🟡 🛡️ Security Published: · 2 min read ·

GitHub: AI security detections on pull requests and /security-review in the Copilot app

Editorial illustration: GitHub pull request interface with highlighted AI security warnings and a Copilot chat window with the /security-review command

GitHub has introduced AI-generated security detections directly on pull requests in Code Scanning, along with a new /security-review command in the Copilot app that analyzes code for injection, XSS, path traversal, and weak cryptography.

🤖

This article was generated using artificial intelligence from primary sources.

What is SAST and why is GitHub integrating AI into that process?

Static Application Security Testing (SAST) is a method that automatically reviews source code for security vulnerabilities — before the application is run and before code is merged. GitHub’s Code Scanning already uses CodeQL as its primary SAST tool, but CodeQL natively supports a limited set of programming languages. The new AI layer fills that gap and brings security analysis to languages that CodeQL did not previously cover.

AI detections directly on pull requests

GitHub Code Scanning now displays AI-generated security detections directly within the pull request interface. Each detection is clearly marked with an AI label so that developers can distinguish traditional CodeQL findings from those generated by AI analysis. The key advantage is coverage: AI detections cover languages that CodeQL does not natively support, extending security checks to a wider set of codebases. Developers receive warnings at the moment when intervention is cheapest — before a merge, not only after deployment.

New /security-review command in the Copilot app

Alongside the Code Scanning change, GitHub is introducing the /security-review command in the GitHub Copilot chat interface. A user can select code or an entire file and run a security analysis directly from the chat. The system recognizes four vulnerability categories: injection attacks (SQL, command injection), cross-site scripting (XSS), path traversal, and weak cryptography. Unlike Code Scanning, which runs automatically in the CI/CD pipeline, /security-review is an interactive tool that developers invoke on demand — for example, when reviewing someone else’s code or refactoring sensitive sections.

Integration and market context

Both features were released on the same day as a coordinated GitHub push into AI-assisted security. For comparison, competitors such as Snyk and Semgrep have offered an AI layer on top of static analysis for longer, but integration directly into the GitHub interface — without additional tools or licenses — means security analysis becomes available to all GitHub Copilot users, regardless of project type or language.

Frequently Asked Questions

What is static code analysis (SAST/code scanning)?
Static Application Security Testing (SAST) is a method that automatically reviews source code for security vulnerabilities before the code is merged into the main branch, without running the application.
What types of vulnerabilities does /security-review in the Copilot app detect?
The /security-review command analyzes code for injection attacks, cross-site scripting (XSS), path traversal vulnerabilities, and weak cryptography.

📬 AI news in your inbox

A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.