Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

codeql

Subscribe to all “codeql” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Enhanced CodeQL pull request alerts report

December 9, 2024

The metrics overview for CodeQL pull request alerts now includes enhanced tracking and reporting mechanisms, resulting in greater accuracy and more CodeQL pull request alerts and Copilot Autofixes displayed on the dashboard.

These changes retroactively affect the dashboard numbers, allowing you to effectively monitor your organization’s security posture.

With these insights, you can proactively identify and address security risks before they reach your default branch. The metrics overview for CodeQL pull request alerts helps you understand how effectively CodeQL prevents vulnerabilities in your organization. You can use these metrics to easily identify the repositories where action is needed to mitigate security risks.

The change is now generally available on GitHub Enterprise Cloud.

Learn more about security overview and code scanning.

See more See more

Code scanning now creates alert-related events in audit log

December 4, 2024

The enterprise and organization-level audit log events are now created when a code scanning alert is created, fixed, dismissed, reopened, or appeared in a new branch:
– code_scanning.alert_created – a code scanning alert was seen for the first time;
– code_scanning.alert_appeared_in_branch – an existing code scanning alert appeared in a branch;
– code_scanning.alert_closed_became_fixed – a code scanning alert was fixed;
– code_scanning.alert_reappeared – a code scanning alert that was previously fixed reappeared;
– code_scanning.alert_closed_by_user – a code scanning alert was manually dismissed;
– code_scanning.alert_reopened_by_user – a code scanning alert that was previously dismissed was reopened.

The new functionality, which will be included in GHES 3.17, provides more insight into the history of a code scanning alert for easier troubleshooting and analysis.

For more information:
– Learn more about code scanning
– Learn more about audit log events for your enterprise
– Learn more about audit log events for your organization

See more See more

Improved support for labeled Actions runners in CodeQL code scanning

December 3, 2024

When configuring CodeQL security analysis using code scanning’s default setup, you can now specify whether to run the analysis on a standard GitHub-hosted runner, a larger GitHub-hosted runner, or a self-hosted runner. Previously, support for larger GitHub-hosted and self-hosted runners was limited to those with the code-scanning custom label. Now, you can specify any custom label, ensuring the analysis runs on the desired machine(s).

For example, using a custom label you are able to assign more powerful runners to critical repositories for faster analyses, better spread the workload over GitHub-hosted and self-hosted runners, or run the analysis on a particular platform (like macOS).

The new setting is available today on GitHub.com, and can be configured both at the repository level and within code security configurations for deployments at scale. This new setting will also be included in GitHub Enterprise Server (GHES) version 3.16.

Learn more about configuring default setup for code scanning.

See more See more

Expanded flexibility and control for managing the security manager role

November 26, 2024

For organization owners, managing the security manager role is now easier and more flexible. These updates empower you to tailor security responsibilities and streamline role assignments to fit your needs:

Assign the security manager role to individual users: The security manager role can now be assigned directly to individual users, in addition to teams. This added flexibility ensures security responsibilities are allocated precisely where needed.
Streamlined role management in organization settings: Security manager assignment and configuration is now part of Settings > Organization roles at the organization level. This relocation centralizes and simplifies role management, making it intuitive to oversee security managers alongside other organizational roles.

Security manager assignment modal on the Organization roles - Role assignments page

Building on recent improvements

The addition of custom organization roles with repository permissions takes flexibility to the next level. With these updates, you can customize security roles to balance the right level of responsibility and access for your team. Here’s how you can leverage these features to meet your specific requirements:

Craft a security manager role with fewer permissions: The addition of repository permissions to custom organization roles means you can build custom security roles with a subset of security manager permissions, such as:
- View secret scanning
- Dismiss secret scanning
- View code scanning
- Dismiss code scanning
- Delete code scanning analyses
- View Dependabot alerts
- Dismiss Dependabot alerts
This lets you assign security responsibilities without granting the full access of a security manager role.
Expand the security manager role with additional permissions: Using custom organization roles, you can enhance the security manager role by adding additional organization-level or repository-specific permissions. For example, you can grant audit log access or other highly requested capabilities to create a tailored role that fits your team’s specific needs.

