Find security issues in real time with CodeQL’s powerful analysis that traces data flows throughout your application.
GitHub Code Security
Application security where found means fixed
Secure your code as you build with GitHub Code Security. Detect vulnerabilities early and fix them with Copilot Autofix.
28 min From vulnerability detection to remediation
3X Faster remediation on average with Copilot Autofix
90% Of alert types include AI-powered code suggestions
Detect and remediate vulnerabilities
early with AI-powered fixes
Remediate at scale
Get contextual explanations and AI-powered fixes for CodeQL-detected alerts with Copilot Autofix.
Reduce security debt
GitHub Code Security continuously scans your code as you build, helping detect vulnerabilities early, fix them fast with Copilot Autofix, and ship securely.
Catch risks early
Identify new dependencies and check for vulnerabilities or license issues with the Dependency Review Action.
Copilot Autofix streamlines security by flagging vulnerabilities and suggesting fixes instantly, keeping code secure while freeing teams for strategic work.”
Build secure software from day one
Security should be built in, not bolted on. With Code Security, you can find, fix, and prevent vulnerabilities seamlessly—keeping your software resilient from development to deployment.
Best practices for more secure software
FAQs
What is Code Security?
GitHub Code Security empowers developers to secure their code without sacrificing speed. With built-in static analysis, AI-powered remediation, advanced dependency scanning, and proactive vulnerability management, teams can automatically detect, prioritize, and remediate security issues, all within their existing GitHub workflow—allowing them to deliver secure software faster and with greater confidence
What is Copilot Autofix?
Copilot Autofix uses AI-powered code suggestions to automatically fix security vulnerabilities identified by CodeQL. When a security vulnerability is detected, Copilot Autofix analyzes the code context, understands the underlying security issue, and generates a precise, contextually appropriate fix. This feature bridges the gap between vulnerability detection and remediation, enabling developers to review and apply AI-suggested fixes directly within their workflow.
What are Security Campaigns?
Security campaigns provide a structured framework for planning, tracking, and implementing security fixes across multiple repositories and teams allowing you to systematically burn down security debt. With With security campaigns, security teams can group related vulnerabilities, prioritize remediation efforts, assign ownership, and monitor progress through a unified dashboard. Security campaigns can be organized by vulnerability type, security initiative, compliance requirement, or any other logical grouping to coordinate security improvements at scale.
What is dependency analysis?
Dependency review scans pull requests for vulnerable dependencies before they're introduced into your codebase. It evaluates the security impact of dependency changes, identifying vulnerable packages and their severity levels to prevent security issues from being merged. The tool shows detailed dependency changes by comparing the base and head branches, highlighting added, removed, and updated dependencies along with their known vulnerabilities
What is EPSS?
Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping better assess vulnerability risks. EPSS helps organizations prioritize vulnerability remediation by predicting the likelihood of a vulnerability being exploited in the next 30 days. It provides a score ranging from 0 to 1 (0-100%), alongside a percentile ranking to indicate how the vulnerability compares to others.