Code scanning shows AI security detections on pull requests - GitHub Changelog
Try GitHub Copilot CLI
Attend GitHub Universe
Search
Back to changelog
GitHub code scanning now surfaces AI-powered security detections directly on pull requests, expanding vulnerability coverage to languages and frameworks not currently supported by CodeQL. These detections help teams identify and address potential issues in parts of the codebase that previously had no native scanning coverage, all before code is merged.
What’s included
Broader language coverage : AI-powered detections extend code scanning to languages and frameworks beyond those supported by CodeQL’s built-in analysis, reducing blind spots across your codebase.
Native pull request integration : Findings appear directly in pull requests, so developers can review and address issues as part of their existing workflow before merging code. Alerts generated using AI will be labeled with AI so you can easily distinguish them from CodeQL results.
Easy to enable : Once allowed at the enterprise level, you can enable AI security detections for any repository or organization that have GitHub code security and CodeQL default setup turned on.
How it works
AI security detections are powered by GitHub’s AI detection engine and automatically run when a pull request is opened or updated. Results appear as the engine returns them. There’s no need to wait for all analysis sources to complete. These findings are informational and won’t block pull request merges.
To use the feature, AI security detections must be allowed by your Enterprise policy and enabled at the organization level. Additionally, CodeQL default analysis must be enabled on the repository. While CodeQL is not the tool performing the AI analysis, the AI detection engine relies on it to function.
Availability
This feature is now in public preview on github.com for customers with GitHub Code Security (GitHub Advanced Security). It can be enabled for repositories or organizations that use CodeQL default setup, after being allowed by an enterprise owner at the enterprise level.
Billing
During public preview, AI security detections require a GitHub Copilot license and draw down your organization’s AI credits. Usage consumes AI credits only when detections run. Learn more about AI credits billing.
To learn more, check out our GitHub Code Scanning documentation. Join the discussion and leave feedback on the Code scanning shows AI security detections on PRs announcement in the GitHub Community.
Related Posts
Jul.15 Improvement
Improvements to secret scanning and public monitoring
application security
Jul.14 Improvement
Security reviews now available in the GitHub Copilot app
application security<br>copilot
...<br>+1
Jul.13 Release
Manage secret scanning custom patterns via REST API
application security
Jul.13 Release
GitHub Code Quality license estimate in public preview
account management<br>application security
...<br>+1
Jul.10 Improvement
CodeQL 2.26.0 adds Kotlin 2.4.0 support and AI prompt injection detection
application security
Jul.10 Improvement
Clearer names for secret scanning detector types
application security
Jul.10 Release
Agentic autofix for code scanning alerts in public preview
application security<br>copilot
...<br>+1
Jul.09 Release
Organization-level targeting for GitHub Code Quality
application security<br>enterprise management tools<br>platform governance
...<br>+2
Jul.07 Release
Secret scanning extended metadata and multipart validation
application security
Subscribe to our developer newsletter
Discover tips, technical guides, and best practices in our biweekly newsletter just for devs.
Enter your email*
Subscribe
By submitting, I agree to let GitHub and its affiliates use my information for personalized communications, targeted advertising, and campaign effectiveness. See the GitHub Privacy Statement for more details.
Back to top
© 2026 GitHub, Inc.
Terms
Privacy
Manage Cookies
Do not share my personal information
LinkedIn icon
GitHub on LinkedIn
Instagram icon
GitHub on Instagram
YouTube icon
GitHub on YouTube
X icon
GitHub on X
TikTok icon
GitHub on TikTok
Twitch icon
GitHub on Twitch
GitHub icon
GitHub’s organization on GitHub