Security configurations: Add new troubleshooting article for advanced setup (#56913)

felicitymay · Copilot · mchammer01 · web-flow · commit 30c1bb4a635a · 2025-08-01T09:55:57.000Z
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: mc &lt;42146119+mchammer01@users.noreply.github.com&gt;
diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md
@@ -15,21 +15,21 @@ topics:
 
 ## About the problem
 
-You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale.
+You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that has an active configuration of advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of the repositories they are applied to, so they are not intended to be overridden at scale.
+
+### Active advanced setup
 
 If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} set to "Enabled" to a repository that already uses advanced setup, security settings will be applied as follows:
 
 * **{% data variables.product.prodname_code_scanning_caps %} default setup will not be enabled**, and advanced setup will continue to run as normal.
 * **All other security features enabled in the configuration will be enabled.**
 * **The {% data variables.product.prodname_security_configuration %} will not be attached** to the repository, since only some features from the configuration are enabled.
 
-For all repositories without an active advanced setup, the {% data variables.product.prodname_security_configuration %} will be applied as expected, and {% data variables.product.prodname_code_scanning %} default setup will be enabled.
+### Inactive or absent advanced setup
+
+{% data reusables.code-scanning.inactive-advanced-setup %}
 
-> [!NOTE]
-> If advanced setup is considered inactive for a repository, default setup _will_ still be enabled for that repository. Advanced setup is considered inactive for a repository if the repository meets any of the following criteria:
-> * The latest {% data variables.product.prodname_codeql %} analysis is more than 90 days old
-> * All {% data variables.product.prodname_codeql %} configurations have been deleted
-> * The workflow file has been deleted or disabled (exclusively for YAML-based advanced setup)
+If there is no advanced setup or the advanced setup is inactive, then default setup is enabled and the {% data variables.product.prodname_security_configuration %} applied as expected.
 
 ## Solving the problem
 
diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/index.md
@@ -1,6 +1,6 @@
 ---
 title: Troubleshooting security configurations
-shortTitle: Troubleshooting configurations
+shortTitle: Troubleshoot configurations
 intro: 'To successfully apply a {% data variables.product.prodname_security_configuration %}, you may need to troubleshoot unexpected issues.'
 versions:
   feature: security-configurations
@@ -11,6 +11,7 @@ topics:
   - Security
 children:
   - /a-repository-is-using-advanced-setup-for-code-scanning
+  - /unexpected-default-setup
   - /not-enough-github-advanced-security-licenses
   - /feature-disappears
 ---
diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/unexpected-default-setup.md
@@ -0,0 +1,33 @@
+---
+title: Default setup for code scanning overrides advanced setup
+shortTitle: Unexpected default setup
+intro: 'You apply a {% data variables.product.prodname_security_configuration %} with "Enabled with advanced setup allowed" and the existing advanced setup for {% data variables.product.prodname_code_scanning %} is ignored in some repositories.'
+permissions: '{% data reusables.permissions.security-org-enable %}'
+versions:
+  feature: security-configurations
+topics:
+  - Code Security
+  - Organizations
+  - Security
+---
+
+## About the problem
+
+When you apply a {% data variables.product.prodname_security_configuration %} and {% data variables.product.prodname_code_scanning %} is defined as "Enabled with advanced setup allowed", each repository is checked to see if there is an existing, active, advanced setup.
+
+* **No change to {% data variables.product.prodname_code_scanning %}** if an **active** advanced setup configuration is detected.
+* **Default setup is enabled** for repositories where advanced setup is **inactive or absent**.
+
+### Inactive or absent advanced setup
+
+{% data reusables.code-scanning.inactive-advanced-setup %}
+
+## Solving the problem
+
+This solution has two parts:
+
+1. Any repositories where default setup for {% data variables.product.prodname_code_scanning %} was unexpectedly applied need to run {% data variables.product.prodname_codeql %} analysis at intervals of less than 90 days, for example, once a month.
+
+   Even if the repository is not under active development, new vulnerabilities may be identified by updates to {% data variables.product.prodname_codeql %} analysis.
+
+1. Once the affected repositories all have {% data variables.product.prodname_codeql %} analysis running, you can reapply the {% data variables.product.prodname_security_configuration %}.
diff --git a/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md b/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md
@@ -1,3 +1,2 @@
 > [!NOTE]
-> To create a configuration that you can apply to a repository that uses advanced setup for {% data variables.product.prodname_codeql %}, choose "Enabled with advanced setup allowed". This setting enables default setup in repositories where advanced setup for {% data variables.product.prodname_codeql %} is not detected.
-> _Option available from {% data variables.product.prodname_ghe_server %} 3.19._
+> To create a configuration that you can apply to all repositories regardless of current {% data variables.product.prodname_code_scanning %} setup, choose "Enabled with advanced setup allowed". This setting enables default setup only in repositories where {% data variables.product.prodname_codeql %} analysis is not actively run. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._
diff --git a/data/reusables/code-scanning/inactive-advanced-setup.md b/data/reusables/code-scanning/inactive-advanced-setup.md
@@ -0,0 +1,5 @@
+Advanced setup is considered **inactive** for a repository if the repository meets any of the following criteria:
+
+* The latest {% data variables.product.prodname_codeql %} analysis is more than 90 days old.
+* All {% data variables.product.prodname_codeql %} configurations have been deleted.
+* The workflow file has been deleted or disabled (exclusively for advanced setup run using actions).
