers and engineering teams who want in‑context feedback about the quality of their code and an easier way to turn technical debt into reviewable fixes.

Highlights

• One-click enablement: Try GitHub Code Quality quickly and easily.
• Actionable findings: CodeQL-based quality rules detect maintainability and reliability issues in Java, C#, Python, JavaScript, Go, and Ruby.
• Reviews in context: See quality findings directly in the pull request with guidance you can immediately act on.
• Track progress with quality scores: Quality repository view groups findings by rule so you can prioritize fixes, while reliability and maintainability scores summarize their severity to help you target improvements.

How to try it

1. If your organization has preview features enabled, go to Settings > Code quality in your repository and enable the feature.
2. Open a pull request in a supported language and review any inline findings and autofix suggestions.
3. If you don’t have access yet, ask an organization admin to enable the preview flag for your organization. See more in our documentation on enabling Code Quality.

Coming soon

• Organization-level dashboards and enablement to manage code quality at scale.
• Test coverage metrics to provide actionable quality data.
• APIs to programmatically fetch code quality data or enable it at scale.
• Copilot-powered quality recommendations for pull requests to supplement static analysis findings.

Availability and pricing

GitHub Code Quality is available today for GitHub Enterprise Cloud and Team, but not available on Enterprise Server. It's free during the preview period, however scans will incur Actions minutes.

Learn more

Check out our GitHub Code Quality documentation

🌟Leave a comment!

Join the discussion and leave feedback in the comments below!

Disclaimer: The UI for features in public preview is subject to change.

[stasostrovskyi]

This is an amazing feature! Especially great to see a blend of AI scan and CodeQL. I have couple of questions:

• Is it the same logic under the hood that is used for new copilot review and this feature?
• Is it possible (or is it considered on the roadmap) to customize codeql workflow used by code quality? Our use case would require running on self-hosted agents (which is already available) and have access to the dependency cache so that workflow wouldn't spend a lot of time on downloading dependencies but rather go straight to the analysis?

[carogalvin]

@EelcoLos unfortunately we don't have a specific plan for that at this time :(

[EelcoLos]

@carogalvin is there going to then be at least adherence to the 'dynamics' part of the CodeQL - Code Quality / Analyze (csharp) (dynamic) dynamic part?. I have PR's that update a package.json and there's a 8 min c# analysis because the monorepo has c#. And if not, not account for github action minutes as it's uncontrollable on my end, except for entirely disabling it?

[BOLT04]

@EelcoLos thank you! We are not currently planning on replicating the advanced workflow in Code Quality, but will consider incorporating similar configuration options via the UI.

hi @EelcoLos , do you know by any chance what configuration options we'll have in the UI? For me, the most important is the trigger, I don't want this workflow on every single commit and I want it to be able to not run if the unit tests workflow is still running. It spends github actions minutes, so any configuration to optimize this would be great!

If you can provide any feedback I appreciate it, thanks 🙂

[carogalvin]

Hi @BOLT04 , we don't have specific items on our roadmap right now for which configuration options we will be adding. Thank you for feedback/request!

[carogalvin]

@EelcoLos

@carogalvin is there going to then be at least adherence to the 'dynamics' part of the CodeQL - Code Quality / Analyze (csharp) (dynamic) dynamic part?. I have PR's that update a package.json and there's a 8 min c# analysis because the monorepo has c#. And if not, not account for github action minutes as it's uncontrollable on my end, except for entirely disabling it?

If you're having trouble with your CodeQL scans, I recommend discussing in the CodeQL open source repo: https://github.com/github/codeql

[marwin1991]

Also, we just turned on GitHub Code Quality for our open source organisation!

Check it out here: github.com/logchange

Thanks to the GitHub team for creating this feature — it’s already making our reviews smoother! 🚀

[eai04191]

In my repository, I encountered an error and was unable to enable the Code quality feature while the "Require actions to be pinned to a full-length commit SHA" setting was enabled in Actions permissions.

As soon as I disabled this full-length SHA requirement, I was able to enable the feature immediately.

Are these two compatible?

[garrettld]

I ran into this same problem. Even if actions/* and github/codeql-action/* are allowed, this error still appears until you uncheck the "Require actions to be pinned to a full-length commit SHA"

Unchecking the checkbox allows you to enable Code Quality on a repo, and once that's done code quality scans appear to work fine even once you re-check the checkbox.

[carogalvin]

👋 Hey, I'm the PM who owns this feature at GitHub!

We are working right now on being able to enable this feature even with those particular actions policies; this should be available by the end of November.

[jsoref]

@carogalvin did this happen? (We're in december)

[carogalvin]

@jsoref yes! https://github.blog/changelog/2025-11-25-code-scanning-default-setup-bypasses-github-actions-policy-blocks/

[sstrullmyer]

Great to see this come to public preview!

Do you anticipate enabling additional quality checkers to provide results to GitHub Code Quality, similar to how GHAS supports uploading SARIF files from tools which are capable of exporting data in that format?

For example, our developers already use popular tools for their respective ecosystems (e.g., ruff for Python) locally and in their pipelines, and being able to understand these code quality findings at scale through GitHub Code Quality would be incredibly helpful

[carogalvin]

@sstrullmyer thanks for your feedback! We don't have 3rd party extensibility on our roadmap at the moment, but I've made note of your feedback.

[anviren]

A common workaround is a single consolidated PR gate fed by external analyzers. We’re doing this for architecture drift (PR-delta, low noise). Free GitHub app: https://github.com/apps/revieko-architecture-drift-radar

[mbenson-smartx]

This is great and looks like its finding some real issues. It really needs to run on PR and allow the repo to gate based on level (i.e. Warning Error)

[sstrullmyer]

Is this what you have in mind: https://docs.github.com/en/code-security/code-quality/how-tos/set-pr-thresholds#adding-or-updating-a-ruleset-to-include-code-quality

[mbenson-smartx]

Maybe. I am trying to prevent code getting into main but the code quality appears to only run on main. I want the developer to know as early in the cycle as possible that they need to repair it. I see that a code quality check ran on a PR but I don't see any results.

[carogalvin]

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

[mbenson-smartx]

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

Thanks for the update! Loving it so far.

[ica-ft]

Is there some way to get the Code Quality info via the Github API's?

[carogalvin]

👋 Hi @ica-ft , I'm the PM who worked on this feature! We do not have APIs available yet but will be working on those soon; what sort of information will you want to pull from the APIs?

[ica-ft]

Hey @carogalvin, and thanks for getting back so quickly.

Thinking from a platform perspective, maybe one endpoint for a list of issues found, and an endpoint that gives the total nr of issues. Both endpoints filterable on Severity, Category and language. It would also be nice if the API's could carry a link to the filtered list on Github so you can jump over to more actions on GH.

[carogalvin]

@ica-ft thanks for your feedback!

[zeenix]

Java, C#, Python, JavaScript, Go, and Ruby.

Did you forget to mention Rust or is that somehow not supported despite being the most loved language for several years in a row (according to stackoverflow)? 🤔

[carogalvin]

Hi @zeenix , we don't currently support Rust but are hoping to in the future.

[HoangHades]

I tried to set code quality thresholds for pull requests
However, the merging is blocked with the message Code quality results are pending even if CodeQL passed

[HoangHades]

@cannist
We still got the trouble....

[cannist]

Hmm, ok. And this persists and does not resolve itself a bit later, @HoangHades? Even if you reload the page? After the workflow has finished we still need to process the uploaded results which could add a bit of delay but should not take too long.
Would you be comfortable sharing a link to the PR? We might have to dig a bit into the logs to find out what is happening here.

[HoangHades]

@cannist

You can investigate in [this PR]

[cannist]

Thank you, @HoangHades. I was able to figure out what is happening here. The PR you linked is not a PR against your default branch (even though the branch name sounds like it would be the default branch). Right now code quality will only run on the default branch and on PRs to the default branch. So when configuring the ruleset you should not configure it to cover any branch other than the default one since the rule will always block in these cases.

