GitHub Code Security · GitHub

archived 13 Jan 2026 05:32:07 UTC
Skip to content

Navigation Menu
Sign up
GitHub Code Security

Application security where found means fixed

Secure your code as you build with GitHub Code Security. Detect vulnerabilities early and fix them with Copilot Autofix.
What is GitHub code security?
What is GitHub code security?
28 min From vulnerability detection to remediation
3X Faster remediation on average with Copilot Autofix
90% Of alert types include AI-powered code suggestions

Detect and remediate vulnerabilities
early with AI-powered fixes

Automate security checks

Find security issues in real time with CodeQL’s powerful analysis that traces data flows throughout your application.
The image displays a code snippet from a JavaScript file named "collection.js" located in the "routes" directory. The code is highlighted in three steps, with Step 1 being the focus. In Step 1, the variable "jsonQuery" is assigned the value of "req.query.query". The code snippet includes four lines where variables are defined and assigned values from the request query object. The background has a gradient blue color.

Remediate at scale

Get contextual explanations and AI-powered fixes for CodeQL-detected alerts with Copilot Autofix.
The image displays a code snippet from a JavaScript file named "collection.js" located in the "routes" directory. The code is highlighted in three steps, with Step 1 being the focus. In Step 1, the variable "jsonQuery" is assigned the value of "req.query.query". The code snippet includes four lines where variables are defined and assigned values from the request query object. The background has a gradient blue color.

Reduce security debt

GitHub Code Security continuously scans your code as you build, helping detect vulnerabilities early, fix them fast with Copilot Autofix, and ship securely.
The image displays a dashboard for an SQL injection (CWE-89) campaign aimed at remediating Cross-Site Scripting (XSS) vulnerabilities. The dashboard has three main sections: Campaign progress, Status, and Copilot Autofix. In the Campaign progress section, it shows 97% completion with 701 alerts, where 701 are closed and 13 are in progress. It also notes that the campaign started 20 days ago. The Status section indicates there are 7 days left until the deadline on November 15, 2024. The Copilot Autofix section mentions that there are 670 supported alerts and provides information about how Copilot Autofix can help fix these alerts automatically.

Catch risks early

Identify new dependencies and check for vulnerabilities or license issues with the Dependency Review Action.
The image shows a "Dependency Review" report generated by the GitHub Actions bot. The report lists the following issues: 0 vulnerable packages, 1 package with incompatible licenses, and 0 packages with unknown licenses. Each issue has a "Details" link next to it for more information.
Copilot Autofix streamlines security by flagging vulnerabilities and suggesting fixes instantly, keeping code secure while freeing teams for strategic work.”
otto group logo
Mario Landgrafcommunity manager of security at Otto GmbH & Co. KGaA

Build secure software from day one

Security should be built in, not bolted on. With Code Security, you can find, fix, and prevent vulnerabilities seamlessly—keeping your software resilient from development to deployment.
Request a demoSee plans & pricing

Best practices for more secure software

Discover developer-first security

Take an in-depth look at the current state of application security.

View the webinar

Explore the DevSecOps guide

Learn how to write more secure code from the start with DevSecOps.
Read the whitepaper

Avoid AppSec pitfalls

Explore common application security pitfalls and how to avoid them.

Read the whitepaper

FAQs

What is Code Security?

GitHub Code Security empowers developers to secure their code without sacrificing speed. With built-in static analysis, AI-powered remediation, advanced dependency scanning, and proactive vulnerability management, teams can automatically detect, prioritize, and remediate security issues, all within their existing GitHub workflow—allowing them to deliver secure software faster and with greater confidence

What is Copilot Autofix?

Copilot Autofix uses AI-powered code suggestions to automatically fix security vulnerabilities identified by CodeQL. When a security vulnerability is detected, Copilot Autofix analyzes the code context, understands the underlying security issue, and generates a precise, contextually appropriate fix. This feature bridges the gap between vulnerability detection and remediation, enabling developers to review and apply AI-suggested fixes directly within their workflow.

What are Security Campaigns?

Security campaigns provide a structured framework for planning, tracking, and implementing security fixes across multiple repositories and teams allowing you to systematically burn down security debt. With With security campaigns, security teams can group related vulnerabilities, prioritize remediation efforts, assign ownership, and monitor progress through a unified dashboard. Security campaigns can be organized by vulnerability type, security initiative, compliance requirement, or any other logical grouping to coordinate security improvements at scale.

What is dependency analysis?

Dependency review scans pull requests for vulnerable dependencies before they're introduced into your codebase. It evaluates the security impact of dependency changes, identifying vulnerable packages and their severity levels to prevent security issues from being merged. The tool shows detailed dependency changes by comparing the base and head branches, highlighting added, removed, and updated dependencies along with their known vulnerabilities

What is EPSS?

Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping better assess vulnerability risks. EPSS helps organizations prioritize vulnerability remediation by predicting the likelihood of a vulnerability being exploited in the next 30 days. It provides a score ranging from 0 to 1 (0-100%), alongside a percentile ranking to indicate how the vulnerability compares to others.
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%