GitHub's Free Code Security Scan: Find Vulnerabilities Fast

GitHub's new Code Security Risk Assessment scans up to 20 repos for free using CodeQL. No license, no config, no Actions quota hit. Get a full vulnerability breakdown by severity, language, and Copilot Autofix eligibility in minutes.

TL;DR

  • GitHub now offers a free, one-click Code Security Risk Assessment that scans up to 20 repositories using CodeQL
  • Get a complete vulnerability breakdown by severity, language, and repository — plus see how many issues Copilot Autofix can handle automatically
  • No license required, no configuration, and scanning doesn't count against your Actions quota
  • Available to org admins and security managers on GitHub Enterprise Cloud and Team plans

The Big Picture

Most codebases are sitting on vulnerabilities nobody knows about. Not because teams don't care about security — but because manual reviews don't scale and most scanning tools require setup, licensing, and ongoing maintenance before you see a single result.

GitHub's new Code Security Risk Assessment flips that model. It's a free, zero-config scan that runs CodeQL against up to 20 of your most active repositories and delivers a dashboard showing where CodeQL found vulnerabilities. No trial period. No credit card. No Actions minutes deducted from your quota.

This isn't a marketing gimmick. It's a genuine attempt to lower the barrier to security visibility. If you're an organization admin or security manager on GitHub Enterprise Cloud or Team, you can run this assessment right now and get results in minutes. If you're not in that role, this is still worth understanding — because the data it surfaces can change how your team prioritizes security work.

The assessment builds on GitHub's existing Secret Risk Assessment, which has helped thousands of orgs understand credential exposure since launch. Together, they give you a unified view of two critical attack surfaces: leaked secrets and code vulnerabilities. Both run from the same entry point, with a tabbed interface that lets you switch between findings.

How It Works

The Code Security Risk Assessment uses CodeQL, the same static analysis engine that powers GitHub Advanced Security. CodeQL is a semantic code analysis tool, not a pattern matcher: it builds a queryable database of your code's structure and data flow, then runs security queries against it, for example tracing whether untrusted input can reach a SQL query, a shell command, or a file path without being sanitized. Like any static analysis, the output is a set of alerts to triage, not confirmed exploits, but the data-flow evidence attached to each alert makes that triage fast.

When you trigger the assessment, GitHub automatically selects up to 20 of your most active repositories and runs a full CodeQL scan. No configuration files to write. No workflow YAML to debug. The scan runs in GitHub's infrastructure, and the minutes don't count against your Actions quota.

The results dashboard breaks down findings across five dimensions:

  • Total vulnerabilities by severity — critical, high, medium, and low. This gives you an immediate sense of exposure and helps prioritize remediation.
  • Vulnerabilities by language — see which parts of your stack carry the most risk. If your Python repos are clean but your JavaScript code is flagging dozens of issues, that tells you where to focus.
  • Rules detected — the specific classes of security issues found (SQL injection, XSS, path traversal, etc.), how many repos they affect, and their severity. This is where you start to see patterns.
  • Most vulnerable repositories — ranked by issue count and severity. This is your remediation roadmap.
  • Copilot Autofix eligibility — how many of your vulnerabilities can be automatically fixed with Copilot Autofix. This number matters because it tells you how much of the remediation work can be automated.
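The five breakdowns above are aggregations over CodeQL's alert data, and you can produce the same picture yourself from CodeQL's SARIF output, for instance for repositories the assessment did not pick or if your organization is not on a plan that offers it. The script below is an added example written for this article, not GitHub's code. It reads SARIF 2.1.0 files keyed by repository, buckets each alert by the `security-severity` score using the thresholds code scanning publishes (9.0 and above critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, below 4.0 low), infers the language from the CodeQL rule-id prefix, groups rules by vulnerability class across languages, ranks repositories, and counts autofix-eligible alerts. The two SARIF documents are constructed for the example (real rule ids, made-up alerts), and the Copilot Autofix allow-list is an assumption standing in for GitHub's actual coverage, which changes over time.

```python
"""Reproduce the Code Security Risk Assessment's five breakdowns from CodeQL SARIF.

Added example, not GitHub's code. Sample data below is constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed SARIF 2.1.0 output for two hypothetical repositories, trimmed to the
# fields this script reads (real CodeQL rule ids; alert counts are made up).
SAMPLE_SARIF_BY_REPO = {
    "acme/web": {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "js/xss", "properties": {"security-severity": "6.1"}},
            {"id": "js/path-injection", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [{"ruleId": "js/sql-injection"}, {"ruleId": "js/sql-injection"},
                    {"ruleId": "js/xss"}, {"ruleId": "js/path-injection"}],
    }]},
    "acme/api": {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/command-line-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "py/clear-text-logging-sensitive-data", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [{"ruleId": "py/command-line-injection"}, {"ruleId": "py/sql-injection"},
                    {"ruleId": "py/clear-text-logging-sensitive-data"},
                    {"ruleId": "py/clear-text-logging-sensitive-data"}],
    }]},
}

# ASSUMPTION: placeholder for the set of CodeQL rules Copilot Autofix can fix.
# GitHub decides the real coverage; this set exists only to make the example run.
ASSUMED_AUTOFIX_RULES = {"js/sql-injection", "js/xss", "py/sql-injection"}

# CodeQL rule ids are prefixed with the language pack that owns them.
LANGUAGE_BY_PREFIX = {"js": "JavaScript/TypeScript", "py": "Python", "java": "Java/Kotlin",
                      "go": "Go", "cpp": "C/C++", "cs": "C#", "rb": "Ruby", "swift": "Swift"}


def severity_bucket(score):
    """Map a security-severity score (CVSS-style, 0-10) onto code scanning's buckets."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rule_scores(run):
    """Collect rule-id -> security-severity for one SARIF run. CodeQL may list rules
    under tool.driver.rules or, for query packs, under tool.extensions[].rules."""
    tool = run["tool"]
    rule_lists = [tool["driver"].get("rules", [])]
    rule_lists += [ext.get("rules", []) for ext in tool.get("extensions", [])]
    return {r["id"]: float(r.get("properties", {}).get("security-severity", 0.0))
            for rules in rule_lists for r in rules}


def assess(sarif_by_repo, autofix_rules=ASSUMED_AUTOFIX_RULES):
    """Return the five dashboard dimensions plus the total alert count."""
    by_severity, by_language = Counter(), Counter()
    class_alerts, class_repos = Counter(), defaultdict(set)
    class_score = defaultdict(float)          # highest score seen per class
    repo_counts = defaultdict(Counter)        # repo -> severity bucket -> alerts
    autofix_eligible = total = 0
    for repo, sarif in sarif_by_repo.items():
        for run in sarif["runs"]:
            scores = rule_scores(run)
            for result in run.get("results", []):
                rule = result["ruleId"]
                score = scores.get(rule, 0.0)
                bucket = severity_bucket(score)
                prefix, _, cls = rule.partition("/")   # "js/sql-injection" -> js, sql-injection
                cls = cls or rule
                total += 1
                by_severity[bucket] += 1
                by_language[LANGUAGE_BY_PREFIX.get(prefix, "other")] += 1
                class_alerts[cls] += 1                 # groups the same class across languages
                class_repos[cls].add(repo)
                class_score[cls] = max(class_score[cls], score)
                repo_counts[repo][bucket] += 1
                if rule in autofix_rules:
                    autofix_eligible += 1
    # Remediation roadmap: most critical first, then high, then total volume.
    ranked = sorted(repo_counts, reverse=True, key=lambda r: (
        repo_counts[r]["critical"], repo_counts[r]["high"], sum(repo_counts[r].values())))
    return {
        "total": total,
        "by_severity": dict(by_severity),
        "by_language": dict(by_language),
        "rules": {c: {"alerts": class_alerts[c], "repos": len(class_repos[c]),
                      "severity": severity_bucket(class_score[c])} for c in class_alerts},
        "most_vulnerable": [(r, dict(repo_counts[r])) for r in ranked],
        "autofix_eligible": autofix_eligible,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SARIF_BY_REPO), indent=2))
```

To run it against real data, load the SARIF files produced by `codeql database analyze --format=sarif-latest --output=...` for each repository, or the analyses downloaded through the code scanning API, into the dictionary in place of the constructed sample. Grouping by class rather than by full rule id is what surfaces the cross-language pattern the article describes: in the sample, `sql-injection` shows up in both repositories even though the JavaScript and Python rules have different ids.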

The assessment runs alongside the Secret Risk Assessment, which scans for leaked credentials. Both are accessible from a single dashboard with tabbed navigation. If you've already run the secret scan, your code scan results will appear in a new tab. If you haven't, you can run both at once.

GitHub has been running Secret Protection at scale — in 2025 alone, customers scanned nearly 2 billion pushes and blocked 19 million secret exposures. The Code Security Risk Assessment brings that same philosophy to source code vulnerabilities.

What This Changes For Developers

Security scanning has always had a chicken-and-egg problem. You need visibility to justify investment in security tooling, but you need tooling to get visibility. This assessment breaks that loop.

For teams with no security scanning in place, this is a zero-friction entry point. You get a concrete picture of risk without committing to a product or a budget. For teams already using security tools, this is a second opinion — a way to validate coverage and find gaps.

The Copilot Autofix eligibility metric is particularly useful. GitHub's data shows that Copilot Autofix cuts mean time to remediation nearly in half — 0.66 hours versus 1.29 hours for manual fixes. Across GitHub in 2025, developers fixed 460,258 security alerts using Autofix, and 50% of vulnerability alerts were resolved directly in pull requests.

That last stat matters. Developers don't want to context-switch into a separate security dashboard, triage issues, and then go back to their IDE to fix them. They want to fix vulnerabilities where they're already working — in the PR. The assessment shows you how many of your issues can follow that workflow.

If you decide to enable Code Security after running the assessment, you can do it with a single click from the results page. No procurement process. No multi-week onboarding. Enablement takes seconds, and ongoing scanning of new changes starts from there.

What You'll Actually See

The assessment doesn't just dump a flat list of alerts. It gives you context. (These are CodeQL code scanning alerts in your own source, classified by vulnerability rule, not CVEs in third-party dependencies; that is a different tool's job.)

You'll see which repositories have the highest concentration of critical and high-severity issues. You'll see which vulnerability classes are most common in your codebase — maybe you have a SQL injection problem, or maybe it's all XSS. You'll see which languages are contributing the most risk.

This is actionable data. If you're a security manager, you can use it to justify headcount or tooling budget. If you're a team lead, you can use it to prioritize refactoring work. If you're an IC, you can use it to make the case for fixing tech debt instead of shipping the next feature.

The assessment also surfaces how many of your vulnerabilities are eligible for Copilot Autofix. This isn't a theoretical number: it's based on the specific CodeQL rules detected in your code and which of those rules Autofix currently supports. If the dashboard says 200 of your 300 vulnerabilities are autofix-eligible, that's a real estimate of how much remediation work can be offloaded, though each suggested fix still needs a reviewer to confirm it before merge.

The Bottom Line

Run this assessment if you're an org admin or security manager on GitHub Enterprise Cloud or Team. It takes minutes and costs nothing. Skip it if you're on a free or Pro plan — it's not available to you yet.

The real value here isn't the scan itself. It's the decision-making data. You'll know which repos are the riskiest, which vulnerability classes are most common, and how much of the fix work can be automated. That's enough to either justify enabling Code Security or to validate that your current tooling is working.

The risk isn't running the assessment and finding issues. The risk is not running it and assuming you're fine.

Source: GitHub Blog