惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
博客园_首页
H
Help Net Security
WordPress大学
WordPress大学
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
罗磊的独立博客
博客园 - 三生石上(FineUI控件)
B
Blog
I
InfoQ
SecWiki News
SecWiki News
T
Tailwind CSS Blog
Spread Privacy
Spread Privacy
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
P
Palo Alto Networks Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Vercel News
Vercel News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
K
Kaspersky official blog
M
MIT News - Artificial intelligence
S
Schneier on Security
T
Threat Research - Cisco Blogs
F
Fortinet All Blogs
Cyberwarzone
Cyberwarzone
Scott Helme
Scott Helme
aimingoo的专栏
aimingoo的专栏
Martin Fowler
Martin Fowler
MyScale Blog
MyScale Blog
The Cloudflare Blog
Recent Announcements
Recent Announcements
Security Latest
Security Latest
G
GRAHAM CLULEY
IT之家
IT之家
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
腾讯CDC
Google DeepMind News
Google DeepMind News
V
V2EX
S
Securelist
TaoSecurity Blog
TaoSecurity Blog
B
Blog RSS Feed
S
SegmentFault 最新的问题
博客园 - 叶小钗
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
Project Zero
Project Zero
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure

The latest on web application security - The GitHub Blog

Top security researcher shares their bug bounty process How a top bug bounty researcher got their start in security Safeguarding VS Code against prompt injections Inside GitHub: How we hardened our SAML implementation Cutting through the noise: How to prioritize Dependabot alerts Encoding and escaping untrusted data to prevent injection attacks Code scanning and Ruby: turning source code into a queryable database
How exposed is your code? Find out in minutes—for free
Dorothy Pearce · 2026-04-14 · via The latest on web application security - The GitHub Blog

Most security leaders share the same suspicion: there are vulnerabilities in our codebase that we don’t know about.

The uncomfortable truth is that most code never gets a thorough security review. Vulnerabilities accumulate quietly in active repositories, across languages and teams, often undetected until something goes wrong. And if you’re relying on manual reviews or narrowly scoped tools, the gaps may be wider than you think.

Today, we’re introducing the Code Security Risk Assessment: a free, one-click scan that reveals vulnerabilities hiding in your organization’s code. No license required. No configuration. No commitment. Just clarity.

The Code Security Risk Assessment is available to GitHub organization admins and security managers. If that’s not you, this post is still worth reading and sharing: it explains what the assessment reveals and why it’s worth running.

Run your free assessment >

What you’ll learn

The Code Security Risk Assessment scans up to 20 of your most active repositories using CodeQL, GitHub’s industry-leading static analysis engine, and delivers a dashboard summarizing what it finds:

  • Total vulnerabilities found across your scanned repositories, broken down by severity: critical, high, medium, and low
  • Vulnerabilities by language, so you can see which parts of your codebase carry the most risk
  • Rules detected, showing the specific classes of security issues found, how many repositories they affect, and their severity
  • Most vulnerable repositories, helping you identify where to focus remediation first
  • Copilot Autofix eligibility — how many of your vulnerabilities could be automatically fixed with Copilot Autofix, GitHub’s AI-powered remediation tool

The assessment is available to organization admins and security managers on GitHub Enterprise Cloud and GitHub Team plans. It’s completely free — you won’t be charged for any licenses, and the GitHub Actions minutes used for scanning don’t count against your quota.

See how it works. 👇

Completing the security picture

If you’ve already run a Secret Risk Assessment, you know the value of visibility. Since launching last year, the Secret Risk Assessment has helped thousands of organizations understand their exposure to leaked credentials. In 2025 alone, customers using Secret Protection scanned nearly 2 billion pushes and blocked 19 million secret exposures.

The Code Security Risk Assessment brings that same philosophy to vulnerabilities in your source code. Both assessments now run together from a single entry point, with a tabbed interface that lets you switch between your secret exposure and your code vulnerability findings. Together, they give you a unified view of your organization’s security posture—secrets and code—in minutes.

Even if you’re not responsible for running security scans yourself, the results of these assessments can help your team align on where risk exists and what to fix first.

And when you’re ready to act on what you find, each assessment has a corresponding GitHub product designed to help. Secret Protection stops credentials from leaking. Code Security finds and fixes vulnerabilities. The assessments show you why you need them.

From found to fixed

Knowing where your vulnerabilities are is the first step. Fixing them is what actually reduces risk.

That’s where GitHub Code Security and Copilot Autofix change the equation. Across GitHub in 2025:

  • 460,258 security alerts were fixed using Copilot Autofix
  • 50% of vulnerability alerts were resolved directly in pull requests — where developers are already working
  • Mean time to remediation was nearly twice as fast with Copilot Autofix (0.66 hours) compared to manual fixes (1.29 hours)

Your Code Security Risk Assessment results will show you how many of your detected vulnerabilities are eligible for Copilot Autofix — giving you a concrete picture of how quickly you could start reducing risk. When you’re ready, you can enable Code Security directly from the results page with a single click.

Find what you’ve been missing

Whether you have no security scanning in place, you’re evaluating your current tools, or you want a broader view of risk across your organization — the Code Security Risk Assessment meets you where you are.

It’s free. It takes minutes. And what you learn might change how you think about your security posture.


Written by

Dorothy Pearce

Staff Product Manager

Eric Tooley

Senior Product Marketing Manager

Related posts

Explore more from GitHub

Docs

Docs

Everything you need to master GitHub, all in one place.

Go to Docs

GitHub

GitHub

Build what’s next on GitHub, the place for anyone from anywhere to build anything.

Start building

Customer stories

Customer stories

Meet the companies and engineering teams that build with GitHub.

Learn more

The GitHub Podcast

The GitHub Podcast

Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.

Listen now