As @carogalvin wrote above we're looking to expand branch coverage in the future.

[HoangHades]

@cannist
Thanks for the explanation, that makes sense now
I’ll update the ruleset only to target the default branch
Looking forward to the expanded branch coverage in a future release! 🙌

[jsoref]

It needs to be easy to tell Code Quality to ignore specific files (especially minified files).

https://github.com/check-spelling-sandbox/adk-python/security/quality

src/google/adk/cli/browser/main-MIUNGJ3Y.js (295)

[carogalvin]

Thank you for this feedback!

[jsoref]

Preview unavailable sometimes appears for minified files (but confusingly not always).

Consider:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Funreachable-statement

Compare:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Fuseless-expression

[jf205]

Thanks for the report @jsoref. We will look into this!

[alijrizvi]

This has the potential to be so useful! Reviewing your work and getting valuable feedback is so crucial, and this will be another way for organizations to do so; even individuals can improve their work from such feedback. Good stuff!

[grahame-student]

I found this dashboard really helpful, a couple of potential features I'd love to see

• Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary
• Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

[jf205]

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

[grahame-student]

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

When the collapsible rules were expanded, I'd expected to be able to use the individual entries to be able to navigate to those specific lines of code. I missed that the text of the collapsible rule itself could be clicked to see all of the instances!

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

Awesome, I look forward to seeing this feature improve further!

[grahame-student]

I see that CodeQL already supports C / C++, are there any plans to extend this feature to officially support them too?

[carogalvin]

Yes, expansion to C/C++ is something we'd like to get to in the future, but we do not currently have a target date for this.

[UbiquitousBear]

Hey @carogalvin - congrats on the public preview release! I’m using it in a few personal projects, and love it!

Do you see this becoming available in GHES in a future release?

[sj]

Hi! Thanks for your question! Let me jump in here while Caro is enjoying some well-deserved time off. The new Code Quality product has AI detections (+ CodeQL) and AI remediations at its very core. At the moment, we can't offer those on GHES.

However, we're keeping a close eye on customer feedback on this front (like yours!) to help us decide whether we need to change this direction going forward. If we do, we'll make sure to announce it here and on the GitHub public roadmap.

[ahmedsza]

@carogalvin
Is Code quality available for public repos? The docs seem to indicate it is but I do not see the option in settings
the docs at https://docs.github.com/en/code-security/code-quality/how-tos/enable-code-quality say - GitHub Code Quality is available for:
Public repositories on GitHub.com. When i look at settings i do not see code quality.

is there something else I need to do?

I checked a few repos and not available in any.

[charisk]

Apologies @ahmedsza, this looks like to be a mistake in our docs. The feature is not yet available to public repos that are not part of an organization. We'll fix the docs as soon as possible.

[ahmedsza]

Thank @charisk . Any timelines on if/when it will be available

[charisk]

Nothing we can share at the moment unfortunately.

[ahmedsza]

thank you for the speedy responses @charisk

[jsoref]

Fwiw, there are quite a few features that are available to organizations and not user repositories. As a non GitHub employee, I strongly encourage everyone to favor doing their work in organizations instead of in their personal account. You can create organizations for free, so you could just create one named {user}-org.

One feature that's quite valuable is being able to view hosted runners:
https://github.com/organizations/{org}/settings/actions/hosted-runners
-- your user account has a limit, but you can't see which repositories are burning through it w/o opening each repository in your user (as someone w/ >3000, that's really infeasible), but w/ an org, that isn't a problem since there's a view for it.

[henriksjostrom]

I find this mostly useful my team has been using it for around 2 months now.

However what is starting to become bother some is that we can't figure out how to disable some of the rules. If we can configure the scan the way we want we can put in restrictions etc to make this code quality metrics accurate but as is its too much false positives for us.

How can I exclude some rules from the code quality scan?

[henriksjostrom]

We'd also like to add our other scanners to code quality rather than to code scanning where its implied to be security issues rather than just code quality. How do we do this?

