Skip to content

Commit cb5d694

Browse files
sophiethekingCopilotCopilothubwriterhharen
authored
Code scanning shows AI security detections on PRs [public preview] (#60689)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Hana Harencarova <hharen@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 4efb676 commit cb5d694

8 files changed

Lines changed: 125 additions & 3 deletions

File tree

content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -120,3 +120,20 @@ Across all of your enterprise's organizations, you can allow or disallow people
120120
> This policy controls the use of {% data variables.copilot.copilot_autofix_short %} on results found by {% data variables.product.prodname_code_scanning %} security queries only. {% data variables.copilot.copilot_autofix_short %} is an integral part of {% data variables.product.prodname_code_quality %} and cannot be disabled for that feature.
121121
122122
{% endif %}
123+
124+
{% ifversion ai-powered-security-detections %}
125+
126+
## Enforcing a policy to manage the use of AI-powered security detections in your enterprise's repositories
127+
128+
As an enterprise owner, you can control whether organization and repository administrators can enable AI-powered security detections for their organizations and repositories. This policy is set to "Not allowed" by default.
129+
130+
Allowing AI-powered security detections at the enterprise level does not enable the feature. Organization administrators must still explicitly enable AI-powered security detections. Repository administrators can opt-out of the feature.
131+
132+
This policy only takes effect if {% data variables.product.prodname_codeql %} default setup is enabled.
133+
134+
{% data reusables.enterprise-accounts.access-enterprise %}
135+
{% data reusables.enterprise-accounts.policies-tab %}
136+
{% data reusables.enterprise-accounts.code-security-and-analysis-policies %}
137+
1. Under "AI Findings", select the dropdown menu and click a policy.
138+
139+
{% endif %}
Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
---
2+
title: AI-powered security detections in pull requests
3+
shortTitle: AI-powered security detections
4+
allowTitleToDifferFromFilename: true
5+
intro: 'AI-powered security detections use an AI-based scanning engine to find security vulnerabilities in pull requests for languages and frameworks not covered by {% data variables.product.prodname_codeql %}.'
6+
versions:
7+
feature: ai-powered-security-detections
8+
contentType: concepts
9+
category:
10+
- Find and fix code vulnerabilities
11+
---
12+
13+
> [!NOTE]
14+
> AI-powered security detections are currently in {% data variables.release-phases.public_preview %} and subject to change.
15+
16+
AI-powered security detections are additional security findings produced by an AI-based scanning engine that runs on pull requests and complements {% data variables.product.prodname_codeql %}. Unlike {% data variables.product.prodname_codeql %} alerts, AI-powered findings are only available on pull requests and do not appear as backlog alerts in the repository's security view.
17+
18+
While {% data variables.product.prodname_codeql %} provides high-precision static analysis for a specific set of supported languages and queries, many repositories use languages and frameworks that {% data variables.product.prodname_codeql %} does not cover. AI-powered detections expand {% data variables.product.prodname_code_scanning %} coverage into these areas, helping you find vulnerabilities without adding new tools or configuration.
19+
20+
During the {% data variables.release-phases.public_preview %}, AI-powered security detections require a {% data variables.product.prodname_GHAS %} license and a {% data variables.product.prodname_copilot %} license.
21+
22+
Usage consumes {% data variables.product.prodname_ai_credits_short %}. See [AUTOTITLE](/copilot/concepts/billing/usage-based-billing-for-organizations-and-enterprises).
23+
24+
## How AI-powered security detections work
25+
26+
AI-powered security detections run automatically on pull requests in repositories where {% data variables.product.prodname_codeql %} default setup is enabled and AI-powered detections have been opted into. The AI-based scan is triggered on pull request creation and after each new commit, the same as {% data variables.product.prodname_codeql %}.
27+
28+
AI-powered findings are advisory and do not block pull request merges. They provide signals about where code security can be improved without interrupting your workflow.
29+
30+
The AI scanning engine works directly with the code in the pull request and does not require a build system. It uses tools such as code search to gather additional context from the repository when deciding whether to flag an issue. It uses its own specialized prompts and does not use custom instruction files such as `/.github/copilot-instructions.md` or `/CLAUDE.md`.
31+
32+
The AI scan runs independently of {% data variables.product.prodname_codeql %}'s status. If {% data variables.product.prodname_codeql %} default setup fails or is in a waiting state, AI-powered detections will still run.
33+
34+
Results are posted to the pull request as they are found. If the {% data variables.product.prodname_codeql %} scan takes longer to complete, you may see AI-powered findings before {% data variables.product.prodname_codeql %} results appear, or vice versa.
35+
36+
## How findings appear on pull requests
37+
38+
AI-powered findings appear alongside {% data variables.product.prodname_codeql %} alerts on the **Conversation** and **Files changed** tabs of a pull request. Each AI-powered finding is labeled with an "AI" indicator so you can distinguish it from {% data variables.product.prodname_codeql %} alerts.
39+
40+
Each finding includes a description of the security issue and an explanation of the risk. Most findings also include a suggested remediation, but not every finding has one. Where a suggested remediation is available, {% data variables.copilot.copilot_autofix_short %} is included and provides a recommended code change to fix the issue, the same way it does for {% data variables.product.prodname_codeql %} alerts. Findings also include a thumbs up/down feedback mechanism that helps improve detection quality over time.
41+
42+
## Limitations
43+
44+
* AI-powered security detections analyze pull requests only. Full repository scans are not supported.
45+
* AI-powered findings cannot yet be used in rulesets to enforce merge requirements
46+
* Detection categories and supported languages may change as the feature evolves.
47+
* As with any AI-based tool, findings may include false positives. Use the feedback mechanism to report inaccurate results.
48+
49+
## Supported languages
50+
51+
AI-powered security detections are designed to cover languages and frameworks that are not currently supported by {% data variables.product.prodname_codeql %}. This includes, but is not limited to, languages such as PHP, Shell/Bash, Terraform configuration (HCL), and Dockerfiles, as well as framework coverage gaps such as JSP for Java and Blazor for C#.
52+
53+
For a full list of languages supported by {% data variables.product.prodname_codeql %}, see [AUTOTITLE](/code-security/concepts/code-scanning/codeql/about-code-scanning-with-codeql#supported-languages-and-frameworks).
54+
55+
## Detection categories
56+
57+
AI-powered security detections currently cover the following categories. These categories describe how findings are classified. The AI scanner may evolve over time as models improve.
58+
59+
* **String injection** — Unsafe string-built SQL, HTML, shell, JSON, or YAML with missing or incorrect escaping or sanitization.
60+
* **Weak cryptography** — Weak algorithms, small keys, insecure randomness, missing encryption, or weak password hashing.
61+
* **Broken access control** — Path traversal, CSRF gaps, or user-driven open redirects.
62+
* **Sensitive data exposure** — Secrets, tokens, passwords, or stack traces stored, logged, or sent without adequate protection.
63+
* **Security misconfiguration** — Risky defaults or settings, such as disabling security controls or enabling debug features.
64+
* **Authentication failures** — Missing TLS or validation, insecure authentication flows, or missing rate limiting.
65+
* **Data integrity failures** — Unsafe deserialization, HTTP for sensitive actions, prototype pollution, or executing untrusted content.
66+
* **Server-side request forgery (SSRF)** — Server fetches attacker-controlled URLs, hosts, or protocols.
67+
* **Supply chain risks** — Unpinned third-party actions, packages, or images, or downloads without integrity checks.
68+
69+
## Enabling AI-powered security detections
70+
71+
AI-powered security detections are not allowed at the enterprise level by default and disabled at the organization and repository levels. Enterprise administrators must explicitly allow the feature before organizations can enable it. Organization administrators must explicitly opt in to the feature. Repository administrators can opt-out of the feature. Additionally, you need to have the {% data variables.product.prodname_codeql %} default setup enabled.
72+
73+
You do not need to select a model to enable AI-powered security detections.
74+
75+
* **Enterprise**: The **AI Findings** policy under "Code Security" controls whether organizations can enable the feature. See [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise#enforcing-a-policy-to-manage-the-use-of-ai-powered-security-detections-in-your-enterprises-repositories).
76+
* **Organization**: The **AI findings** setting under "Code scanning" enables AI-powered detections for repositories in the organization. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configuring-global-security-settings-for-your-organization#enabling-ai-powered-security-detections).
77+
* **Repository**: The **AI findings** toggle under "Code scanning" enables or disables AI-powered detections for the individual repository. Repositories inherit the organization setting but can opt out individually.

content/code-security/concepts/code-scanning/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ children:
1414
- /code-scanning-alerts
1515
- /risk-assessment
1616
- /copilot-autofix-for-code-scanning
17+
- /ai-powered-security-detections
1718
- /setup-types
1819
- /integration-with-code-scanning
1920
- /sarif-files

content/code-security/getting-started/github-security-features.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -203,6 +203,14 @@ Get automatically generated fixes for {% data variables.product.prodname_code_sc
203203

204204
{% endif %}
205205

206+
{% ifversion ai-powered-security-detections %}
207+
208+
### AI-powered security detections
209+
210+
Find vulnerabilities in languages and frameworks not covered by {% data variables.product.prodname_codeql %} with an AI-based scanning engine that runs during pull request review. See [AUTOTITLE](/code-security/concepts/code-scanning/ai-powered-security-detections).
211+
212+
{% endif %}
213+
206214
### {% data variables.dependabot.custom_rules_caps %} for {% data variables.product.prodname_dependabot %}
207215

208216
{% data reusables.dependabot.dependabot-custom-rules-ghas %}

content/code-security/getting-started/quickstart-for-securing-your-repository.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -123,7 +123,7 @@ You can configure {% data variables.product.prodname_code_scanning %} to automat
123123
1. If "{% data variables.product.prodname_code_security %}" or "{% data variables.product.prodname_GHAS %}" is not already enabled, click **Enable**.
124124
1. To the right of "CodeQL analysis", select **Set up** {% octicon "triangle-down" aria-hidden="true" aria-label="triangle-down" %}, then click **Default**.
125125
1. In the pop-up window that appears, review the default configuration settings for your repository, then click **Enable {% data variables.product.prodname_codeql %}**.{% ifversion code-scanning-autofix %}
126-
1. Choose whether you want to enable addition features, such as {% data variables.copilot.copilot_autofix_short %}.{% endif %}
126+
1. Choose whether you want to enable addition features, such as {% data variables.copilot.copilot_autofix_short %} or AI-powered security detections.{% endif %}
127127

128128
As an alternative to default setup, you can use advanced setup, which generates a workflow file you can edit to customize your {% data variables.product.prodname_code_scanning %} with {% data variables.product.prodname_codeql %}. For more information, see [AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql).
129129

content/code-security/how-tos/secure-at-scale/configure-organization-security/establish-complete-coverage/configure-global-settings.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,8 +102,13 @@ You can recommend that repositories in your organization use the "Extended" quer
102102

103103
You can customize several {% data variables.product.prodname_global_settings %} for {% data variables.product.prodname_code_scanning %}:
104104

105-
{% ifversion code-scanning-autofix %}* [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql){% endif %}
106105
* [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup)
106+
{%- ifversion code-scanning-autofix %}
107+
* [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql)
108+
{%- endif %}
109+
{%- ifversion ai-powered-security-detections %}
110+
* [Enabling AI-powered security detections](#enabling-ai-powered-security-detections)
111+
{%- endif %}
107112
* [Expanding {% data variables.product.prodname_codeql %} analysis](#expanding-codeql-analysis)
108113
{%- ifversion code-scanning-inactive-repos %}
109114
* [Continuing scans on inactive repositories](#continuing-scans-on-inactive-repositories)
@@ -123,6 +128,14 @@ You can select **{% data variables.copilot.copilot_autofix_short %}** to enable
123128

124129
{% endif %}
125130

131+
{% ifversion ai-powered-security-detections %}
132+
133+
### Enabling AI-powered security detections
134+
135+
You can select **AI-powered security detections** to enable AI-powered security detections for all repositories in your organization that use {% data variables.product.prodname_codeql %} default setup. See [AUTOTITLE](/code-security/concepts/code-scanning/ai-powered-security-detections).
136+
137+
{% endif %}
138+
126139
### Expanding {% data variables.product.prodname_codeql %} analysis
127140

128141
You can expand {% data variables.product.prodname_codeql %} analysis coverage for all repositories in your organization that use default setup by configuring {% data variables.product.prodname_codeql %} model packs. Model packs extend the {% data variables.product.prodname_codeql %} analysis to recognize additional frameworks and libraries that are not included in the standard {% data variables.product.prodname_codeql %} libraries. This global configuration applies to repositories using default setup and allows you to specify model packs published via the container registry. For more information, see [AUTOTITLE](/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).

content/get-started/learning-about-github/about-github-advanced-security.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,9 @@ You get the following features with {% data variables.product.prodname_GH_code_s
3434

3535
* **{% data variables.product.prodname_codeql_cli %}**: Run {% data variables.product.prodname_codeql %} processes locally on software projects or to generate {% data variables.product.prodname_code_scanning %} results for upload to {% data variables.product.github %}.{% ifversion code-scanning-autofix %}
3636

37-
* **{% data variables.copilot.copilot_autofix_short %}**: Get automatically generated fixes for {% data variables.product.prodname_code_scanning %} alerts.{% endif %}{% ifversion security-campaigns %}
37+
* **{% data variables.copilot.copilot_autofix_short %}**: Get automatically generated fixes for {% data variables.product.prodname_code_scanning %} alerts.{% ifversion ai-powered-security-detections %}
38+
39+
* **AI-powered security detections**: Find vulnerabilities in languages and frameworks not covered by {% data variables.product.prodname_codeql %} with an AI-based scanning engine that runs during pull request review.{% endif %}{% endif %}{% ifversion security-campaigns %}
3840

3941
* **Security campaigns**: Reduce security debt at scale.{% endif %}
4042

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
# Reference: #20824
2+
versions:
3+
ghec: '*'
4+
fpt: '*'

0 commit comments

Comments
 (0)