AI is accelerating software development and expanding the range of languages and frameworks used in modern repositories. Security teams are increasingly responsible for protecting code written across many ecosystems, not just the core enterprise languages that have traditionally been covered by static analysis.
That’s why GitHub is introducing AI-powered security detections in GitHub Code Security to extend application security coverage across more languages and frameworks. These detections complement CodeQL by revealing potential vulnerabilities in areas that are difficult to cover with traditional static analysis alone. Public preview is expected to be available in early Q2.
Extend application security coverage with static analysis and AI
Static analysis continues to be an effective method for identifying vulnerabilities in supported languages. That’s why GitHub Code Security continues to rely on CodeQL for deep semantic analysis. However, modern codebases often include scripts, infrastructure definitions, and application components built across many additional ecosystems.
To address this reality, GitHub Code Security expands its reach by combining CodeQL with AI-powered security detection across additional languages and frameworks. This hybrid detection model surfaces vulnerabilities and recommended fixes to developers directly in the pull request workflow.
In internal testing, the system processed over 170,000 results in 30 days and received over 80% positive feedback from developers. Initial results show strong coverage of the newly supported ecosystems through AI-powered discovery, including Shell/Bash, Dockerfile, Terraform configuration (HCL), and PHP.
This feature is part of GitHub’s broader agent discovery platform and enhances the security, code quality, and code review experiences across developer workflows. It starts as an expansion of coverage; combining the precision of static analysis with deeper context, and with the new vulnerability patterns that emerge as development continues to accelerate, establishes a foundation for detection that evolves over time.
Incorporate expanded security coverage into pull requests
Pull requests are where changes are reviewed and approved, which makes them the most effective place to surface security risks early. When a pull request is opened, GitHub Code Security automatically analyzes the changes using the detection approach best suited to the code in question: static analysis with CodeQL, or AI-powered security detection.
The results appear directly in the pull request alongside other code scanning results, exposing risks such as SQL queries and shell commands built from untrusted strings, use of weak cryptographic algorithms, and infrastructure configurations that expose sensitive resources.
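As an added example, not code from GitHub or from this announcement, here is one of the risk classes named above, a command built from an untrusted string, in one of the newly covered ecosystems, Shell/Bash, next to the hardened form a reviewer would accept. The function names, the scratch files and the injected payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not GitHub's code: a shell command constructed from an
# untrusted string (the kind of finding the detections above report), beside
# its fix. File names and the injected payload are constructed for the demo.

# VULNERABLE: the argument is spliced into a command string and re-parsed by
# eval, so ';', '|', '$(...)' and similar characters in it become shell syntax.
count_lines_unsafe() {
  n=$(eval "wc -l < $1") || return 1
  echo $n   # unquoted on purpose: strips the leading padding BSD wc prints
}

# HARDENED: the argument is passed as a single quoted word and never
# re-parsed; a hostile value is just a file name that does not exist.
count_lines_safe() {
  n=$(wc -l < "$1") || return 1
  echo $n   # unquoted on purpose, as above
}

# Succeeds if the marker file an injected 'touch' would create exists.
injection_succeeded() {
  [ -f "$1/pwned" ]
}

# Stand-alone demo in a scratch directory with constructed input.
demo() {
  dir=$(mktemp -d)
  printf 'one\ntwo\nthree\n' > "$dir/a.txt"
  payload="$dir/a.txt; touch $dir/pwned"

  count_lines_unsafe "$payload" >/dev/null 2>&1
  if injection_succeeded "$dir"; then
    echo "unsafe: injected command ran"
  fi
  rm -f "$dir/pwned"

  count_lines_safe "$payload" >/dev/null 2>&1 || echo "safe: refused, no such file"
  if ! injection_succeeded "$dir"; then
    echo "safe: injected command did not run"
  fi
  echo "safe: $(count_lines_safe "$dir/a.txt") lines in a.txt"
  rm -rf "$dir"
}

demo
```

The fix is the same one the detections would recommend for Bash, Dockerfile RUN lines and PHP `shell_exec` calls alike: never let untrusted data reach a parser a second time; pass it as an argument, not as part of the program text.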
By integrating security detection into pull request workflows, GitHub helps teams find and remediate vulnerabilities early without requiring developers to leave the tools and processes they already use.
Turn enhanced detections into reviewable fixes with Copilot Autofix
Identifying vulnerabilities early is only part of the challenge. Security teams must also ensure that these issues are resolved quickly and securely.
GitHub Code Security uses Copilot Autofix to connect detections to remediation. Autofix proposes fixes that developers can review, test, and apply as part of the normal code review process.
Developers are already using Autofix at scale. In 2025, we remediated more than 460,000 security alerts, with a mean time to resolution of 0.66 hours, compared to 1.29 hours without auto-remediation.
By combining Enhanced Detection with Copilot Autofix, teams can move from finding to remediating risks faster.
Enforce security consequences at the merge point
Because GitHub sits at the merge point of the development workflow, security teams can enforce consequences when the code is reviewed and approved, rather than after it has shipped. GitHub enables teams to reduce risk without slowing development by bringing detection, remediation, and policy enforcement together in pull requests.
At RSAC, we’ll preview how GitHub can extend the security coverage of your applications directly within pull requests with AI-powered security detections. This demonstration reflects a broader direction: starting with expanded coverage today and evolving toward deeper AI-enhanced static analysis as part of GitHub’s agent discovery platform. Visit GitHub at RSAC booth #2327 to see how hybrid detection, developer-native remediation, and platform governance work together to secure modern software development.