GitHub just made it much harder to ship a vulnerable pull request
GitHub is expanding its application security capabilities with AI-powered security detections designed to identify risks earlier in the development process, with public preview planned for early Q2.

The update is intended to improve code scanning, secret detection, and dependency analysis within repositories hosted on the platform.
The company said the new detections are designed to complement its existing CodeQL engine, which remains in use for semantic analysis of supported languages.
Static analysis continues to play a central role in identifying vulnerabilities, but modern codebases also contain shell scripts, infrastructure definitions, and components written in ecosystems beyond the languages CodeQL supports.
“To address this reality, GitHub Code Security extends coverage by pairing CodeQL with AI-powered security detections across additional languages and frameworks. This hybrid detection model helps surface vulnerabilities and suggested fixes directly to developers within the pull request workflow,” Marcelo Oliveira, VP of Product Management at GitHub, said.
In internal testing, the platform processed more than 170,000 findings over a 30-day period and received more than 80% positive developer feedback. Early results show expanded coverage for ecosystems including Shell and Bash, Dockerfiles, Terraform configurations, and PHP.
GitHub is placing security checks directly in pull requests, where developers already review code changes. When a pull request is opened, GitHub Code Security analyzes the changed code using either CodeQL-based static analysis or AI-driven detections, depending on the language and file type involved.
Findings appear alongside existing code review signals and flag issues such as unsafe SQL queries, weak cryptographic use, or misconfigured infrastructure. The approach is designed to surface risks earlier in the development cycle without requiring changes to existing workflows.
GitHub is also linking detection to remediation through Copilot Autofix, which suggests fixes that can be reviewed and applied during the same code review process.
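As an added illustration of the kind of pull-request check described above, and not code from GitHub, CodeQL, or its AI detection engine: a toy Python scanner that walks the lines a unified diff adds (the view a PR-time check works from), applies a few pattern rules for the finding classes the article names (SQL built by string interpolation, MD5/SHA-1 hashing, a curl-pipe-to-shell install, an unpinned Docker base image, a world-open Terraform security group) and attaches a suggested fix to each finding. The sample diff, file names and rule IDs are constructed for the example; real engines reason about data flow rather than matching regexes, so this stands in for the workflow, not for the detection quality.

```python
"""Toy pull-request security check (illustration only, not CodeQL or GitHub's
AI detections): scan the lines a pull request ADDS, flag a few finding
classes, and attach a suggested fix to each one."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # line number in the post-change file
    rule: str
    message: str
    suggested_fix: str


# (rule id, path filter regex or None, line regex, message, suggested fix).
# Deliberately simple regexes; a real engine tracks data flow instead.
RULES = [
    ("sql-string-build", r"\.(py|php)$",
     r"""(?i)["'].*\b(select|insert|update|delete)\b.*(\{\w+\}|\$\w+|["']\s*[+.]\s*\$?\w)""",
     "SQL statement assembled by string interpolation or concatenation",
     "bind user input as a query parameter, e.g. cur.execute(sql, (value,))"),
    ("weak-hash", r"\.(py|php)$",
     r"\b(?:hashlib\.)?(md5|sha1)\s*\(",
     "MD5/SHA-1 are not collision resistant",
     "use SHA-256 for integrity, or a password hash (argon2/bcrypt) for credentials"),
    ("curl-pipe-shell", None,
     r"\b(curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b",
     "a downloaded script is executed without verification",
     "download to a file, verify its checksum or signature, then run it"),
    ("docker-unpinned-base", r"(^|/)Dockerfile$",
     r"^\s*FROM\s+\S+:latest\b",
     "base image uses the floating 'latest' tag",
     "pin the base image to a version tag or an @sha256 digest"),
    ("tf-open-ingress", r"\.tf$",
     r"cidr_blocks\s*=.*0\.0\.0\.0/0",
     "security group ingress is open to the whole internet",
     "restrict cidr_blocks to the networks that actually need access"),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff):
    """Yield (path, new_line_number, text) for every '+' line of a unified diff."""
    path, lineno = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                      # new-file header
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                                    # old-file header, git noise, "\ No newline"
        elif (m := HUNK_HEADER.match(raw)):
            lineno = int(m.group(1))                    # first line number of the hunk in the new file
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-"):
            continue                                    # removed line: no number in the new file
        else:
            lineno += 1                                 # context line (" " prefix, or empty)


def scan_diff(diff):
    """Run every rule over every added line; return findings in diff order."""
    findings = []
    for path, lineno, text in added_lines(diff):
        for rule_id, path_re, line_re, message, fix in RULES:
            if path_re and not re.search(path_re, path):
                continue
            if re.search(line_re, text):
                findings.append(Finding(path, lineno, rule_id, message, fix))
    return findings


# Constructed sample pull request (not a real project): three files, five problems.
SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -1,4 +1,8 @@
 import sqlite3
+import hashlib

-def find_user(cur, name):
-    return cur.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchone()
+def find_user(cur, name):
+    return cur.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchone()
+
+def fingerprint(blob):
+    return hashlib.md5(blob).hexdigest()
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,3 @@
-FROM python:3.12-slim
+FROM python:latest
 COPY . /app
+RUN curl -sSL https://example.invalid/install.sh | sh
--- a/infra/sg.tf
+++ b/infra/sg.tf
@@ -3,4 +3,4 @@ resource "aws_security_group" "db" {
   ingress {
     from_port   = 5432
     to_port     = 5432
-    cidr_blocks = ["10.0.0.0/8"]
+    cidr_blocks = ["0.0.0.0/0"]
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} [{f.rule}] {f.message}")
        print(f"    suggested fix: {f.suggested_fix}")
```

Only added lines are scanned, so a pull request that merely touches a file is not blamed for problems that were already there, and each finding carries the post-change line number a review comment would attach to. The removed line in app/db.py shows the safe parameterized form that the unsafe f-string replaces.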
“Because GitHub sits at the merge point of the development workflow, security teams can enforce outcomes where code is reviewed and approved, not after it ships,” concluded Oliveira.