Run your free Code Security Risk Assessment, or to learn more, read the docs.
This tool provides immediate visibility into hidden security risks without financial or setup barriers. By identifying vulnerabilities and AI-driven remediation opportunities, engineers can proactively reduce technical debt and secure their codebase before exploits occur.
Most security leaders share the same suspicion: there are vulnerabilities in our codebase that we don’t know about.
The uncomfortable truth is that most code never gets a thorough security review. Vulnerabilities accumulate quietly in active repositories, across languages and teams, often undetected until something goes wrong. And if you’re relying on manual reviews or narrowly scoped tools, the gaps may be wider than you think.
Today, we’re introducing the Code Security Risk Assessment: a free, one-click scan that reveals vulnerabilities hiding in your organization’s code. No license required. No configuration. No commitment. Just clarity.
The Code Security Risk Assessment is available to GitHub organization admins and security managers. If that’s not you, this post is still worth reading and sharing: it explains what the assessment reveals and why it’s worth running.
The Code Security Risk Assessment scans up to 20 of your most active repositories using CodeQL, GitHub’s industry-leading static analysis engine, and delivers a dashboard summarizing what it finds:
The assessment is available to organization admins and security managers on GitHub Enterprise Cloud and GitHub Team plans. It’s completely free — you won’t be charged for any licenses, and the GitHub Actions minutes used for scanning don’t count against your quota.
See how it works. 👇
If you’ve already run a Secret Risk Assessment, you know the value of visibility. Since launching last year, the Secret Risk Assessment has helped thousands of organizations understand their exposure to leaked credentials. In 2025 alone, customers using Secret Protection scanned nearly 2 billion pushes and blocked 19 million secret exposures.
The Code Security Risk Assessment brings that same philosophy to vulnerabilities in your source code. Both assessments now run together from a single entry point, with a tabbed interface that lets you switch between your secret exposure and your code vulnerability findings. Together, they give you a unified view of your organization’s security posture—secrets and code—in minutes.
Even if you’re not responsible for running security scans yourself, the results of these assessments can help your team align on where risk exists and what to fix first.
And when you’re ready to act on what you find, each assessment has a corresponding GitHub product designed to help. Secret Protection stops credentials from leaking. Code Security finds and fixes vulnerabilities. The assessments show you why you need them.
Knowing where your vulnerabilities are is the first step. Fixing them is what actually reduces risk.
That’s where GitHub Code Security and Copilot Autofix change the equation. Across GitHub in 2025:
Your Code Security Risk Assessment results will show you how many of your detected vulnerabilities are eligible for Copilot Autofix — giving you a concrete picture of how quickly you could start reducing risk. When you’re ready, you can enable Code Security directly from the results page with a single click.
Whether you have no security scanning in place, you’re evaluating your current tools, or you want a broader view of risk across your organization — the Code Security Risk Assessment meets you where you are.
It’s free. It takes minutes. And what you learn might change how you think about your security posture.
Run your free Code Security Risk Assessment, or to learn more, read the docs.
The post How exposed is your code? Find out in minutes—for free appeared first on The GitHub Blog.
Continue reading on the original blog to support the author
Read full articleLegal and policy shifts regarding copyright liability and age assurance directly impact how engineers build, share, and secure software. These updates ensure that neutral infrastructure and security research remain protected from broad regulations that could stifle open-source innovation.
GitHub Universe is a premier event for engineers to showcase technical achievements and learn about the latest in AI-driven development and security. It offers a unique opportunity to influence the community and discover tools that accelerate the software development lifecycle.
Open source maintainers face increasing burnout from automated security reports and AI-driven exploits. This investment provides the funding, AI tools, and reporting infrastructure needed to secure the global software supply chain without overwhelming the people who build it.
Securing the open-source supply chain is critical as a single vulnerability can impact thousands of downstream systems. This initiative provides the resources and training necessary to harden the libraries and tools that form the bedrock of modern AI and cloud infrastructure.