[carogalvin]

Thanks for this feedback @henriksjostrom ! We do not currently have any way to disable individual rules, though this is something we are considering for the future (no timeline yet). Similarly we do not have the ability to add other scanners to code quality at this time.

[bgrainger]

Related to disabling individual rules, I'd like to customize which files are analyzed; https://github.com/orgs/community/discussions/186446.

[UbiquitousBear]

I see that:

GitHub Code Quality is available today for GitHub Enterprise Cloud and Team, but not available on Enterprise Server. It's free during the preview period, however scans will incur Actions minutes.

However, #1210 seems to indicate GA for this; is this or not being included in GHES 3.23?

[carogalvin]

At this time, we do not plan for GitHub Code Quality to be included in GHES 3.23, and will update the roadmap issue if this changes.

[jsoref]

• Can you fix the labels on GitHub Code Quality [GA] github/roadmap#1211
• GitHub Code Quality [GA] github/roadmap#1211 (comment)
  

[UbiquitousBear]

Thanks @carogalvin, can the ticket be updated appropriately in the roadmap? I’ve had management ask about it and point specifically to the ticket as linked.

[carogalvin]

Thanks for calling this out, I will get it fixed and remove the GHES tags.

[hfhbd]

Are there any plans to support 3rd party tools via a Sarif file (uploading them via the REST api) to use Code Quality without Copilot/CodeQL as a platform feature?

[jf205]

Ok, thanks for the extra information 👍🏻

[carlspring]

How about the case, where in a large corporation you have to use several different tools, such as for example Checkmarx One, PMD, etc. where you're supposed to use one tool to scan one language and another -- for a different? (I'm not saying that they don't overlap, but in certain cases Tool A is better at catching issues, in -- say Java with frameworks X, Y, Z, the Tool B). Many of these tools have some degree of support for SARIF2 or you have to script this out yourself. With GHAS, it's possible to upload the SARIF2 report using the codeql-upload GitHub Action. It would be great, if this could somehow be integrated with Code Quality as well?

[jsoref]

I feel like I, as a non GitHub staff, am missing something.

Do you find the Code Quality UI much better than the "legacy" Code scanning endpoint (https://github.com/:owner/:repository/security/code-scanning)?

https://github.com/check-spelling-sandbox/tessdoc/security/code-scanning/5797

[jf205]

@jsoref thanks for the feedback on the UI. We have built the code quality UI slightly differently from the code scanning (security-focused) experience based on our research into the way devs interact with quality findings vs security alerts. However, I do acknowledge that we haven't released the perfect UX for code quality yet. In particular I am aware that it can be improved by making it easier to browse, triage and fix/dismiss larger numbers of findings. I also really appreciate the feedback that you and others have provided for us ❤️. I'm happy to say that we'll be releasing some improvements in coming weeks.

[jsoref]

@jf205: my question was more addressed to @hfhbd + @carlspring ...

certainly if you exposed the reporting endpoint publicly, I'd consider setting it up so that my tooling could use it. But I'm really wondering if there are specific reasons people would ask to have their other tools lumped into this endpoint/ux or if it's really just "we don't want people to have to use multiple different views to interact with things we think of as more or less the same".

I think at the moment there are effectively three apis for submitting sarif reports (the public endpoint used by github/codeql-action/upload-sarif, the private codeql-api [which check-spelling uses because it's far superior to the endpoint used by github/upload-sarif], and presumably the new endpoint that's used for code quality). I'd be surprised if the new endpoint actually supported more features of the sarif standard (as it happens, check-spelling hasn't really needed much of the standard, although I do now have a couple of places where I could use some basic features that I haven't bothered using -- e.g. pointing to lines that led up to a problem).

While Code Quality has a refreshed ui when compared to the Code Scanning Alerts, I'm not sure I've seen anything in the UI wrt actual alerts that would lead me to demand access to the upload API.

