Pilot AI detections on a few repositories, measure confirmed findings and review time, and never treat an informational AI label as proof that code is safe.
GitHub code scanning can now surface AI-powered security detections directly on pull requests. The public preview aims to cover languages and frameworks outside CodeQL’s built-in analysis, placing findings in the review workflow before code is merged.
Broader coverage is attractive, but the preview has constraints that affect both expectations and cost. It is an additional detection source—not a replacement for deterministic analysis, tests, or expert review.
How the preview works
The AI engine runs when a pull request is opened or updated and returns findings as they become available. GitHub labels AI-generated alerts so reviewers can distinguish them from CodeQL results. The findings are informational and do not block a merge.
An enterprise owner must allow the capability, the organization must enable it, and the repository needs GitHub Code Security with CodeQL default setup. GitHub notes that CodeQL is not performing the AI analysis, but its setup is a dependency.
Availability and billing change the pilot design
The preview is for GitHub.com customers with GitHub Code Security, requires a GitHub Copilot license, and consumes organizational AI credits when detections run. That makes a controlled pilot more useful than enabling every repository immediately.
Choose repositories with meaningful uncovered languages, enough pull-request volume to generate evidence, and engineers who can classify results. Track true positives, duplicates, false positives, review minutes, and AI credits per confirmed issue.
The review rule to keep
An AI finding is a lead. Review the data flow, reproduce the condition, check exploitability in the deployed environment, and record the resolution. Likewise, a pull request with no AI alert has not received a security guarantee; it has only produced no finding from the enabled analyzers.
PatchMemo independently selects and evaluates the topics it covers. We clearly label sponsorships and affiliate relationships.


