GitHub is linking developers with security pros to reduce the number of vulnerabilities that may be hiding in code that already is in workflows.

The highly popular Microsoft-owned code repository this week said its security campaigns, which were released in public preview in October 2024, are now generally available to GitHub Advanced Security and GitHub Code Security developers.

The AI-powered tool is the latest step by GitHub to help developers address security issues that can accumulate in fast-paced CI/CD development processes – what’s called the security debt. GitHub in 2023 built Copilot Autofix into pull requests, which the company said allowed programming teams to address vulnerabilities and other security issues 60% faster, which reduced the critical mean time to remediation (MTTR) compared to manual efforts.

“Autofix helps you catch vulnerabilities before they ever make it into production, so you spend less time fixing bugs and more time coding,” James Fletcher, a project manager at GitHub, wrote in a blog post. “But what about the vulnerabilities already lurking in your existing code? Every unresolved security finding adds to your security debt – a growing risk you can’t afford to ignore.”

Fletcher wrote that development teams typically address only 10% of the security issues in their code, leaving 90% of them unresolved.

The Problem with Vulnerabilities

Cloud security firm Wiz, in its State of Code Security 2025 report, found that while code vulnerabilities remain a high security risk, many companies don’t secure their CI/CD pipelines or repositories. The company – which Google is buying for $32 billion – said that 80% of GitHub workflows have insecure permissions, which can allow bad actors to make unauthorized modifications.

That’s where GitHub’s security campaigns come in.

“Security campaigns bridge this gap by bringing security experts and developers together, streamlining the vulnerability remediation process right within your workflow, and at scale,” Fletcher wrote.

AI at the Core

The security campaigns rely on GitHub Copilot Autofix to create code suggestions for up to 1,000 of the alerts that code scans create. Security teams can use the suggestions to triage and prioritize the alerts, while developers take that information and address the issues with Autofix. Because the recommendations are delivered to developers in GitHub, they can be incorporated into the process like any other feature of the work.

Included in the campaigns are notifications to developers to let them know which alert they or their team is responsible for, as well as a manager appointed to oversee the process.

In addition, developers can select a group of alerts that are closely related, which lets developers use what they learn by addressing one alert to fix others. Also, developers can use the REST API to more easily interact with campaigns at scale.

Addressing a Critical Need

It’s a step that can’t be skipped in software development, Fletcher wrote.

“Triaging and prioritizing security problems already present in a codebase has to happen as part of the normal software development lifecycle,” Fletcher wrote. “Unfortunately, when product teams are under pressure to ship faster, they often don’t have enough time to dig through their security alerts to decide which ones to address first. Luckily, in most software organizations, there is already a group of people who are experts in understanding these risks: the security team.”

GitHub found through the early work with security campaigns by some companies that 55% of the alerts included in them were fixed, compared with the 10% that were fixed in situations outside of the process.

“This shows that when alerts are included in a campaign, you can spend more time fixing the security debt, since the prioritization of which alerts to work on has already been taken care of by your security team,” Fletcher wrote.
