Security campaigns are now generally available to help address security debt at scale

Security campaigns with Copilot Autofix are now generally available. As part of GitHub Code Security, you can use security campaigns to prioritize and rapidly reduce your backlog of application security debt. Copilot Autofix generates contextual explanations and fixes for historical code scanning alerts in a security campaign, which help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

With the help of GitHub’s CodeQL and Copilot Autofix, it has never been easier to prevent new vulnerabilities from being added to your code. However, if you don’t address vulnerabilities discovered in already-merged code, security debt can build up and pose a serious risk to deployed applications.

A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes, and the developers most familiar with the affected code are notified. From there, they can review the suggested fixes, open pull requests, and remediate the security debt. Security teams can monitor the progress of the campaign and track the number of fixed alerts. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts that maximize impact by focusing on the alerts that matter.

Starting today, you can also access these new features to plan and manage security campaigns more effectively:

  • Draft security campaigns: Security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.
  • Automated GitHub issues: Security managers can optionally create GitHub issues in repositories that have alerts included in the campaign. These issues are created and automatically updated as the campaign progresses and can be used by teams to track, manage, and discuss campaign-related work.
  • Organization-level security campaign statistics: Security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.

Security campaigns are available for users of GitHub Code Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.

If you have any feedback on security campaigns, join the discussion in GitHub Community.

Copilot code review is now generally available!

Code review is one of the most critical parts of software development, but manual code reviews can be time-consuming. Copilot code review lets you offload basic reviews to a Copilot agent that finds bugs and potential performance problems and even suggests fixes. This means you can start iterating on your code while waiting for a human review, which supplements rather than replaces it, helping you keep your repositories more maintainable and focused on quality.

In just over a month since we launched the public preview, over 1 million developers have already used Copilot code review, and the response has been incredible.

To request a code review from Copilot, you can set up automatic reviews in a repository through repository rules, or ask Copilot to review a specific pull request on demand.

Copilot code review is available to all paid Copilot subscribers. Organizations and enterprises can enable it through the Copilot in github.com policy.

What’s next

We’re continuously improving Copilot code review. Today we’ve added support for C, C++, Kotlin, and Swift in public preview and we’ll add support for HTML and txt early next week.

To learn more, check out our code review docs. We can’t wait for you to try out these improvements, and we’d love your feedback in this GitHub Community discussion!