GitHub adopts AI-based scanning for its Code Security tool to expand vulnerability detection beyond CodeQL static analysis and cover more languages and frameworks.
Moreover, the developer collaboration platform explains that the move aims to uncover security issues “in areas that are difficult to support with traditional static analysis alone.”
At the same time, CodeQL continues to deliver deep semantic analysis for supported languages, while AI detections extend broader coverage across Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems.
Looking ahead, the new hybrid model is expected to enter public preview in early Q2 2026, possibly as soon as next month.
In addition, GitHub Code Security provides a suite of application security tools integrated directly into GitHub repositories and workflows.
Pricing and Availability
Currently, the platform offers free access (with limitations) for all public repositories. However, paying users unlock the full feature set for private and internal repositories through the GitHub Advanced Security (GHAS) add-on suite.
Specifically, the platform delivers:
- Code scanning to identify known vulnerabilities
- Dependency scanning to detect vulnerable open-source libraries
- Secrets scanning to uncover leaked credentials on public assets
- Security alerts enhanced with Copilot-powered remediation suggestions
Security Built Into Pull Requests
Importantly, the system operates at the pull request level, where the platform selects the appropriate tool (CodeQL or AI) for each case. As a result, it catches issues before developers merge potentially problematic code.
For example, when the system detects issues such as weak cryptography, misconfigurations, or insecure SQL, it presents them directly within the pull request.
Notably, GitHub’s internal testing processed over 170,000 findings in 30 days and achieved 80% positive developer feedback, indicating that developers validated most flagged issues.
Consequently, these results demonstrated “strong coverage” across target ecosystems that had not received sufficient scrutiny before.
Furthermore, GitHub emphasizes the value of Copilot Autofix, which suggests solutions for detected problems through GitHub Code Security.
According to 2025 data, across more than 460,000 security alerts, Autofix reduced resolution time to 0.66 hours on average, compared to 1.29 hours without it.
Ultimately, GitHub’s adoption of AI-powered vulnerability detection reflects a broader shift: security is becoming AI-augmented and increasingly embedded directly into the development workflow.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News
