In one sentence
Code Scanning is a GitHub feature that performs static analysis (SAST) on your repository's source code to find vulnerabilities.
The analysis engine is GitHub's own CodeQL (semantic analysis); for each finding, Copilot Autofix generates an AI-powered fix suggestion as code ready to commit. Default setup starts with a single click, no config file needed.
Default setup vs Advanced setup
There are two ways to enable CodeQL. Default setup is enough to start.
| Aspect | Default setup | Advanced setup |
|---|---|---|
| Configuration | One click in the UI, no config file | Write .github/workflows/codeql.yml |
| Language detection | GitHub detects automatically | Explicitly specified in YAML |
| Queries | default set (GitHub recommended) | default / security-extended / security-and-quality / custom |
| Triggers | push / PR / weekly schedule (automatic) | You configure them |
| Build | No build configuration needed (autobuild, or build-free analysis where supported) | You specify your own build steps (build-mode / custom build commands) |
| Scope | Can be rolled out to all repos with a click | For cases requiring fine-grained tuning |
Unless you have a monorepo, special build requirements, or need custom queries, Default setup is best practice. You can switch to Advanced later.
Details: Configuring default setup
Vulnerabilities CodeQL detects
CodeQL first converts the code into a queryable database and then analyzes it, so it reasons about the program's semantics (types, calls, data flow) rather than just matching text patterns the way grep-based SAST does.
- Injection: SQL injection, command injection, path traversal, XSS, SSRF
- Secrets and cryptography: hardcoded credentials, weak cryptographic algorithms, insecure randomness
- Memory safety (C/C++): buffer overflow, use after free, null dereference
- Data flow tracking: follows whether user-controlled input (the taint source) reaches a dangerous function (the sink), and whether a sanitizer sits in between
- Supported languages: C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift
CodeQL queries are open source at github/codeql. You can write your own custom queries and run them alongside the standard suites.
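To make the source/sink/sanitizer idea concrete, here is an added illustration that is not CodeQL and not code from this page: a deliberately small, single-function taint tracker over Python's `ast` module. The `SOURCES`, `SINKS` and `SANITIZERS` tables and the `SAMPLE` program it analyzes are constructed for this example; CodeQL's real libraries model thousands of such sources and sinks and track flow across functions, files and containers, which this toy does not.

```python
"""Toy intra-procedural taint tracker over Python ASTs.
Added illustration of CodeQL's source -> sink data-flow idea; NOT CodeQL,
and the model tables below are constructed for the example."""
import ast

# Constructed models (CodeQL ships far richer ones as library "concepts").
SOURCES = {"request.args.get", "request.form.get", "input"}   # user-controlled data
SINKS = {"os.system", "subprocess.call", "cursor.execute"}    # dangerous consumers
SANITIZERS = {"shlex.quote", "int"}                           # calls that neutralise taint


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as request.args.get, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Flow-insensitive taint propagation through assignments within one function."""

    def __init__(self):
        self.tainted = {}    # variable name -> (source callee, line where it was tainted)
        self.findings = []   # (sink callee, sink line, source callee, source line)

    def taint_of(self, node):
        """Return the (source, line) that taints this expression, or None if it is clean."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            callee = dotted_name(node.func)
            if callee in SANITIZERS:          # a sanitizer call breaks the flow
                return None
            if callee in SOURCES:             # the call itself introduces taint
                return (callee, node.lineno)
            for arg in node.args:             # unknown call: taint passes through its arguments
                t = self.taint_of(arg)
                if t:
                    return t
            return None
        if isinstance(node, ast.JoinedStr):   # f"...{x}..."
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    t = self.taint_of(part.value)
                    if t:
                        return t
            return None
        if isinstance(node, ast.BinOp):       # "cmd " + x, "cmd %s" % x
            return self.taint_of(node.left) or self.taint_of(node.right)
        return None

    def visit_Assign(self, node):
        t = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t
                else:
                    self.tainted.pop(target.id, None)   # overwritten with a clean value
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in SINKS:
            for arg in node.args:
                t = self.taint_of(arg)
                if t:
                    self.findings.append((callee, node.lineno, t[0], t[1]))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Return [(sink, sink_line, source, source_line), ...] for every tainted sink argument."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed sample program: one real flow, two flows cut by sanitizers.
SAMPLE = """\
import os, shlex
from flask import request

def ping():
    host = request.args.get("host")        # line 5: source
    os.system("ping -c 1 " + host)         # line 6: reaches the sink unsanitized
    safe = shlex.quote(host)               # line 7: sanitizer
    os.system(f"ping -c 1 {safe}")         # line 8: clean
    count = int(request.args.get("n"))     # line 9: int() strips taint
    os.system("ping -c %d" % count)        # line 10: clean
"""

if __name__ == "__main__":
    for sink, sink_line, source, source_line in find_taint_flows(SAMPLE):
        print(f"{sink} on line {sink_line} receives data from {source} on line {source_line}")
```

Run it and it reports only the `os.system` call on line 6, fed by `request.args.get` on line 5; the `shlex.quote`d and `int()`-converted paths stay silent. That isSource / isSink / isSanitizer structure is exactly what a CodeQL taint-tracking query expresses in QL, with the difference that CodeQL's flow is inter-procedural and path-sensitive enough to show you every step between source and sink in the alert.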
Copilot Autofix: AI fixes it for you
The killer feature of Code Scanning. When CodeQL raises an alert, AI generates a fix that you can commit directly to the PR.
- How it works: the alert is passed to an LLM (GPT-4 family), which generates a diff from the relevant code, the surrounding context, and CodeQL's description of the issue
- Shown in the PR: "Generate fix" button → review the proposed patch → commit it as-is or edit it first
- Reduces MTTR: GitHub's internal data shows fixes landing 3 to 4× faster
- Coverage: JavaScript/TypeScript, Python, Java/Kotlin, C#, and the other CodeQL-supported languages
- Free for OSS: Copilot Autofix on public repos has been completely free since 2024 (no Copilot subscription required)
Not just "find vulnerabilities": "let AI fix them too" is the new standard, and review burden drops substantially. The suggestion is still LLM output, though: review it like any other change, confirm it fixes the root cause rather than just the flagged line, and make sure the tests still pass before committing.
Details: About Copilot Autofix
Getting started (fastest path)
Step 1 โ Enable Default setup (this alone is enough)
Repo → Settings → Code security → Code scanning → Set up CodeQL → Default
GitHub auto-detects your languages and runs a CodeQL workflow behind the scenes (no workflow file is committed to the repo). It runs automatically on push and PR; results appear in the Security tab and as inline comments on the PR's Files Changed tab.
Step 2: Enable Copilot Autofix
Enable Copilot Autofix inside the Code scanning settings. A "Generate fix" button will appear on alert pages.
Step 3: Migrate to Advanced setup (if needed)
```yaml
# .github/workflows/codeql.yml
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 5 * * 1'     # weekly, Monday 05:30 UTC

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload results to code scanning
      contents: read
      actions: read           # only required on private repos
    strategy:
      fail-fast: false        # let the other language finish if one fails
      matrix:
        language: [javascript-typescript, python]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # default | security-extended | security-and-quality
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"   # keeps per-language results separate
```
Step 4: Integrate third-party SAST tools (SARIF)
Tools like Semgrep, ESLint security, and Snyk can upload results in SARIF format to appear alongside CodeQL in the Security tab. The job needs the `security-events: write` permission, and a `category` keeps each tool's alerts separate from CodeQL's.
```yaml
# after a Semgrep / ESLint / Snyk step that wrote results.sarif
- uses: github/codeql-action/upload-sarif@v3
  if: always()                 # upload even if the scanner exited non-zero on findings
  with:
    sarif_file: results.sarif
    category: semgrep          # one category per tool
```
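As an added example (not from this page, GitHub, or any of the tools named above), the following Python script turns a hypothetical scanner's line-oriented output into a minimal SARIF 2.1.0 log that `upload-sarif` accepts. The `RAW_REPORT` lines, the scanner name and the severity mapping are constructed for the example; what matters is the structure: `runs[].tool.driver.rules[]` declares each rule once, `runs[].results[]` carries one entry per finding with a `ruleId`, `level`, `message` and a `physicalLocation`, and the `security-severity` rule property (0.0 to 10.0) is what GitHub uses to sort the alert into its critical/high/medium/low buckets.

```python
"""Convert a simple line-oriented scanner report into SARIF 2.1.0 for code scanning.
Added example; the scanner, its output format and RAW_REPORT are constructed."""
import json

# Constructed scanner output: path:line:column:rule_id:severity:message
RAW_REPORT = """\
src/app.py:42:9:hardcoded-password:high:Hardcoded password assigned to 'db_pass'
src/app.py:88:5:shell-injection:critical:User input reaches subprocess.call with shell=True
lib/util.js:17:3:weak-hash:medium:MD5 used for password hashing
"""

# Our severity -> (SARIF level, GitHub 'security-severity' score). GitHub buckets
# the score as critical >= 9.0, high 7.0-8.9, medium 4.0-6.9, low 0.1-3.9.
SEVERITY = {
    "critical": ("error", "9.5"),
    "high": ("error", "8.0"),
    "medium": ("warning", "5.0"),
    "low": ("note", "2.0"),
}


def parse_report(text):
    """Parse the constructed report format into a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps any ':' inside the free-text message intact
        path, line_no, col, rule_id, severity, message = line.split(":", 5)
        findings.append({
            "path": path, "line": int(line_no), "column": int(col),
            "rule_id": rule_id, "severity": severity.lower(), "message": message,
        })
    return findings


def to_sarif(findings, tool_name="example-scanner", tool_version="0.1.0"):
    """Build a SARIF log: one rule entry per distinct rule, one result per finding."""
    rules = {}
    results = []
    for f in findings:
        level, score = SEVERITY.get(f["severity"], ("warning", "5.0"))
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["rule_id"].replace("-", " ")},
            "defaultConfiguration": {"level": level},
            "properties": {"security-severity": score},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # %SRCROOT% = repository root of the checkout that uploads the file
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"], "startColumn": f["column"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def write_sarif(findings, path="results.sarif"):
    """Write the SARIF log to disk for github/codeql-action/upload-sarif."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)
    return path


if __name__ == "__main__":
    print(json.dumps(to_sarif(parse_report(RAW_REPORT)), indent=2))
```

Write the output to `results.sarif` and upload it with the step above. The log deliberately omits `partialFingerprints`: when they are absent, `upload-sarif` computes `primaryLocationLineHash` from the source line itself, so an alert survives when code above it shifts, which a fingerprint built from the line number would not.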
Step 5 โ Enable org-wide / enterprise-wide
Use Org → Settings → Code security → default settings to apply to new and existing repos at once. Security campaigns let you manage goals like "fix all critical alerts across all repos within 30 days" (Code Security).
Eligibility and pricing
| Feature | Public repo | Private repo (no GHAS / Code Security) | Private repo (with GHAS / Code Security) |
|---|---|---|---|
| CodeQL (default + advanced) | ✅ Free | ❌ | ✅ |
| Third-party SARIF upload | ✅ Free | ❌ | ✅ |
| Copilot Autofix | ✅ Free (since 2024) | ❌ | ✅ |
| Security overview / campaigns | ✅ Free | ❌ | ✅ |
| PR inline comments | ✅ Free | ❌ | ✅ |
| Custom CodeQL queries | ✅ Free | ❌ | ✅ |
In 2025, GHAS was split: if you only need code scanning, GitHub Code Security ($30/month per active committer) is enough (no full GHAS contract required). Combine it with Secret Protection if you also want secret scanning.
Public repos get CodeQL and Autofix completely free. If you're OSS, there's no reason not to enable this right now.
Code scanning runs as a GitHub Actions workflow. Actions is free for public repos; for private repos the CodeQL jobs consume runner minutes under your Actions plan like any other workflow (the Code Security license covers the feature, not the compute), so budget for it on large or compiled codebases.
Details:
- Introducing GitHub Secret Protection & Code Security (2025 Mar)
- SARIF support for code scanning
- Org default security settings
Code Security Risk Assessment (free inventory scan)
Code Security Risk Assessment scans up to the 20 most active repositories in your org with a single click using CodeQL, making visible what code vulnerabilities are hiding and where (GA April 2026).
No GHAS / Code Security license required; completely free. Available to all Team and Enterprise Cloud orgs, and the Actions minutes it uses don't count against your Actions quota.
- Scope: selects up to 20 repos with the most recent active commits in the org (you can re-select each time)
- Output: aggregated report of vulnerabilities by severity, language, and rule type, including how many are fixable by Copilot Autofix
- Frequency: can be re-run once every 90 days (a point-in-time inventory, not continuous monitoring)
- Permissions: only organization owners and security managers can run it
- How to run: Org → Security → Assessments → Run code security risk assessment
- No license required, no Actions minutes charged: perfect for evaluating Code Security before purchase
Pair this with Secret Risk Assessment (see Secret Scanning) to get a complete picture of your organization's security posture in a single day. Use the results to decide whether to adopt Code Security.
Details: