CodeQL code scanning can analyze Java and C# codebases without needing a build (GA)

CodeQL code scanning can now analyze Java and C# code without having to observe a build. This makes it easier to roll out the security analysis on large numbers of repositories, especially when enabling and managing repositories with GHAS security configurations.

CodeQL is the analysis engine that powers GitHub code scanning. When analyzing source code, it is important that the analysis engine has detailed knowledge of all aspects of the codebase. Now, the analysis engine no longer depends on observing the build process for Java and C# code, resulting in higher setup success and adoption rates for CodeQL code scanning (Java and C#).

During the testing of this feature, we validated that the analysis results were as accurate as the previous methodology. This feature was previously in public beta earlier this year (Java, C#), when it became the new default analysis mode for new users of CodeQL code scanning for these languages. Some customers experienced time significant savings as some tasks that previously took weeks now are achievable in minutes.

CodeQL’s new zero-configuration analysis mechanisms for both Java and C# are available on GitHub.com. If you are setting up CodeQL code scanning for these repositories, you will benefit from this analysis mechanism by default. If you set up CodeQL code scanning for Java or C# before their respective public beta releases of this feature, your analysis will remain unchanged (but can be migrated by disabling the current configuration and re-enabling code scanning using default setup). This new functionality will also be released to our GitHub Enterprise Server (GHES) customers starting with version 3.14 for Java and 3.15 for C#.

Repositories that use code scanning advanced setup will continue to use whichever analysis mechanism is specified in the Actions workflow file. The template for new analysis configurations now uses the new analysis mechanism by specifying `build-mode: none`. The old analysis mechanisms remain available. Users of the CodeQL CLI can find more documentation here.

Learn more about GitHub code scanning. If you have any feedback about these new analysis mechanisms for Java and C#, please join the discussion here.

Custom models for GitHub Copilot are now available in Limited Public Beta for Copilot Enterprise. This new capability lets you fine-tune Copilot to better understand and align with your organization’s unique coding practices, improving the relevance and accuracy of code suggestions across your projects.

What are custom models?

Custom models are large language models (LLMs) that have been fine-tuned using your organization’s codebases. By training a model on your proprietary libraries, specialized languages, and internal coding patterns, Copilot delivers code suggestions that are more context-aware and tailored to your organization’s needs.

During this beta, you can create a custom model using your GitHub repositories. Optionally, you may also enable the collection of code snippets and telemetry from developers’ Copilot prompts and responses to further fine-tune the model. This process closely aligns Copilot’s suggestions with your coding practices, making them more relevant and accurate. As a result, your development teams will spend less time on code reviews, debugging, and manual code adjustments, ultimately boosting team productivity and ensuring more consistent code quality.

Custom-Model-Training-Config

Importantly, your data remains entirely yours. It is never used to train another customer’s model, and your custom model is kept private, ensuring full control, security, and privacy.

When to Use Custom Models

Custom models enable you to make Copilot’s suggestions more relevant to your specific needs, which can lead to higher acceptance rates of the code suggested by Copilot among your developers. Consider using custom models in the following scenarios:

  • Enhance Library and API Usage: When your organization relies heavily on custom libraries or APIs that aren’t well-represented in public datasets, a custom model can prioritize these in its suggestions, making it easier for your developers to follow internal standards.

  • Improve Support for Specialized Languages: If your team works with less common or proprietary languages, custom models can make Copilot much more effective. Fine-tuning helps Copilot understand these languages better, reducing friction and improving productivity.

  • Adapt to Evolving Codebases: As your codebase changes, you have full control over when and how often to retrain your custom model. By regularly retraining, you can ensure that Copilot keeps up with the latest coding patterns, so it continues to provide relevant and accurate suggestions.

How to Get Started

  1. Sign Up for the Beta:
    Sign up here to participate in the Limited Public Beta and make sure your organization is on the Copilot Enterprise plan.

  2. Prepare Your Repositories:
    Choose the repositories that best reflect your organization’s coding standards. Include those with proprietary libraries, specialized languages, or key internal frameworks to get the most out of fine-tuning. If your enterprise has multiple GitHub organizations, note that only one organization and its repositories can be used for training during this beta.

  3. Enable Telemetry Collection:
    To further customize your model, consider enabling the collection of code snippets and telemetry related to developers’ prompts and Copilot’s suggestions. This data will be securely collected and used for additional fine-tuning, improving the accuracy and relevance of Copilot’s output for your team. Your data will only be used to enhance your custom model and will not be shared with others. For more details about our data-handling practices, please visit the Trust & Security Center or review GitHub’s data protection agreement.

  4. Training and Usage:
    After setup, your custom model will be trained using the selected repositories. Once it’s ready, your developers’ IDEs will automatically start using the custom model, which will inform all in-line code completions.

  5. Monitoring & Quality Assessment:
    Regularly retrain your custom model to keep it aligned with new code and evolving practices. Use the Copilot Usage Metrics API to track metrics like suggestion acceptance rates and see how much it’s improving.

Additional Resources

See more

Push protection bypass requests will now show file path and branch information for the secret. This improvement helps you more effectively triage any secrets for which you’ve requested push protection bypasses. Branch information is only available for pushes to single branches.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in the dedicated GitHub community discussion or signing up for a 60 minute feedback session.

See more