
GitHub expands application security coverage with AI‑powered detections


AI is accelerating software development and expanding the range of languages and frameworks used in modern repositories. Security teams are increasingly responsible for protecting code written across many ecosystems, not just the core enterprise languages traditionally covered by static analysis.

That’s why GitHub is introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone. Public preview availability is planned for early Q2.

Expanding application security coverage with static analysis and AI

Static analysis remains an effective way to identify vulnerabilities in supported languages, which is why GitHub Code Security continues to rely on CodeQL for deep semantic analysis. But modern codebases often include scripts, infrastructure definitions, and application components built across many additional ecosystems.

To address this reality, GitHub Code Security extends coverage by pairing CodeQL with AI-powered security detections across additional languages and frameworks. This hybrid detection model helps surface vulnerabilities—and suggested fixes—directly to developers within the pull request workflow.

In internal testing, the system processed more than 170,000 findings over a 30-day period, with more than 80% positive developer feedback. Early results show strong coverage for ecosystems newly supported through AI-powered detections, including Shell/Bash, Dockerfiles, Terraform configurations (HCL), and PHP.

This capability sits within GitHub’s broader agentic detection platform, which powers security, code quality, and code review experiences across the developer workflow. What begins as expanded coverage establishes a foundation for evolving detections over time, pairing the precision of static analysis with deeper context and new vulnerability insights that emerge as development continues to accelerate.

Bringing expanded security coverage into pull requests

Pull requests are where developers already review and approve changes, making them the most effective place to surface security risks early. When a pull request is opened, GitHub Code Security automatically analyzes the changes using the most appropriate detection approach, whether that is static analysis powered by CodeQL or AI-powered security detections.

The results appear directly in the pull request alongside other code scanning findings, surfacing risks such as unsafe string-built SQL queries or commands, insecure cryptographic algorithms, and infrastructure configurations that expose sensitive resources.
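As an added illustration (not code from GitHub or from the announcement) of the first risk class named above, here is the "string-built SQL query" pattern in PHP, one of the newly covered ecosystems, beside the parameterised form a fix would move to. The users table, its columns and the sample rows are assumptions constructed for this example.

```php
<?php
// Added example, not GitHub's code. Contrasts a string-built SQL query with
// the bound-parameter form. Table, column names and rows are assumptions.

// Vulnerable form: the caller's value is spliced into the SQL text, so the
// database parser sees user data as part of the query itself.
function findUserUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is a fixed literal and the value is bound as a
// parameter, so it is only ever compared as data, never parsed as SQL.
function findUserSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

// Constructed input: an ordinary-looking address that contains an apostrophe.
// The defect is that input can change how the query parses; the syntax error
// raised by the unsafe form is the visible symptom of data reaching the parser.
$probe = "o'brien@example.com";

try {
    $rows = findUserUnsafe($db, $probe);
    echo "unsafe query returned " . count($rows) . " row(s)\n";
} catch (PDOException $e) {
    echo "unsafe query failed: input was parsed as SQL (" . $e->getMessage() . ")\n";
}

$rows = findUserSafe($db, $probe);
echo "safe query returned " . count($rows) . " row(s)\n";
```

Run it with `php example.php` on a PHP build that has `pdo_sqlite`: the unsafe function throws because the quote in the input breaks the query text, while the hardened function simply returns no rows for an address that is not in the table. The prepared-statement form is the shape of fix a review-ready suggestion in the pull request would propose for this finding.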

By integrating security detections into the pull request workflow, GitHub helps teams catch and fix vulnerabilities earlier, without asking developers to leave the tools and processes they already use.

Turning expanded detection into review-ready fixes with Copilot Autofix

Identifying vulnerabilities early is only part of the challenge. Security teams must also ensure those issues are fixed quickly and safely.

GitHub Code Security connects detection to remediation with Copilot Autofix, which can suggest fixes that developers can review, test, and apply as part of the normal code review process.

Developers are already using Autofix at scale. It has fixed more than 460,000 security alerts in 2025, reaching resolution in 0.66 hours on average compared to 1.29 hours without Autofix.

Together, expanded detection and Copilot Autofix help teams move faster from finding risk to fixing it.

Enforce security outcomes at the point of merge

Because GitHub sits at the merge point of the development workflow, security teams can enforce outcomes where code is reviewed and approved, not after it ships. By bringing detection, remediation, and policy enforcement together in pull requests, GitHub helps teams reduce risk without slowing development.

At RSAC, GitHub will preview how AI-powered security detections expand application security coverage directly within pull requests. This demonstration reflects a broader direction: starting with expanded coverage today, and evolving toward deeper, AI-augmented static analysis as part of GitHub’s agentic detection platform. Visit GitHub at RSAC booth #2327 to see how hybrid detection, developer-native remediation, and platform governance work together to secure modern software development.

The post GitHub expands application security coverage with AI‑powered detections appeared first on The GitHub Blog.

CodeQL and AI‑powered detections work together in GitHub Code Security to identify vulnerabilities across more languages and frameworks.