Enable scans and notifications by default

[mcandre]

Please enable CodeQL SAST scans and notifications by default on all GitHub repositories, like Dependabot. There are millions of projects with vulnerabilities that the owners and downstream users are unaware of. Let's try harder to keep the Internet safe.

[turbo]

Hi Andrew,

Thank you for your question. It is indeed a request we often get, and something we're definitely interested in long-term, but don't have any immediate plans for. The main reason is that we want developers to have the best experience possible, and there are several things we're actively addressing that can potentially enable an opt-out configuration in the future, but we're not quite there yet. Some of those include: setup (and build configuration where needed), alert level configuration (Default vs. Extended), and performance (both in terms of waiting time at the PR and investment in Actions for GitHub).

Should we decide to implement this at some point in the future, there will be a corresponding item on our public roadmap some time before it is implemented.