User with security manager role and custom auditor role assigned

These updates are now generally available on GitHub Enterprise Cloud and will be included in GitHub Enterprise Server 3.16.

Learn more about the security manager role, custom organization roles and send us your feedback

See more See more

CSV export for enterprise-level security overview

November 26, 2024

You can now export security data for offline analysis, reporting, and archival purposes on the enterprise-level security overview pages. This includes:

Enterprise-level overview dashboard: Export alert-level data for all your scanning tools—including third-party scanning tools.
Enterprise-level risk page: Export repository-level data with aggregated counts of security alerts per repository for code scanning, Dependabot, and secret scanning.
Enterprise-level coverage page: Export repository-level data showing the enablement state for all Dependabot, code scanning, and secret scanning features.

New Export CSV button highlighted on the overview dashboard on the Security tab at the enterprise level

Just like at the organization level, exports will respect all filters you’ve applied to the page, making it easy to for you to tailor downloads to your specific needs. Whether you’re focused on enterprise-wide insights or repository-level details, the data is now at your fingertips.

You can download all data where you have an appropriate level of access.

Learn more about security overview and send us your feedback

See more See more

SAST vulnerabilities summary now available on the security overview dashboard

October 31, 2024

Now you can better manage and mitigate your security vulnerabilities with a new SAST vulnerabilities summary table, available directly on the security overview dashboard. This feature highlights your top 10 CodeQL and third-party open alerts by count, grouped by vulnerability type.

The SAST vulnerabilities table on the Detection tab of the overview dashboard

When prioritizing which alerts to address first, it’s crucial to consider various factors. One significant factor is the number of instances of a vulnerability across your codebase. The more areas of code affected by a vulnerability, the higher the potential risk for exploitation.

To access the new SAST vulnerabilities table, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and scroll to the bottom of the Detection view on the Overview dashboard. For enterprises, click Code Security in the sidebar, then select Overview and scroll to the bottom of the Detection view.

The SAST vulnerabilities summary is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about security overview insights and join the discussion within the GitHub Community

See more See more

Security campaigns with Copilot Autofix are now in public preview

October 29, 2024

Security campaigns with Copilot Autofix are now in public preview. Available as part of GitHub Advanced Security, security campaigns rapidly reduce your backlog of application security debt. By using Copilot Autofix to generate contextual explanations and code suggestions for up to 1,000 historical code scanning alerts at a time, security campaigns help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

Code scanning detection engines such as GitHub’s CodeQL are incredibly effective at automatically notifying developers about potential security vulnerabilities in their code in the form of code scanning alerts. Most developers fix these vulnerabilities with the help of Copilot Autofix when they’re flagged pull requests. However, in situations where these alerts aren’t remediated in a timely manner, security debt can build up and pose a serious risk to deployed applications. Using security campaigns, security teams and developers can easily collaborate to remediate and eradicate security debt at scale, with the help of Copilot Autofix.

A security campaign on GitHub can contain a large number of code scanning alerts, prioritized by your security team to be fixed within a chosen timeframe. When a campaign is created, Copilot Autofix automatically suggests fixes for all supported alerts, and developers who are most familiar with the code are notified. From there, they can review the fixes, open pull requests, and remediate the security debt.

Security teams can monitor the progress of the campaign and track the number of alerts that have been fixed. Using security campaigns, security and developer teams work together with Copilot Autofix to remove security debt in targeted efforts aimed at maximizing impact by focusing on the alerts that matter.

Organization-level view of a security campaign to remediate SQL injection alerts

Security campaigns are available for users of GitHub Advanced Security on GitHub Enterprise Cloud. For more information about security campaigns, see About security campaigns in the GitHub documentation.

If you have any feedback on security campaigns: join the discussion in the GitHub Community.

See more See more

Copilot Autofix now supports partner code scanning tools

October 29, 2024

Copilot Autofix now supports fix suggestions for problems detected by ESLint, a partner code scanning tool. Autofixes are available both in pull requests and for historical alerts.

