Code scanning shows AI security detections on pull requests

nyku1 pts0 comments

Code scanning shows AI security detections on pull requests - GitHub Changelog

Try GitHub Copilot CLI

Attend GitHub Universe

Search

Back to changelog

GitHub code scanning now surfaces AI-powered security detections directly on pull requests, expanding vulnerability coverage to languages and frameworks not currently supported by CodeQL. These detections help teams identify and address potential issues in parts of the codebase that previously had no native scanning coverage, all before code is merged.

What’s included

Broader language coverage : AI-powered detections extend code scanning to languages and frameworks beyond those supported by CodeQL’s built-in analysis, reducing blind spots across your codebase.

Native pull request integration : Findings appear directly in pull requests, so developers can review and address issues as part of their existing workflow before merging code. Alerts generated using AI will be labeled with AI so you can easily distinguish them from CodeQL results.

Easy to enable : Once allowed at the enterprise level, you can enable AI security detections for any repository or organization that have GitHub code security and CodeQL default setup turned on.

How it works

AI security detections are powered by GitHub’s AI detection engine and automatically run when a pull request is opened or updated. Results appear as the engine returns them. There’s no need to wait for all analysis sources to complete. These findings are informational and won’t block pull request merges.

To use the feature, AI security detections must be allowed by your Enterprise policy and enabled at the organization level. Additionally, CodeQL default analysis must be enabled on the repository. While CodeQL is not the tool performing the AI analysis, the AI detection engine relies on it to function.

Availability

This feature is now in public preview on github.com for customers with GitHub Code Security (GitHub Advanced Security). It can be enabled for repositories or organizations that use CodeQL default setup, after being allowed by an enterprise owner at the enterprise level.

Billing

During public preview, AI security detections require a GitHub Copilot license and draw down your organization’s AI credits. Usage consumes AI credits only when detections run. Learn more about AI credits billing.

To learn more, check out our GitHub Code Scanning documentation. Join the discussion and leave feedback on the Code scanning shows AI security detections on PRs announcement in the GitHub Community.

Related Posts

Jul.15 Improvement

Improvements to secret scanning and public monitoring

application security

Jul.14 Improvement

Security reviews now available in the GitHub Copilot app

application security<br>copilot

...<br>+1

Jul.13 Release

Manage secret scanning custom patterns via REST API

application security

Jul.13 Release

GitHub Code Quality license estimate in public preview

account management<br>application security

...<br>+1

Jul.10 Improvement

CodeQL 2.26.0 adds Kotlin 2.4.0 support and AI prompt injection detection

application security

Jul.10 Improvement

Clearer names for secret scanning detector types

application security

Jul.10 Release

Agentic autofix for code scanning alerts in public preview

application security<br>copilot

...<br>+1

Jul.09 Release

Organization-level targeting for GitHub Code Quality

application security<br>enterprise management tools<br>platform governance

...<br>+2

Jul.07 Release

Secret scanning extended metadata and multipart validation

application security

Subscribe to our developer newsletter

Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.

Enter your email*

Subscribe

By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.

Back to top

&copy; 2026 GitHub, Inc.

Terms

Privacy

Manage Cookies

Do not share my personal information

LinkedIn icon

GitHub on LinkedIn

Instagram icon

GitHub on Instagram

YouTube icon

GitHub on YouTube

X icon

GitHub on X

TikTok icon

GitHub on TikTok

Twitch icon

GitHub on Twitch

GitHub icon

GitHub’s organization on GitHub

github security code scanning detections application

Related Articles