[edgarvonk]

Is it possible to add instructions for GitHub Code Quality? We notice in our project that, unlike Copilot or other AI agents, GitHub Code Quality does not seem to 'listen' to any of our instructions in our AGENTS.md or in our .github/copilot-instructions.md. This leads to certain continuous false positives by GitHub Code Quality checks on our pull requests and this in turn leads to frustration in our team.

See for example infonl/dimpact-zaakafhandelcomponent#5357 (review) Here the issue is in our project we use the Given, When, Then BDD style convention for our Kotlin tests, and GitHub Code Quality does not seem to agree.

[jsoref]

• https://github.com/infonl/dimpact-zaakafhandelcomponent/blob/main/AGENTS.md#code-conventions should have prevented the bot from writing: chore: add a PABC readiness check infonl/dimpact-zaakafhandelcomponent#5357 (comment)

[edgarvonk]

Yes, that is my point indeed @jsoref :-)

[edgarvonk]

E.g. Copilot itself, either as PR reviewer or in our IDEs reads our AGENT.md instructions well (and also looks at how we wrote our other existing tests, depending on which mode we run the bot), but the GitHub Code Quality bot does not seem to do any of that.

[thirstyape]

This.

I've just enabled GH Code Quality on several repos and the results remind me of the kind of thing that Copilot Code Review would spit out in its early days and prior to implementation of .github/copilot-instructions.md. The suggestions I am seeing are primarily stylistic items that really are more of opinion than quality.

One prime example being use of ternary instead of if/else. It seems like the larger context is completely ignored when this type of issue is detected. But in reality there are reasons to use the ternary operator and there are reasons to use an if/else statement; both have their place. My team, myself, and now even Copilot are all implementing these in a way that works well and is easily maintainable. So when I go to do a code review and it is littered with this type of fix, it really burns both my time and remaining brain power for the day.

In our case, the customization aspect is key. The existing combination of organization level and repo level instructions would work well; however, having a different set of instructions would also work, for example .github/code-quality-instructions.md.

I will probably disable the feature on most repos for now as it is just a distraction. Hope to see some progress on customization soon :)

Also, here is a snippet from our org customizations that saves me a ton of headache due to pointless suggestions for over-optimization and stylistic only changes.

**Do NOT flag these as issues (unless they cause a bug or measurable perf harm):**
- Stylistic boolean negation preferences (e.g., `!myVariable` vs `myVariable == false`).
- Ternary suggestions where both branches assign to the same variable—do not propose refactors solely for style.

[carogalvin]

@thirstyape thank you for this additional feedback!

[OpenSource-For-Freedom]

Hello Github Family, we’ve been evaluating Code Quality internally and really like the direction, I personally enjoy the deep approach of base "code" quality and maintainability updates it offers.

• A major requirement for us internally is the ability to create custom code quality rules so the tool can reflect our engineering standards and architectural patterns.

• From what we can tell, the current rules appear to be curated and not customizable, essentially coming “à la carte.” Is there any plan to support custom rules or rule configuration in the future?

Is support for custom rules (similar to: custom CodeQL queries, rule configuration, or similar extensibility) something that’s planned? This would be a big unlock for enterprise adoption on our side.

Thanks 🚀

[carogalvin]

@OpenSource-For-Freedom I'm glad that you have been liking the direction of the tool so far!

We do expect to bring rule customization to the tool in the future, but don't have specific plans yet around what this would look like. What sort of architectural patterns would you want to be able to scan for?

[kristof-mattei]

Is there a way to run code-quality ourselves (without the dynamic on)?

I have come up with this:

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "CodeQL"

on:
  #   dynamic:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "32 20 * * 5"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }} - ${{ matrix.analysis-kinds }})
    runs-on: "ubuntu-latest"
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - analysis-kinds: code-scanning
            language: actions
            category: /language:actions
            config: actions.yaml
            build-mode: none
            queries: "security-extended,security-and-quality"
            upload-database: true
          - analysis-kinds: code-scanning,code-quality
            language: javascript-typescript
            category: /language:javascript-typescript
            config: typescript.yaml
            build-mode: none
            queries: "security-extended,security-and-quality"
            upload-database: true
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          show-progress: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          analysis-kinds: ${{ matrix.analysis-kinds }}
          config-file: .github/codeql/${{ matrix.config }}
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: ${{ matrix.queries }}
          dependency-caching: ${{ runner.environment == 'github-hosted' }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          category: ${{ matrix.category }}
          upload-database: ${{ matrix.upload-database }}

I know analysis-kinds is [Internal], but I am getting flooded with warnings of files in /dist, and I can't easily change format to remove committing compiled code to the repo (this is for a GitHub Action if you believe).

