How do you enable Code Scanning with CodeQL for a repository on GitHub?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

How do you enable Code Scanning with CodeQL for a repository on GitHub?

Explanation:
Code Scanning with CodeQL is enabled by adding a CodeQL analysis workflow to the repository so that the analysis runs automatically on each push and pull request and the results are uploaded back to GitHub. This workflow is typically added through GitHub Actions (often via the built-in setup in the repository's Security tab) and runs CodeQL against the codebase, producing SARIF results that are sent to GitHub. Once those SARIF results arrive, the Security tab displays code scanning alerts for the repository.

This approach is the standard way because it provides continuous, automated analysis and centralized reporting directly in GitHub. Uploading SARIF results manually would break the automated workflow and reduce visibility, while using a separate external analyzer or flipping a non-existent feature flag would not enable GitHub's Code Scanning integration at all.
