GitHub launched the Code Security Risk Assessment, a free, zero-configuration scan that uses CodeQL to analyze up to 20 of your most active repositories. No license is required. Organization admins and security managers on GitHub Enterprise Cloud and Team plans can run it from a single entry point. Results break down findings by severity (critical, high, medium, low), by language, by vulnerability class, and by repository, giving you a ranked list of where to act first.

The numbers behind this matter. In 2025, Copilot Autofix resolved 460,258 security alerts, cut mean time to remediation from 1.29 hours to 0.66 hours, and closed 50% of vulnerability alerts directly inside pull requests. The assessment tells you upfront how many of your detected vulnerabilities qualify for Autofix, so the gap between found and fixed has a concrete size before you spend a dollar. It also runs alongside the existing Secret Risk Assessment in a tabbed interface, covering both leaked credentials and code vulnerabilities in one session.
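To make the "ranked list of where to act first" and the "found versus Autofix-eligible" gap concrete, here is an added example (not GitHub's code and not the assessment's actual scoring) that takes a constructed set of findings in the shape the text describes and produces the same four breakdowns plus a weighted repository ranking. The severity weights and the sample repositories, rules and Autofix flags are all assumptions for illustration.

```python
from collections import Counter, defaultdict

# Severity weights used to rank repositories. These are an assumption for this
# example; the assessment's own prioritization is not published on the page.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Constructed sample findings: repository, language, vulnerability class,
# severity, and whether Copilot Autofix could propose a patch for it.
SAMPLE_FINDINGS = [
    {"repo": "payments-api", "language": "java", "rule": "sql-injection",
     "severity": "critical", "autofix": True},
    {"repo": "payments-api", "language": "java", "rule": "path-injection",
     "severity": "medium", "autofix": True},
    {"repo": "web-frontend", "language": "javascript", "rule": "xss",
     "severity": "high", "autofix": True},
    {"repo": "web-frontend", "language": "javascript", "rule": "log-injection",
     "severity": "low", "autofix": False},
    {"repo": "infra-scripts", "language": "python", "rule": "clear-text-logging",
     "severity": "medium", "autofix": False},
    {"repo": "infra-scripts", "language": "python", "rule": "xss",
     "severity": "high", "autofix": True},
]


def summarize(findings):
    """Break findings down by severity, language, vulnerability class and
    repository, and report how many are Autofix-eligible (the found/fixed gap)."""
    for f in findings:
        if f["severity"] not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['repo']}")
    eligible = sum(1 for f in findings if f["autofix"])
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_language": dict(Counter(f["language"] for f in findings)),
        "by_rule": dict(Counter(f["rule"] for f in findings)),
        "by_repo": dict(Counter(f["repo"] for f in findings)),
        "autofix_eligible": eligible,
        "manual_remaining": len(findings) - eligible,
    }


def rank_repositories(findings, weights=SEVERITY_WEIGHT):
    """Rank repositories by the weighted sum of their findings' severities,
    highest first; ties are broken alphabetically so the order is stable."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["repo"]] += weights[f["severity"]]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = summarize(SAMPLE_FINDINGS)
    print(f"{report['total']} findings, {report['autofix_eligible']} Autofix-eligible, "
          f"{report['manual_remaining']} need manual remediation")
    for repo, score in rank_repositories(SAMPLE_FINDINGS):
        print(f"{score:>4}  {repo}")
```

A single critical finding outranks several medium ones under this weighting, which is the behaviour you want when deciding which repository gets attention first; swap in your own weights if your risk model says otherwise.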

The full article is worth reading not for the conclusion but for what it reveals about the philosophy: GitHub is using free, one-click visibility tools as the entry point to paid products (Secret Protection and Code Security), and the 2025 remediation statistics it cites are sourced from real platform-wide data, not estimates. If you are evaluating static analysis tooling or trying to justify a security budget internally, those numbers are the most useful thing here.