So in the config I have a paths-ignore.

Problem:

Having this workflow doesn't remove the dynamic one, and thus I don't control which one wins in terms of uploading its results. If mine wins, good results. If the dynamic one wins, bad results.

(and I don't want to put in a sleep in mine to artificially delay it so it is always the latest...)

The results above are trial and error based on `CODE_SCANNING_WORKFLOW_FILE

There are probably bugs in here (upload-database?).

[carogalvin]

We do not currently support manual runs of code quality. What are you looking to do with the advanced setup that you have described versus the dynamic workflow?

[jsoref]

The key is to exclude garbage:

I know analysis-kinds is [Internal], but I am getting flooded with warnings of files in /dist ...

If you had excludes, that'd solve a lot (I tripped on this when I was using code quality -- the repository I used has /vendor code that isn't interesting to the repository owners -- they'll update eventually).

[kristof-mattei]

We do not currently support manual runs of code quality. What are you looking to do with the advanced setup that you have described versus the dynamic workflow?

Path exclusion.

[henriksjostrom]

Ideally, a full config file with path exclusions, specific patters being warnings other being errors and yet others being entirely disabled or just valid for certain jobs.

Even other tools would be helpful like golang ci lint and eslint etc.

Pretty much what we can already do by defining our own jobs and uploading sarif files but putting the results under code quality instead.

[carogalvin]

Ah, this makes a lot of sense, thank you

[DockedFerret800]

Is there a way to pick which AI model to use when assigning Code Quality suggestions to Copilot, like it's possible to pick in other places. Furthermore, would it be possible to do "batch fix" for generate fix button when there are multiple suggestions on the standard finding page?

[carogalvin]

Hi @DockedFerret800 , for our autofix and detection abilities, we will not be adding the ability to choose the model. Our team selects models based on careful evals to maximize the quality and correctness of the proposed fixes.

We are working on the ability to batch fixes on the standard findings page, and expect that this will be available in the next 3ish months.

[domenicovent]

Hello! We have just started using code quality, and we have a case where we have a monorepo, with BE APIs in C# and FE solution in React/TypeScript.
The issue is that currently CodeQL detects TypeScript as the language of the repo and runs on that assumption.
Is there a way to instruct to analyze for other languages as well?
Or are they dynamically added/detected also in later stages?

[carogalvin]

Hi @domenicovent ! CodeQL should be detecting and scanning all the languages in the repo. Do you see anything in the setup or scan Actions logs that could explain this discrepancy? On the repo settings page for Code Quality, does it only show TypeScript as the language scanned?

[domenicovent]

Hello @carogalvin thanks for your reply.
You are right it does, it took nearly 1 day, but now the C# option appeared in the codeQL panel.

So is working fine :)

[carogalvin]

Great! Glad to hear. Weird that it took so long 🤔

[domenicovent]

Maybe it waited for the branch containing most of the C# code to be fully merged?

[keith-oak]

Feature Request: Locale/language awareness for AI findings

Code Quality AI findings is flagging standard Australian English spellings (colour, organisation, customisation) as spelling errors across our repo's changelogs. These are correct — we're an Australian company writing in Australian English.

The problem: There's no way to tell the scanner what regional English variant a repo uses. It appears to only recognise American English spellings.

