GitHub is introducing AI-powered security detections in GitHub Code Security to expand vulnerability coverage beyond what CodeQL's static analysis supports alone. The new hybrid detection model adds coverage for Shell/Bash, Dockerfiles, Terraform (HCL), and PHP, surfacing findings directly in pull requests. In internal testing, the system processed over 170,000 findings in 30 days with 80%+ positive developer feedback. Copilot Autofix complements detection by suggesting fixes, having resolved over 460,000 security alerts in 2025 with an average resolution time of 0.66 hours. Public preview is planned for early Q2, with a live demonstration at RSAC.
Table of contents
Expanding application security coverage with static analysis and AIBringing expanded security coverage into pull requestsTurning expanded detection into review-ready fixes with Copilot AutofixEnforce security outcomes at the point of mergeTags:Written bySort: