GitHub Brings AI-Powered Security Detection to Pull Requests
Key Takeaways
- ▸AI-powered security detections now surface directly on pull requests with broader language and framework coverage than CodeQL alone provides
- ▸AI-generated findings are clearly labeled to distinguish them from traditional static analysis, giving developers full transparency on detection sources
- ▸Feature requires GitHub Advanced Security and GitHub Copilot license; available in public preview with AI credit consumption
Summary
GitHub has announced the public preview of AI-powered security detections directly integrated into pull requests, significantly expanding code scanning coverage beyond what's traditionally supported by CodeQL. The new capability extends to languages and frameworks previously not covered, reducing blind spots in codebase analysis and enabling teams to catch potential vulnerabilities earlier in the development process.
The AI detection engine automatically runs when pull requests are opened or updated, surfacing security findings directly in the PR interface alongside traditional CodeQL results. Developers can review and address identified issues as part of their normal workflow before code is merged. Alerts generated by the AI engine are clearly labeled to distinguish them from CodeQL-based findings, maintaining transparency about the source of each detection.
The feature is now available in public preview for customers with GitHub Code Security (GitHub Advanced Security). It requires enterprise-level approval and organization-level enablement, working in conjunction with CodeQL default setup. During the preview phase, the feature requires a GitHub Copilot license and draws from the organization's AI credits only when detections run.



