Allow periodic scanning of inactive repos [GA] (#61312)

isaacmbrown · Copilot · web-flow · commit 1ec8d5ab4b15 · 2026-06-12T12:03:58.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/content/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning.md b/content/code-security/how-tos/find-and-fix-code-vulnerabilities/configure-code-scanning/configure-code-scanning.md
@@ -77,7 +77,7 @@ Your repository is eligible for default setup for {% data variables.product.prod
 1. Optionally, to view your default setup configuration after enablement, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click **{% octicon "gear" aria-hidden="true" aria-label="gear" %} View {% data variables.product.prodname_codeql %} configuration**.
 
 > [!NOTE]
-> If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.
+> If no pushes and pull requests have occurred in a repository with default setup enabled for 6 months, the weekly schedule will be disabled to save your {% data variables.product.prodname_actions %} minutes.{% ifversion code-scanning-inactive-repos %} Organization owners can enable monthly scans of inactive repositories. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#continuing-scans-on-inactive-repositories).{% endif %}
 
 {% ifversion fpt or ghec %}
 
diff --git a/content/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/edit-default-setup.md b/content/code-security/how-tos/find-and-fix-code-vulnerabilities/manage-your-configuration/edit-default-setup.md
@@ -83,6 +83,19 @@ For more information about {% data variables.product.prodname_codeql %} model pa
 
 1. The model packs will be automatically detected and used when {% data variables.product.prodname_code_scanning %} runs on any repository in the organization with default setup enabled.
 
+{% ifversion code-scanning-inactive-repos %}
+
+## Continuing scans on inactive repositories
+
+{% data reusables.code-scanning.inactive-repos-scan %} You can override this behavior in an organization, though the scan period is not configurable.
+
+{% data reusables.profile.access_org %}
+{% data reusables.organizations.org_settings %}
+{% data reusables.security-configurations.display-global-settings %}
+1. In the "{% data variables.product.prodname_code_scanning_caps %}" section, enable the **Keep scheduled scans running every 30 days for inactive repositories** setting.
+
+{% endif %}
+
 ## Further customization
 
 If you need to change any other aspects of your {% data variables.product.prodname_code_scanning %} configuration, consider configuring advanced setup. See [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning).
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/code-scanning-at-scale.md
@@ -33,9 +33,9 @@ A repository must meet all the following criteria to be eligible for default set
 
 You can enable default setup for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).
 
-### Extending {% data variables.product.prodname_codeql %} coverage in default setup
+### Configuring default setup features
 
-Through your organization's security settings page, you can extend coverage in default setup using model packs for all eligible repositories in your organization. For more information, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
+Through your organization's security settings page, you can customize default setup for all eligible repositories, such as extending coverage using model packs. See [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup).
 
 ## Configuring default setup for a subset of repositories in an organization
 
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md
@@ -105,6 +105,9 @@ You can customize several {% data variables.product.prodname_global_settings %}
 {% ifversion code-scanning-autofix %}* [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql){% endif %}
 * [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup)
 * [Expanding {% data variables.product.prodname_codeql %} analysis](#expanding-codeql-analysis)
+{%- ifversion code-scanning-inactive-repos %}
+* [Continuing scans on inactive repositories](#continuing-scans-on-inactive-repositories)
+{%- endif %}
 
 {% endif %}
 
@@ -124,6 +127,14 @@ You can select **{% data variables.copilot.copilot_autofix_short %}** to enable
 
 You can expand {% data variables.product.prodname_codeql %} analysis coverage for all repositories in your organization that use default setup by configuring {% data variables.product.prodname_codeql %} model packs. Model packs extend the {% data variables.product.prodname_codeql %} analysis to recognize additional frameworks and libraries that are not included in the standard {% data variables.product.prodname_codeql %} libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
 
+{% ifversion code-scanning-inactive-repos %}
+
+### Continuing scans on inactive repositories
+
+{% data reusables.code-scanning.inactive-repos-scan %} You can select **Keep scheduled scans running every 30 days for inactive repositories** to override this behavior in an organization. The scan period is not configurable.
+
+{% endif %}
+
 ## Configuring global {% data variables.product.prodname_secret_scanning %} settings
 
 {% data reusables.security-configurations.secret-scanning-security-configs-summary %}
diff --git a/data/features/code-scanning-inactive-repos.yml b/data/features/code-scanning-inactive-repos.yml
@@ -0,0 +1,5 @@
+# Ref: 22601
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>= 3.22'
diff --git a/data/reusables/code-scanning/inactive-repos-scan.md b/data/reusables/code-scanning/inactive-repos-scan.md
@@ -0,0 +1 @@
+By default, {% data variables.product.prodname_code_scanning %} default setup pauses weekly scheduled scans on repositories that have had no commits pushed or pull requests opened for 180 days.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+By default, {% data variables.product.prodname_code_scanning %} default setup pauses weekly scheduled scans on repositories that have had no commits pushed or pull requests opened for 180 days.`