GitHub's Free Code Scan

Most security leaders suspect unknown vulnerabilities lurk within their codebases. Manual reviews and narrowly scoped tools often miss these accumulated flaws, leaving organizations exposed. Addressing this blind spot, GitHub is now offering a free Code Security Risk Assessment, providing a one-click view of potential vulnerabilities.

This new assessment is available to GitHub organization admins and security managers, requiring no license, configuration, or commitment. It utilizes GitHub's CodeQL, a leading static analysis engine, to scan up to 20 of an organization's most active repositories.

What the Assessment Reveals

The output is a dashboard summarizing key security findings.

• Total vulnerabilities across scanned repositories, categorized by severity (critical, high, medium, low).
• Vulnerabilities broken down by programming language.
• Specific security rules detected, their affected repositories, and severity.
• Identification of the most vulnerable repositories for focused remediation.
• Copilot Autofix eligibility, indicating how many vulnerabilities could be automatically addressed.

The assessment is accessible on GitHub Enterprise Cloud and GitHub Team plans, with no charges for licenses or GitHub Actions minutes used during the scan.

Integrating Security Visibility

This initiative builds upon the success of the Secret Risk Assessment, which has helped organizations identify leaked credentials. Last year alone, customers using Secret Protection scanned nearly 2 billion pushes and blocked 19 million secret exposures.

The Code Security Risk Assessment extends this visibility to source code vulnerabilities. Both assessments can now be run from a single interface, offering a unified view of an organization's security posture, covering both secrets and code.

This unified approach helps teams align on risk areas and prioritize fixes, even if they aren't directly responsible for running the scans.

From Discovery to Remediation

Identifying vulnerabilities is the first step; fixing them is crucial for risk reduction. GitHub's tools aim to bridge this gap.

In 2025, 460,258 security alerts were resolved using Copilot Autofix. Fifty percent of vulnerability alerts were fixed directly within pull requests, and the mean time to remediation was nearly halved with Copilot Autofix compared to manual fixes.

The Code Security Risk Assessment directly shows how many detected vulnerabilities are eligible for Copilot Autofix, offering a concrete path to faster risk reduction. Users can enable GitHub Code Security directly from the results page.

Whether an organization lacks existing security scanning, is evaluating current tools, or seeks a broader risk overview, the free assessment provides immediate insights.