Catch AI-era vulnerabilities before merge with GitHub code scanning and Copilot security review
GitHub now surfaces AI-powered code scanning detections on pull requests and added an on-demand /security-review command in the Copilot app, giving teams two new preview paths to catch security issues before code lands.
Confirmed: GitHub shipped two security-focused AI updates on July 14, 2026. Code scanning can now show AI-powered detections directly on pull requests, and the GitHub Copilot app added a /security-review command for in-flight code changes. Both are public preview features, so teams should check licensing, policy controls, and billing before routing production review workflows through them.

What changed
GitHub code scanning now surfaces AI-powered security detections on pull requests. GitHub says the feature is meant to expand coverage to languages and frameworks that CodeQL does not currently cover, with AI-labeled findings appearing inside the existing pull request review flow.
GitHub also added /security-review to the Copilot app. The command scans current workstream changes and returns severity-scored findings, confidence signals, and suggested fixes without requiring developers to leave the Copilot app.
Key takeaways
- AI security detections appear directly on pull requests and are labeled as AI-generated findings.
- The feature requires GitHub Code Security or GitHub Advanced Security, CodeQL default setup, and enterprise or organization enablement.
- AI detections are informational during public preview and do not block merges.
/security-reviewis available in public preview to Copilot Free, Pro, Business, and Enterprise users.- Billing matters: AI security detections require a Copilot license and consume organization AI credits when detections run.
Availability and access
| Feature | Best fit | Access | Cost/status | Caveat |
|---|---|---|---|---|
| AI-powered code scanning detections | Pull request security checks across broader languages and frameworks | GitHub Code Security or Advanced Security with CodeQL default setup | Public preview; consumes Copilot AI credits | Findings are informational and need policy enablement |
Copilot app /security-review | On-demand review of local or in-flight changes | Copilot Free, Pro, Business, and Enterprise during preview | Public preview | Output should complement, not replace, normal review and scanning |
| Agentic autofix context | Fixing existing code scanning alerts | Code Security or Advanced Security plus Copilot cloud agent | Public preview; consumes AI credits and Actions minutes | Separate workflow from detection; still needs human review |
Why it matters
Security review is moving closer to the point where AI-generated and AI-edited code enters a pull request. For teams already using Copilot, the practical change is not a new dashboard. It is earlier triage: developers can see AI-labeled security findings in PRs and run a focused review command before the branch is ready for human review.
The useful workflow is simple: keep deterministic CodeQL checks enabled, let AI detections widen coverage where CodeQL is thin, and use /security-review for risky changes before requesting review. Teams tracking agent-heavy development should also bookmark LinkLoot's AI agent tools guide to compare review, coding, and automation tools without mixing them into one security control.
What to verify before you act
- Confirm that GitHub Code Security or GitHub Advanced Security is active for the target repositories.
- Check whether an enterprise owner has allowed AI security detections and whether the organization has enabled them.
- Review Copilot AI credit budgets before enabling broad pull request coverage.
- Treat preview findings as triage signals until your team has measured false positives and missed issues on real repositories.
- Keep branch protection, required reviews, secret scanning, Dependabot, and CodeQL in place.
Source check
Confirmed by: GitHub's July 14 changelog says AI-powered code scanning detections now appear on pull requests, require CodeQL default setup, are informational in public preview, and consume Copilot AI credits. GitHub's second July 14 changelog says /security-review is now available in the Copilot app public preview.
Independent context: PatchBot indexed the GitHub Copilot /security-review rollout on July 14, 2026 and linked back to the GitHub source feed. LinkLoot treats future GA availability, billing changes, and blocking-policy support as update triggers.
No. GitHub describes the pull request AI security detections as a public preview on github.com.
