GitHub Adds AI Security Detections for Shell, Terraform, and PHP

TL;DR

• GitHub is pairing CodeQL with AI-powered security detections to catch vulnerabilities in Shell, Bash, Dockerfiles, Terraform, and PHP
• The hybrid system processed 170,000+ findings in 30 days with 80%+ positive developer feedback in internal testing
• Detections surface directly in pull requests alongside CodeQL findings, with Copilot Autofix suggesting remediation
• Public preview launches early Q2 2025 — matters if you're securing multi-language repos beyond traditional enterprise stacks

The Big Picture

Static analysis tools like CodeQL excel at finding vulnerabilities in Java, C#, and JavaScript. But modern repos don't stop there. You've got Bash scripts automating deployments, Terraform managing infrastructure, Dockerfiles defining containers, and legacy PHP powering critical services. Traditional static analysis struggles with these ecosystems — the semantic models are harder to build, the codebases are smaller and more fragmented, and the ROI for deep tooling support hasn't justified the engineering investment.

GitHub's answer is a hybrid detection model: keep CodeQL for deep semantic analysis where it's strong, add AI-powered detections for everything else. This isn't about replacing static analysis. It's about expanding coverage to the parts of your codebase that have been flying under the radar. The system sits inside GitHub Code Security and surfaces findings directly in pull requests, where developers already review code. No new dashboards. No separate workflows. Just more vulnerabilities caught before merge.

The timing matters. AI coding assistants are accelerating development and making it easier for teams to work across more languages. Security teams are now responsible for protecting code they might not have written or even reviewed six months ago. If your detection tooling only covers half your stack, you're securing half your attack surface.

How It Works

When you open a pull request, GitHub Code Security analyzes the diff using whichever detection method fits the code. If it's a language CodeQL supports deeply — like Java, TypeScript, or Go — CodeQL runs its semantic analysis. If it's Shell, Terraform HCL, Dockerfiles, or PHP, the AI-powered detection layer kicks in.

The AI model looks for patterns that indicate security risk: unsafe string-built SQL queries, shell commands constructed from user input, insecure cryptographic algorithms, infrastructure configs that expose sensitive resources. These aren't generic linting warnings. The system is trained to surface actual vulnerabilities, not style violations.

GitHub tested this internally over 30 days and processed more than 170,000 findings. Developer feedback was positive in over 80% of cases, which suggests the signal-to-noise ratio is high enough to be useful in real workflows. That's critical — if developers start dismissing AI-flagged findings as false positives, the whole system loses credibility.

The detections appear in the same pull request interface as CodeQL findings. You see the vulnerability, the affected code, and a suggested fix from Copilot Autofix. Developers can review, test, and apply the fix without leaving the PR. The enforcement layer sits at merge time, so security teams can block risky code from shipping using the same policy controls they already use for CodeQL alerts.

This is part of what GitHub calls its "agentic detection platform" — a broader system that powers security, code quality, and code review across the developer workflow. The architecture is designed to evolve. What starts as expanded coverage today becomes the foundation for deeper AI-augmented static analysis as the models improve and the feedback loop tightens.

The key technical bet here is that AI can generalize across ecosystems faster than traditional static analysis can scale. CodeQL requires building semantic models for each language — a multi-year engineering effort. AI-powered detections can extend to new languages and frameworks with less upfront investment, as long as the training data and feedback mechanisms are strong enough to maintain precision.

What This Changes For Developers

If you're working in a polyglot codebase, this expands the security coverage you get without changing your workflow. You're already opening pull requests. You're already reviewing code scanning alerts. Now those alerts include findings from parts of the stack that weren't covered before.

The practical impact depends on what you're building. If your repo is pure TypeScript with a Node backend, CodeQL already has you covered — the AI detections won't change much. But if you're shipping infrastructure-as-code alongside application logic, or maintaining legacy PHP services, or automating deployments with Shell scripts, you're now getting security feedback on code that was previously invisible to automated tooling.

Copilot Autofix is the other half of this. GitHub reports that Autofix has resolved more than 460,000 security alerts in 2025 so far, with an average resolution time of 0.66 hours compared to 1.29 hours without it. That's a meaningful workflow improvement — not just finding the issue, but getting a suggested fix you can review and apply in the same context.

The enforcement angle matters for teams with compliance requirements. If your security policy requires all high-severity vulnerabilities to be fixed before merge, you can now enforce that policy across a wider range of languages and frameworks. The merge gate doesn't care whether the finding came from CodeQL or AI-powered detection — it just blocks the PR until the issue is resolved.

For security teams, this reduces the gap between what you're responsible for securing and what your tooling actually covers. You're not chasing down Shell script vulnerabilities in post-merge audits. You're catching them in the pull request, where the developer who wrote the code is still in context and can fix it quickly.

Try It Yourself

The public preview launches in early Q2 2025. If you're already using GitHub Advanced Security, the AI-powered detections will roll out as part of GitHub Code Security — no separate product to enable. You'll see the findings appear in pull requests alongside existing CodeQL alerts.

If you want to see it in action before the public preview, GitHub is demoing the system at RSAC 2025 in booth #2327. The demo shows how hybrid detection, Copilot Autofix, and policy enforcement work together in the pull request workflow.

For teams evaluating this, the key question is whether your codebase includes languages and frameworks that CodeQL doesn't cover deeply. If you're shipping Terraform configs, Dockerfiles, or Shell scripts in production, this expands your security coverage in areas that were previously manual review only. If your stack is already fully covered by CodeQL, the incremental value is lower — though the agentic detection platform architecture suggests this is the foundation for future capabilities, not just a one-time coverage expansion.

The Bottom Line

Use this if you're securing multi-language repos with infrastructure-as-code, containerization, or scripting layers that traditional static analysis doesn't cover well. The hybrid model gives you broader coverage without fragmenting your security workflow across multiple tools. Skip it if your entire stack is already covered by CodeQL and you don't need AI-augmented detections for edge-case languages.

The real risk here is false positive fatigue. If the AI detections surface too many low-confidence findings, developers will start ignoring them, and the system loses credibility. GitHub's internal testing shows 80%+ positive feedback, which is a strong signal — but that's internal usage with tight feedback loops. The public preview will reveal whether that quality holds across diverse codebases and team workflows.

The real opportunity is closing the coverage gap between what security teams are responsible for and what their tooling actually scans. If you're already enforcing security policies at merge time with GitHub Actions and CodeQL, this extends that enforcement to the parts of your codebase that were previously invisible. That's a meaningful shift — not just more detections, but more consistent security outcomes across your entire stack.

Source: GitHub Blog