
GitHub adds AI-powered bug detection to expand security coverage

Why This Matters

GitHub's integration of AI-powered bug detection into its Code Security tools marks a significant advancement in application security, enabling broader and more efficient vulnerability detection across multiple languages and frameworks. This hybrid approach enhances developers' ability to identify and fix security issues early in the development process, ultimately strengthening software security and reducing potential exploits.

Key Takeaways

GitHub is adopting AI-based scanning for its Code Security tool to expand vulnerability detections beyond the CodeQL static analysis and cover more languages and frameworks.

The developer collaboration platform says that the move is meant to uncover security issues "in areas that are difficult to support with traditional static analysis alone."

CodeQL will continue to provide deep semantic analysis for supported languages, while AI detections will provide broader coverage for Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems.

The new hybrid model is expected to enter public preview in early Q2 2026, possibly as soon as next month.

Finding bugs before they bite

GitHub Code Security is a set of application security tools integrated directly into GitHub repositories and workflows.

It is available for free (with limitations) for all public repositories; paying users can access the full set of features for private and internal repositories as part of the GitHub Advanced Security (GHAS) add-on suite.

It offers code scanning for known vulnerability patterns, dependency scanning to pinpoint vulnerable open-source libraries, secret scanning to uncover leaked credentials in public assets, and security alerts with Copilot-powered remediation suggestions.

The security tools operate at the pull request level, with the platform selecting the appropriate tool (CodeQL or AI) for each case, so any issues are caught before merging the potentially problematic code.

If any issues, such as weak cryptography, misconfigurations, or insecure SQL, are detected, those are presented directly in the pull request.
