GitHub introduces AI-powered security detections to complement CodeQL, expanding vulnerability coverage across more languages and frameworks while integrating fixes directly into pull requests.
GitHub is expanding its application security coverage by introducing AI-powered security detections in GitHub Code Security, complementing its existing CodeQL static analysis capabilities. This hybrid approach aims to address the growing complexity of modern codebases that span multiple languages and frameworks beyond traditional enterprise ecosystems.
Why Traditional Static Analysis Falls Short
Static analysis remains highly effective for identifying vulnerabilities in supported languages, which is why GitHub Code Security continues to rely on CodeQL for deep semantic analysis. However, modern development increasingly involves scripts, infrastructure definitions, and application components built across diverse ecosystems that traditional static analysis struggles to cover comprehensively.
The challenge is particularly acute as AI accelerates software development and expands the range of languages and frameworks used in modern repositories. Security teams find themselves responsible for protecting code written across many ecosystems, not just the core enterprise languages traditionally covered by static analysis tools.
How AI-Powered Detections Work
GitHub's solution pairs CodeQL with AI-powered security detections across additional languages and frameworks. This hybrid detection model helps surface vulnerabilities—and suggested fixes—directly to developers within the pull request workflow. The system processes findings using the most appropriate detection approach for each change, whether that's static analysis powered by CodeQL or AI-powered security detections.
Early results show strong coverage for ecosystems newly supported through AI-powered detections, including:
- Shell/Bash scripts
- Dockerfiles
- Terraform configurations (HCL)
- PHP applications
In internal testing, the system processed more than 170,000 findings over a 30-day period, with more than 80% positive developer feedback. This capability sits within GitHub's broader agentic detection platform, which powers security, code quality, and code review experiences across the developer workflow.
Integration into the Developer Workflow
Pull requests represent the optimal point for security intervention since developers already review and approve changes there. When a pull request is opened, GitHub Code Security automatically analyzes the changes and surfaces results directly in the pull request alongside other code scanning findings.
The system can identify various security risks, including:
- Unsafe, string-built SQL queries or commands
- Insecure cryptographic algorithms
- Infrastructure configurations that expose sensitive resources
By integrating security detections into the pull request workflow, GitHub helps teams catch and fix vulnerabilities earlier without requiring developers to leave their existing tools and processes.
From Detection to Remediation with Copilot Autofix
Identifying vulnerabilities early addresses only part of the security challenge. Teams must also ensure those issues are fixed quickly and safely. GitHub Code Security connects detection to remediation with Copilot Autofix, which suggests fixes that developers can review, test, and apply as part of the normal code review process.
Developers are already using Autofix at scale. It has fixed more than 460,000 security alerts in 2025, reaching resolution in 0.66 hours on average compared to 1.29 hours without Autofix. This represents a significant acceleration in the vulnerability remediation lifecycle.
Platform-Level Security Enforcement
Because GitHub sits at the merge point of the development workflow, security teams can enforce outcomes where code is reviewed and approved, not after it ships. By bringing detection, remediation, and policy enforcement together in pull requests, GitHub helps teams reduce risk without slowing development.
This approach reflects a broader direction: starting with expanded coverage today, and evolving toward deeper, AI-augmented static analysis as part of GitHub's agentic detection platform. The foundation established by these AI-powered detections will enable more sophisticated vulnerability insights as development continues to accelerate.
What's Next
Public preview availability for AI-powered security detections is planned for early Q2. GitHub will demonstrate this capability at RSAC booth #2327, showcasing how hybrid detection, developer-native remediation, and platform governance work together to secure modern software development.
The expansion represents GitHub's response to the reality that modern codebases often include components built across many additional ecosystems beyond traditional enterprise languages. By complementing CodeQL's precision with AI-powered detections' broader coverage, GitHub aims to provide comprehensive security coverage that keeps pace with the accelerating velocity of software development.
Comments
Please log in or register to join the discussion