GitHub: AI security detections on pull requests and /security-review in the Copilot app
GitHub has introduced AI-generated security detections directly on pull requests in Code Scanning, along with a new /security-review command in the Copilot app that analyzes code for injection, XSS, path traversal, and weak cryptography.
This article was generated using artificial intelligence from primary sources.
What is SAST and why is GitHub integrating AI into that process?
Static Application Security Testing (SAST) is a method that automatically reviews source code for security vulnerabilities — before the application is run and before code is merged. GitHub’s Code Scanning already uses CodeQL as its primary SAST tool, but CodeQL natively supports a limited set of programming languages. The new AI layer fills that gap and brings security analysis to languages that CodeQL did not previously cover.
AI detections directly on pull requests
GitHub Code Scanning now displays AI-generated security detections directly within the pull request interface. Each detection is clearly marked with an AI label so that developers can distinguish traditional CodeQL findings from those generated by AI analysis. The key advantage is coverage: AI detections cover languages that CodeQL does not natively support, extending security checks to a wider set of codebases. Developers receive warnings at the moment when intervention is cheapest — before a merge, not only after deployment.
New /security-review command in the Copilot app
Alongside the Code Scanning change, GitHub is introducing the /security-review command in the GitHub Copilot chat interface. A user can select code or an entire file and run a security analysis directly from the chat. The system recognizes four vulnerability categories: injection attacks (SQL, command injection), cross-site scripting (XSS), path traversal, and weak cryptography. Unlike Code Scanning, which runs automatically in the CI/CD pipeline, /security-review is an interactive tool that developers invoke on demand — for example, when reviewing someone else’s code or refactoring sensitive sections.
Integration and market context
Both features were released on the same day as a coordinated GitHub push into AI-assisted security. For comparison, competitors such as Snyk and Semgrep have offered an AI layer on top of static analysis for longer, but integration directly into the GitHub interface — without additional tools or licenses — means security analysis becomes available to all GitHub Copilot users, regardless of project type or language.
Frequently Asked Questions
- What is static code analysis (SAST/code scanning)?
- Static Application Security Testing (SAST) is a method that automatically reviews source code for security vulnerabilities before the code is merged into the main branch, without running the application.
- What types of vulnerabilities does /security-review in the Copilot app detect?
- The /security-review command analyzes code for injection attacks, cross-site scripting (XSS), path traversal vulnerabilities, and weak cryptography.
Sources
📬 AI news in your inbox
A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.
Related news
arXiv:2607.09532: Statistically Undetectable Backdoors in Deep Neural Networks (ICML 2026)
Microsoft: Formal Verification of Rust Cryptography in SymCrypt with AI Agents and Lean
arXiv:2607.08395: Token-Flow Firewall — runtime monitoring that protects long-running AI agents and reduces attack success rate to 12.5%