Setting up ESLint using a starter workflow

ESLint is the first partner tool supported by Copilot Autofix. Support for additional partner tools, such as JFrog SAST and Black Duck’s Polaris™ platform powered by Coverity®, will be announced by future changelogs when available. To opt out of fix suggestions for third-party tools, you can disable this feature from the code scanning settings page.

Example of a fix suggestion for an existing ESLint alert

In order for Copilot Autofix to pick up ESLint alerts, you need to enable ESLint as a code scanning tool in the target repository. For reference, you can select an updated starter workflow when setting up a new GitHub Actions workflow in your repository. You can use both ESLint scanning and the CodeQL analysis in the same repository.

Disabling fix suggestions for third-party tools

For more information, see: Responsible use of Copilot Autofix for code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

See more See more

Now you can choose a specific branch when using Copilot Autofix for code scanning

October 10, 2024

When using Copilot Autofix for historical alerts, you can now choose the branch to which you want to commit an autofix. You can also decide whether to then open a pull request, check out the branch locally, or open it in GitHub Desktop.

Copilot Autofix provides automatic fix suggestions for code scanning alerts in your codebase.

Example of committing Copilot Autofix to branch

This update integrates Autofix more closely within the developer workflow, so you can quickly iterate on fix suggestions and collaborate on those with your team.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

See more See more

CodeQL 2.19.0: TypeScript 5.6 and Go 1.23 support, new queries for JavaScript and Ruby

September 25, 2024

CodeQL version 2.19.0 has been released and has now been rolled out to code scanning users on GitHub.com. CodeQL is the static analysis engine that powers GitHub code scanning.

Important changes by version include:

CodeQL 2.18.2
- Support for scanning Java codebases without needing a build is generally available.
- The Python py/cookie-injection query, which finds instances of cookies being constructed from user input, is now part of the main query pack.
- One new query for Ruby rb/weak-sensitive-data-hashing, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
CodeQL 2.18.3
- New C# models for local sources from System.IO.Path.GetTempPath and System.Environment.GetFolderPath.
CodeQL 2.18.4
- Support for scanning C# codebases without needing a build is generally available.
- Support for Go 1.23.
CodeQL 2.19.0
- Support for TypeScript 5.6.
- One new query for JavaScript js/actions/actions-artifact-leak to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.
- A 13.7% evaluator speed improvement over CodeQL 2.17.0 release.

For a full list of changes, please refer to the complete changelog for versions 2.18.2, 2.18.3, 2.18.4 and 2.19.0.

All new functionality from 2.18.Z releases will be included in GHES 3.15, while functionality from 2.19.0 will be included in GHES 3.16. If you use GHES 3.14 or older, you can upgrade your CodeQL version.

See more See more

Enhanced security overview dashboard – detection, remediation, and prevention at the forefront

September 19, 2024

Now, you can view Prevention metrics alongside Detection and Remediation metrics and in an enhanced security overview dashboard. This update is available at both the organization and enterprise levels.

New prevention tab on the security overview dashboard

New to the dashboard, the Prevention insights tab highlights CodeQL pull requests alerts and will soon include secret scanning push protection insights. It’s designed to help you shift from merely responding to vulnerabilities to actively preventing them, the ultimate goal in application security. With this dashboard, you and your team can proactively keep vulnerabilities at bay, successfully blocking threats before they ever reach production.

Deep dive into the CodeQL pull request alerts

For a deeper analysis, the new CodeQL pull request alerts report is also available at both the organization and enterprise levels. This report allows you to:

Track historical metrics for CodeQL pull request alerts
Monitor code as it progresses from feature branches to the default branch
Analyze metrics by CodeQL rule, autofix status, and repository

The enhanced dashboard is now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.16.

Learn more about pull request alerts and join the discussion within the GitHub Community

See more See more

Now available for free on all public repositories: Copilot Autofix for CodeQL code scanning alerts

September 18, 2024

Now you can remediate existing security issues in your public repositories faster with Copilot Autofix for CodeQL alerts. Following our general availability release for all Advanced Security customers, Copilot Autofix for CodeQL alerts is now generally available (GA) for all public repositories, for free.

Powered by GitHub Copilot, this feature provides automatic fixes for vulnerabilities found by CodeQL, both on pull requests and for historical alerts that already exist in a codebase.

