AI will accelerate error detection in projects on GitHub
GitHub launches AI code scanning in Code Security
*GitHub announced the introduction of a new source code scanning feature using artificial intelligence (AI) in its Code Security service.*
This technology will enable detection of vulnerabilities that traditional static analysis with CodeQL cannot uncover, and it will broaden coverage to more languages and frameworks.
What’s new?
| Item | Description |
| --- | --- |
| Purpose | Detect security issues where standard CodeQL falls short. |
| Supported ecosystems | Shell/Bash, Dockerfiles, Terraform, PHP, and other languages/frameworks. |
| Working mode | Hybrid model that switches between CodeQL and the AI scanner as needed. |
Public testing of the hybrid model is planned for early Q2 2026.
Integration into workflows
* Native integration – tools run directly inside GitHub repositories and CI/CD pipelines.
* Availability – free for public projects (with limits). Paid subscribers receive the full package through GitHub Advanced Security (GHAS).
What does the new scanner check?
1. Code for known vulnerabilities.
2. Dependencies and open libraries – searching for vulnerable packages.
3. Credential leaks in public resources.
4. Alerts with recommendations from the AI assistant Copilot.
Scanning occurs at pull request (PR) level. When a PR is opened, the system automatically selects the appropriate tool—CodeQL or the AI scanner—to detect threats before potentially problematic code is merged. Alerts appear directly in the PR window.
Internal testing results
* Processed: over 170,000 incidents in 30 days.
* Developer feedback: 80% positive, confirming the usefulness of identified issues.
Copilot Autofix – quick fixes
GitHub also highlighted Copilot Autofix’s role in automatically fixing discovered vulnerabilities.
| Metric | Value |
| --- | --- |
| Security alerts processed | More than 460,000 in 2025. |
| Average resolution time | 0.66 hours with Autofix; 1.29 hours without it. |
Conclusion
With AI scanning, GitHub expands Code Security coverage, enabling detection and rapid remediation of vulnerabilities across a broader range of technologies. This strengthens repository protection for both free public projects and paid GHAS customers.