Staff Product Manager
Most security leaders share the same suspicion: there are vulnerabilities in our codebase that we don’t know about.
The uncomfortable truth is that most code never gets a thorough security review. Vulnerabilities accumulate quietly in active repositories, across languages and teams, often undetected until something goes wrong. And if you’re relying on manual reviews or narrowly scoped tools, the gaps may be wider than you think.
Today, we’re introducing the Code Security Risk Assessment: a free, one-click scan that reveals vulnerabilities hiding in your organization’s code. No license required. No configuration. No commitment. Just clarity.
The Code Security Risk Assessment is available to GitHub organization admins and security managers. If that’s not you, this post is still worth reading and sharing: it explains what the assessment reveals and why it’s worth running.
The Code Security Risk Assessment scans up to 20 of your most active repositories using CodeQL, GitHub’s industry-leading static analysis engine, and delivers a dashboard summarizing what it finds:
The assessment is available to organization admins and security managers on GitHub Enterprise Cloud and GitHub Team plans. It’s completely free — you won’t be charged for any licenses, and the GitHub Actions minutes used for scanning don’t count against your quota.
See how it works. 👇
If you’ve already run a Secret Risk Assessment, you know the value of visibility. Since launching last year, the Secret Risk Assessment has helped thousands of organizations understand their exposure to leaked credentials. In 2025 alone, customers using Secret Protection scanned nearly 2 billion pushes and blocked 19 million secret exposures.
The Code Security Risk Assessment brings that same philosophy to vulnerabilities in your source code. Both assessments now run together from a single entry point, with a tabbed interface that lets you switch between your secret exposure and your code vulnerability findings. Together, they give you a unified view of your organization’s security posture—secrets and code—in minutes.
Even if you’re not responsible for running security scans yourself, the results of these assessments can help your team align on where risk exists and what to fix first.
And when you’re ready to act on what you find, each assessment has a corresponding GitHub product designed to help. Secret Protection stops credentials from leaking. Code Security finds and fixes vulnerabilities. The assessments show you why you need them.
Knowing where your vulnerabilities are is the first step. Fixing them is what actually reduces risk.
That’s where GitHub Code Security and Copilot Autofix change the equation. Across GitHub in 2025:
Your Code Security Risk Assessment results will show you how many of your detected vulnerabilities are eligible for Copilot Autofix — giving you a concrete picture of how quickly you could start reducing risk. When you’re ready, you can enable Code Security directly from the results page with a single click.
Whether you have no security scanning in place, you’re evaluating your current tools, or you want a broader view of risk across your organization — the Code Security Risk Assessment meets you where you are.
It’s free. It takes minutes. And what you learn might change how you think about your security posture.
Staff Product Manager
Senior Product Marketing Manager
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
