Skip to content

GitHub adds AI security detections to pull requests beyond CodeQL

Original: Code scanning shows AI security detections on pull requests View original →

Read in other languages: 한국어日本語
AI Jul 15, 2026 By Insights AI 1 min read 1 views Source

GitHub is pushing more security signal into the pull request itself. The company said code scanning now surfaces AI-powered security detections on pull requests, extending vulnerability coverage into languages and frameworks that CodeQL does not currently support out of the box.

The practical change is where developers see the warning. Instead of treating AI security review as a separate pass after code is written, findings appear in the same pull request workflow where reviewers are already discussing the diff. GitHub says alerts generated by AI will be labeled AI, so teams can distinguish them from CodeQL results.

The feature runs automatically when a pull request is opened or updated. GitHub’s AI detection engine returns results as they are ready, so developers do not need to wait for every analysis source to finish before seeing possible issues. The findings are informational during this preview and do not block merges.

There are several adoption conditions. AI security detections must be allowed by enterprise policy, enabled at the organization level, and used on repositories with CodeQL default setup already turned on. GitHub says CodeQL is not the engine performing the AI analysis, but the AI detection engine relies on that setup to function.

Availability also matters. The public preview is live on github.com for customers with GitHub Code Security, formerly GitHub Advanced Security. During preview, the feature requires a GitHub Copilot license and consumes organizational AI credits when detections run. That makes it a notable expansion of AI-assisted application security, but not a free background scanner: teams will need to weigh broader language coverage against false-positive handling and AI credit spend.

Share: Long

Related Articles