Signals the scanner could already use (all already set in our case):

Signal	Our Value	Where
GitHub profile location	Brisbane, Australia	User profile
macOS system locale	en_AU	OS-level
macOS language preference	en-AU	OS-level
.github/copilot-instructions.md	Uses colour 50+ times consistently	Repo root
CLAUDE.md	"Use Australian English spelling (organisation, colour, behaviour)"	Repo root
Repo content	Consistent AU English across all files	Entire codebase

Suggested solutions (any would work):

1. Locale config — a .github/code-quality.yml with a locale: en-AU setting
2. Respect existing signals — read .github/copilot-instructions.md, repo language patterns, or user profile location to infer locale
3. Custom word allowlist — let repos define accepted words/spellings
4. Suppress spelling-category findings — allow disabling specific finding categories

This is a real-world example: LucidLabsAU/lucid-labs-vscode-theme — an open-source VS Code theme factory with 15 branded extensions, all using Australian English throughout.

Dismissing individually works as a workaround, but the findings will likely resurface on future pushes to those files.

[carogalvin]

Hi @keith-oak , thank you for raising this!

[jf205]

Hi @keith-oak

Thanks for raising this. Just to confirm: you are seeing these suggestion in the AI findings at security/quality/ai-findings rather then as comments on pull requests?

[dezren39]

hi when will there be an api call to enable this per repo?

[carogalvin]

I don't know the exact date yet but you can expect this within the next 3 months!

[jshiell]

Is there a way to specify a manual build command?

For example, we have a mono-repo with Python and Kotlin projects in subdirectories. The autobuild script fails as it detects build files in more than one subfolder (Cannot auto-detect a single build directory. - which is legit, as they're related but independent builds). Hence we need a sensible way to give it an explicit build command for the Kotlin projects (or call the individual projects in subdirectories).

[carogalvin]

Not at this time!

[jshiell]

Thank you.

In which case, feedback would be that this would be critical for this to be useful to us.

Some UX feedback as well - this setup has confused people in our org as they expect it to be linked to a Workflow file in the repo like other workflows (and it's not); and the workflow name (CodeQL) adds confusion when there are other CodeQL workflows in the repo (e.g. for analysis).

They do like the output, though!

[carogalvin]

Great, thanks for that feedback!

[M324j]

Great work

[naqvi110k]

Subject: My team's experience with Code Quality so far (candid feedback)

Hey everyone, thanks for shipping this. My team has been testing the public preview on a few of our internal repos for the past couple of weeks, and I wanted to share some raw, honest feedback from the trenches.

The good (seriously):

The inline PR comments are a game-changer. No more context switching to a separate dashboard. My junior devs are actually seeing the maintainability issues as they review code, not just ignoring a failed CI check.

One-click Copilot fixes work surprisingly well for about 70% of the trivial stuff (unused imports, simple null checks). That alone has saved us a few hours of busywork.

The frustrating (please read):

False positive noise is real. It flagged a standard try-catch-finally block in our Java service as a "reliability risk" because the catch was too broad. That’s the pattern across our entire codebase. Without a way to suppress specific rules per file or directory, we’re just dismissing the same comment on every PR. We can’t turn off the rule entirely, but we also can't live with the noise.

No way to fail a PR. This is the biggest blocker for us. Right now it’s just a "nice to have" suggestion. We need a setting that says "If a new Critical reliability issue is introduced, block the merge." Without that, my senior devs are just ignoring the whole feature because it doesn't enforce anything.

The "dynamic" workflow is a black box. One of our PRs triggered an 8-minute C# analysis… for a change that only updated a Markdown file. We have no way to tell it to ignore certain paths or only run on specific file extensions. Burning Actions minutes on irrelevant scans is a non-starter for our finance team.

The question:
Is there any hidden config file or API endpoint we can use to at least disable rules or exclude paths? If not, are those on the roadmap for the GA release? We want to adopt this, but in its current form, the noise and lack of control mean we’ll likely have to turn it off.

Thanks for listening.

[carogalvin]

Hi @naqvi110k , thank you for this detailed feedback! Disabling rules and excluding paths is on our roadmap, but unfortunately won't be available by GA (June) - more likely later in 2026.

One thing I wanted to mention is that we do have the ability to fail PRs based on the severity of findings today - you can find this in the repo rulesets feature!