Run your free Code Security Risk Assessment, or to learn more, read the docs.
How exposed is your code? Find out in minutes—for free
The new Code Security Risk Assessment gives you a one-click view of vulnerabilities across your organization, at no cost.
|
4 minutes
Most security leaders share the same suspicion: there are vulnerabilities in our codebase that we don’t know about.
The uncomfortable truth is that most code never gets a thorough security review. Vulnerabilities accumulate quietly in active repositories, across languages and teams, often undetected until something goes wrong. And if you’re relying on manual reviews or narrowly scoped tools, the gaps may be wider than you think.
Today, we’re introducing the Code Security Risk Assessment: a free, one-click scan that reveals vulnerabilities hiding in your organization’s code. No license required. No configuration. No commitment. Just clarity.
The Code Security Risk Assessment is available to GitHub organization admins and security managers. If that’s not you, this post is still worth reading and sharing: it explains what the assessment reveals and why it’s worth running.
What you’ll learn
The Code Security Risk Assessment scans up to 20 of your most active repositories using CodeQL, GitHub’s industry-leading static analysis engine, and delivers a dashboard summarizing what it finds:
- Total vulnerabilities found across your scanned repositories, broken down by severity: critical, high, medium, and low
- Vulnerabilities by language, so you can see which parts of your codebase carry the most risk
- Rules detected, showing the specific classes of security issues found, how many repositories they affect, and their severity
- Most vulnerable repositories, helping you identify where to focus remediation first
- Copilot Autofix eligibility — how many of your vulnerabilities could be automatically fixed with Copilot Autofix, GitHub’s AI-powered remediation tool
The assessment is available to organization admins and security managers on GitHub Enterprise Cloud and GitHub Team plans. It’s completely free — you won’t be charged for any licenses, and the GitHub Actions minutes used for scanning don’t count against your quota.
See how it works. 👇
Completing the security picture
If you’ve already run a Secret Risk Assessment, you know the value of visibility. Since launching last year, the Secret Risk Assessment has helped thousands of organizations understand their exposure to leaked credentials. In 2025 alone, customers using Secret Protection scanned nearly 2 billion pushes and blocked 19 million secret exposures.
The Code Security Risk Assessment brings that same philosophy to vulnerabilities in your source code. Both assessments now run together from a single entry point, with a tabbed interface that lets you switch between your secret exposure and your code vulnerability findings. Together, they give you a unified view of your organization’s security posture—secrets and code—in minutes.
Even if you’re not responsible for running security scans yourself, the results of these assessments can help your team align on where risk exists and what to fix first.
And when you’re ready to act on what you find, each assessment has a corresponding GitHub product designed to help. Secret Protection stops credentials from leaking. Code Security finds and fixes vulnerabilities. The assessments show you why you need them.
From found to fixed
Knowing where your vulnerabilities are is the first step. Fixing them is what actually reduces risk.
That’s where GitHub Code Security and Copilot Autofix change the equation. Across GitHub in 2025:
- 460,258 security alerts were fixed using Copilot Autofix
- 50% of vulnerability alerts were resolved directly in pull requests — where developers are already working
- Mean time to remediation was nearly twice as fast with Copilot Autofix (0.66 hours) compared to manual fixes (1.29 hours)
Your Code Security Risk Assessment results will show you how many of your detected vulnerabilities are eligible for Copilot Autofix — giving you a concrete picture of how quickly you could start reducing risk. When you’re ready, you can enable Code Security directly from the results page with a single click.
Find what you’ve been missing
Whether you have no security scanning in place, you’re evaluating your current tools, or you want a broader view of risk across your organization — the Code Security Risk Assessment meets you where you are.
It’s free. It takes minutes. And what you learn might change how you think about your security posture.
Tags:
Related posts
Hack the AI agent: Build agentic AI security skills with the GitHub Secure Code Game
Learn to find and exploit real-world agentic AI vulnerabilities through five progressive challenges in this free, open source game that over 10,000 developers have already used to sharpen their security skills.
Securing the open source supply chain across GitHub
Recent attacks on open source focus on exfiltrating secrets; here are the prevention steps you can take today, plus a look at the security capabilities GitHub is working on.
A year of open source vulnerability trends: CVEs, advisories, and malware
Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response.