In Practice · Wednesday, April 15, 2026 · 2 min read

GitHub: Free Code Security Assessment Uncovers Vulnerabilities in Minutes

Why it matters

GitHub has launched a free Code Security Risk Assessment built on the CodeQL engine. It scans up to 20 of the most active repositories in an organization and reports vulnerabilities by severity, language, and rule. Separately, GitHub says Copilot Autofix resolved 460,258 alerts in 2025.

The assessment runs CodeQL static analysis against up to 20 of an organization's most active repositories, selected automatically, and produces a single report of what it found.

What does the tool offer?

The Code Security Risk Assessment provides a vulnerability overview organized by:

  • Severity — critical, high, medium, and low
  • Programming language — identifies which languages in the organization have the most issues
  • Security rule — shows which types of vulnerabilities are most common
  • Repository — reveals which projects carry the greatest risk

The tool is available to organization administrators on Enterprise Cloud and Team plans, requires no configuration, and uses free GitHub Actions minutes.
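The report's four breakdowns (severity, language, rule, repository) can also be reproduced for an entire organization, not just its 20 most active repositories, from the code scanning alerts GitHub already exposes through its REST API. The script below is an added example, not GitHub's code and not part of the original article. It assumes alerts in the shape returned by `GET /orgs/{org}/code-scanning/alerts` and infers the language from the CodeQL rule-id prefix (`js/`, `py/`, `java/` and so on); the prefix table and the sample alerts are constructed for the example, and the live fetch only runs when `GITHUB_TOKEN` and `GITHUB_ORG` are set.

```python
"""Aggregate GitHub code scanning alerts by severity, language, rule and repository.

Added example, not GitHub's code. Assumptions: alert objects follow the shape
of GET /orgs/{org}/code-scanning/alerts, and a CodeQL rule id such as
"js/sql-injection" encodes the language in its prefix.
"""
import json
import os
import urllib.request
from collections import Counter

# Assumed mapping from CodeQL rule-id prefix to language label.
LANG_PREFIX = {
    "js": "JavaScript/TypeScript", "py": "Python", "java": "Java/Kotlin",
    "cpp": "C/C++", "cs": "C#", "go": "Go", "rb": "Ruby", "swift": "Swift",
    "actions": "GitHub Actions",
}
SEVERITY_ORDER = ("critical", "high", "medium", "low", "unknown")

# Constructed sample alerts in the API's shape; not real findings.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "repository": {"full_name": "acme/web"},
     "rule": {"id": "js/sql-injection", "security_severity_level": "high"}},
    {"number": 2, "state": "open", "repository": {"full_name": "acme/web"},
     "rule": {"id": "js/xss", "security_severity_level": "medium"}},
    {"number": 3, "state": "open", "repository": {"full_name": "acme/api"},
     "rule": {"id": "py/command-line-injection", "security_severity_level": "high"}},
    {"number": 4, "state": "dismissed", "repository": {"full_name": "acme/api"},
     "rule": {"id": "py/clear-text-logging-sensitive-data", "security_severity_level": "high"}},
    {"number": 5, "state": "open", "repository": {"full_name": "acme/billing"},
     "rule": {"id": "java/unsafe-deserialization", "security_severity_level": "critical"}},
]


def language_of(rule_id):
    """Map a CodeQL rule id to a language label via its prefix (assumption)."""
    prefix = rule_id.split("/", 1)[0]
    return LANG_PREFIX.get(prefix, prefix)


def summarize(alerts):
    """Count open alerts by severity, language, rule and repository.

    Dismissed and fixed alerts are skipped so the report reflects current risk.
    """
    sev, lang, rule, repo = Counter(), Counter(), Counter(), Counter()
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        r = alert["rule"]
        severity = (r.get("security_severity_level") or r.get("severity") or "unknown").lower()
        sev[severity] += 1
        lang[language_of(r["id"])] += 1
        rule[r["id"]] += 1
        repo[alert["repository"]["full_name"]] += 1
    return {"severity": dict(sev), "language": dict(lang),
            "rule": dict(rule), "repository": dict(repo)}


def ranked(counts):
    """Return (name, count) pairs, most frequent first, ties broken by name."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def fetch_org_alerts(org, token, per_page=100):
    """Page through GET /orgs/{org}/code-scanning/alerts (token needs security_events scope)."""
    alerts, page = [], 1
    while True:
        url = (f"https://api.github.com/orgs/{org}/code-scanning/alerts"
               f"?state=open&per_page={per_page}&page={page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return alerts
        alerts.extend(batch)
        page += 1


def print_report(summary):
    """Render the four breakdowns, severity in fixed order, the rest ranked."""
    print("By severity:")
    for s in SEVERITY_ORDER:
        if s in summary["severity"]:
            print(f"  {s:<9} {summary['severity'][s]}")
    for section in ("language", "rule", "repository"):
        print(f"By {section}:")
        for name, count in ranked(summary[section]):
            print(f"  {name:<40} {count}")


if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    data = fetch_org_alerts(org, token) if token and org else SAMPLE_ALERTS
    print_report(summarize(data))
```

Run without environment variables to see the breakdown of the constructed sample; with `GITHUB_TOKEN` and `GITHUB_ORG` set it pulls every open alert in the organization, which is useful for the repositories the free assessment does not cover.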

Impressive numbers for AI-assisted fixing

GitHub also released statistics on Copilot Autofix, its tool for automatically proposing vulnerability fixes:

  • 460,258 security alerts fixed using Copilot Autofix in 2025
  • Average time to fix: 0.66 hours, versus 1.29 hours for alerts fixed manually

The Code Security Risk Assessment complements the existing Secret Risk Assessment, which covers leaked credentials rather than code-level vulnerabilities.

Why does this matter for developers?

Security debt accumulates faster than teams can pay it down by hand. A free assessment lets an organization see which repositories and rule categories carry its most severe findings and prioritize those fixes before the vulnerabilities reach production. The cap of 20 most active repositories is worth keeping in mind: a quieter repository that is still deployed falls outside the assessment, so the report is a starting point for enabling code scanning more broadly rather than a complete inventory.


This article was generated using artificial intelligence from primary sources.