How can you enforce Code Scanning results before merging using branch protection?

The central idea is to gate merges with the security scanner’s result. Branch protection lets you require specific status checks to pass before a PR can be merged. Code Scanning runs as part of the CI process and reports its outcome on the pull request as a status check (often named Code scanning or similar). By making that specific Code Scanning status required, you ensure a PR cannot be merged until the scan completes and leaves a passing result. This directly enforces that any security findings surfaced by the scanner must be resolved before merging. Enabling all checks or disabling checks would either block merges for unrelated issues or remove automated verification entirely, and relying on human review alone neglects the automated security feedback that Code Scanning provides.