Importantly, you stay in full control of your codebase: Copilot Autofix will try and suggest fixes for CodeQL alerts in pull requests, but it’s ultimately up to you to decide whether you wish to accept Copilot’s suggestion wholly, partially, or not at all. The same applies to historical alerts in a codebase: you can request an autofix from Copilot, then review it, and decide whether you want to open a PR with the fix suggestion or commit straight to the affected branch (or neither).

Example of Copilot Autofix generation on the alert page

Copilot Autofix is available for all public repositories that use code scanning CodeQL, and is enabled by default for alerts on PRs. It does not generate additional notifications. If you would like to enable Copilot Autofix on your organization’s private repositories, please have a look at this blog post where we announce Autofix for GitHub Advanced Security.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

See more See more

CSV exports for the CodeQL pull request alerts report

September 16, 2024

New Export CSV button highlighted on the CodeQL pull request alerts report

You can now export data from the CodeQL pull request alerts report in CSV format, enabling you to analyze prevention and autofix metrics offline or archive the data for future use. This functionality is available at both the organization and enterprise levels. Exports will respect all filters applied, allowing you to focus on the specific data most relevant to your needs. You can download all data where you have an appropriate level of access.

Learn more about tracking metrics on CodeQL pull request alerts and join the discussion within the GitHub Community.

See more See more

CodeQL code scanning can analyze Java and C# codebases without needing a build (GA)

August 28, 2024

CodeQL code scanning can now analyze Java and C# code without having to observe a build. This makes it easier to roll out the security analysis on large numbers of repositories, especially when enabling and managing repositories with GHAS security configurations.

CodeQL is the analysis engine that powers GitHub code scanning. When analyzing source code, it is important that the analysis engine has detailed knowledge of all aspects of the codebase. Now, the analysis engine no longer depends on observing the build process for Java and C# code, resulting in higher setup success and adoption rates for CodeQL code scanning (Java and C#).

During the testing of this feature, we validated that the analysis results were as accurate as the previous methodology. This feature was previously in public beta earlier this year (Java, C#), when it became the new default analysis mode for new users of CodeQL code scanning for these languages. Some customers experienced time significant savings as some tasks that previously took weeks now are achievable in minutes.

CodeQL’s new zero-configuration analysis mechanisms for both Java and C# are available on GitHub.com. If you are setting up CodeQL code scanning for these repositories, you will benefit from this analysis mechanism by default. If you set up CodeQL code scanning for Java or C# before their respective public beta releases of this feature, your analysis will remain unchanged (but can be migrated by disabling the current configuration and re-enabling code scanning using default setup). This new functionality will also be released to our GitHub Enterprise Server (GHES) customers starting with version 3.14 for Java and 3.15 for C#.

Repositories that use code scanning advanced setup will continue to use whichever analysis mechanism is specified in the Actions workflow file. The template for new analysis configurations now uses the new analysis mechanism by specifying `build-mode: none`. The old analysis mechanisms remain available. Users of the CodeQL CLI can find more documentation here.

Learn more about GitHub code scanning. If you have any feedback about these new analysis mechanisms for Java and C#, please join the discussion here.

See more See more

Prevention and autofix insights for CodeQL pull request alerts

August 19, 2024

You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.

Enterprise-level CodeQL pull request alerts report

With this report, you can historically track metrics for CodeQL pull request alerts as code moves from feature branches to the default branch. Gain insights into:

Unresolved and merged alerts: Understand what security vulnerabilities made it to the default branch.
Fixes (autofix and manual): Track which alerts were addressed before merging.
Dismissed alerts: See which alerts were deemed false positive or risk accepted.

Additionally, analyze metrics by CodeQL rule, autofix status, and repository.

Historical data is available starting from May 1, 2024.

To access these reports, click your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you want to view. For organizations, go to the Security tab and find CodeQL pull request alerts in the sidebar. For enterprises, click Code Security in the sidebar, then select CodeQL pull request alerts.

These reports are now generally available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.

Learn more about security overview and join the discussion within the GitHub Community.

See more See more

View more changes