Learn how we are using the newly released GitHub Security Lab Taskflow Agent to triage categories of vulnerabilities.

The GitHub Blog provides updates, announcements, and insights from the world's leading software development platform, covering topics such as new features, community highlights, and industry trends. Developers can learn about GitHub's latest developments, best practices for collaboration, and tips for maximizing productivity on the platform.

GitHub Blog

GitHub Security Lab developed an AI-powered framework called Taskflow Agent to automate vulnerability triage from code scanning alerts. By breaking down triage into structured YAML-defined tasks, LLMs identify patterns that traditional static analysis tools miss, such as custom authentication checks and sanitization logic. The system uses a multi-stage approach: information gathering, auditing for false positives, report generation, and validation. Since August, this approach has discovered approximately 30 real vulnerabilities in open source repositories by triaging CodeQL alerts for GitHub Actions and JavaScript XSS issues. The framework stores intermediate results in a database, delegates programmatic tasks to MCP servers, and creates GitHub Issues for human review, allowing researchers to incorporate repo-specific knowledge and improve accuracy over time.

AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent

Triaging taskflows from a code scanning alert to a report