GitHub is adopting AI-based scanning in its Code Security tool to complement CodeQL and expand vulnerability detection across additional languages and frameworks. The hybrid model keeps CodeQL for deep semantic analysis while using AI to cover Shell/Bash, Dockerfiles, Terraform, PHP and more, with public preview expected in early Q2 2026 and findings integrated into pull requests alongside Copilot Autofix suggestions. #GitHub #CodeQL
Keypoints
- GitHub is adding AI-based detections to Code Security to supplement CodeQL.
- AI detections will broaden coverage for Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems.
- The hybrid system chooses CodeQL or AI at the pull-request level to catch issues before merging.
- Internal tests processed over 170,000 findings in 30 days with 80% positive developer feedback.
- Copilot Autofix reduced average remediation time to 0.66 hours versus 1.29 hours without Autofix.