Catch AI-era vulnerabilities before merge with GitHub code scanning and Copilot security review

GitHub source image for AI-powered code scanning detections on pull requests.GitHub Changelog
GitHub source image for AI-powered code scanning detections on pull requests.GitHub Changelog
Tools & Apps

GitHub now surfaces AI-powered code scanning detections on pull requests and added an on-demand /security-review command in the Copilot app, giving teams two new preview paths to catch security issues before code lands.

Confirmed: GitHub shipped two security-focused AI updates on July 14, 2026. Code scanning can now show AI-powered detections directly on pull requests, and the GitHub Copilot app added a /security-review command for in-flight code changes. Both are public preview features, so teams should check licensing, policy controls, and billing before routing production review workflows through them.

GitHub code scanning source image
Source image from GitHub Changelog.

What changed

GitHub code scanning now surfaces AI-powered security detections on pull requests. GitHub says the feature is meant to expand coverage to languages and frameworks that CodeQL does not currently cover, with AI-labeled findings appearing inside the existing pull request review flow.

GitHub also added /security-review to the Copilot app. The command scans current workstream changes and returns severity-scored findings, confidence signals, and suggested fixes without requiring developers to leave the Copilot app.

Key takeaways

  • AI security detections appear directly on pull requests and are labeled as AI-generated findings.
  • The feature requires GitHub Code Security or GitHub Advanced Security, CodeQL default setup, and enterprise or organization enablement.
  • AI detections are informational during public preview and do not block merges.
  • /security-review is available in public preview to Copilot Free, Pro, Business, and Enterprise users.
  • Billing matters: AI security detections require a Copilot license and consume organization AI credits when detections run.

Availability and access

FeatureBest fitAccessCost/statusCaveat
AI-powered code scanning detectionsPull request security checks across broader languages and frameworksGitHub Code Security or Advanced Security with CodeQL default setupPublic preview; consumes Copilot AI creditsFindings are informational and need policy enablement
Copilot app /security-reviewOn-demand review of local or in-flight changesCopilot Free, Pro, Business, and Enterprise during previewPublic previewOutput should complement, not replace, normal review and scanning
Agentic autofix contextFixing existing code scanning alertsCode Security or Advanced Security plus Copilot cloud agentPublic preview; consumes AI credits and Actions minutesSeparate workflow from detection; still needs human review

Why it matters

Security review is moving closer to the point where AI-generated and AI-edited code enters a pull request. For teams already using Copilot, the practical change is not a new dashboard. It is earlier triage: developers can see AI-labeled security findings in PRs and run a focused review command before the branch is ready for human review.

The useful workflow is simple: keep deterministic CodeQL checks enabled, let AI detections widen coverage where CodeQL is thin, and use /security-review for risky changes before requesting review. Teams tracking agent-heavy development should also bookmark LinkLoot's AI agent tools guide to compare review, coding, and automation tools without mixing them into one security control.

What to verify before you act

  • Confirm that GitHub Code Security or GitHub Advanced Security is active for the target repositories.
  • Check whether an enterprise owner has allowed AI security detections and whether the organization has enabled them.
  • Review Copilot AI credit budgets before enabling broad pull request coverage.
  • Treat preview findings as triage signals until your team has measured false positives and missed issues on real repositories.
  • Keep branch protection, required reviews, secret scanning, Dependabot, and CodeQL in place.

Source check

Confirmed by: GitHub's July 14 changelog says AI-powered code scanning detections now appear on pull requests, require CodeQL default setup, are informational in public preview, and consume Copilot AI credits. GitHub's second July 14 changelog says /security-review is now available in the Copilot app public preview.

Independent context: PatchBot indexed the GitHub Copilot /security-review rollout on July 14, 2026 and linked back to the GitHub source feed. LinkLoot treats future GA availability, billing changes, and blocking-policy support as update triggers.

FAQ

No. GitHub describes the pull request AI security detections as a public preview on github.com.