GitHub has introduced security campaigns for GitHub Advanced Security and GitHub Code Security users, aiming to improve how security risks are managed across codebases. Announced on April 8, security campaigns are designed to help developers and security teams collaborate more efficiently in tackling vulnerabilities. This feature provides a streamlined approach to controlling security debt and reducing the overall risk within applications, enhancing both speed and scalability when addressing security concerns.
One of the key tools supporting security campaigns is the Copilot Autofix code scanning tool. With this tool, security and developer teams can work together to identify and fix vulnerabilities across an entire codebase. By integrating security campaigns into Copilot Autofix, GitHub has made it easier to speed up the vulnerability remediation process. The tool helps automate the identification of issues and suggests fixes, significantly reducing the time it takes to address security vulnerabilities.
Security campaigns with Copilot Autofix had been available in public preview since October 2024, and with its general availability, GitHub has rolled out several key enhancements. One major update is the introduction of draft security campaigns, which allow security managers to refine the scope of their campaigns before finalizing them for developers. Additionally, the new functionality includes the ability to create and track GitHub issues that are automatically updated as the campaign progresses, providing better visibility and control over ongoing security efforts.
Another significant improvement is the ability for security managers to access aggregated statistics on both active and past campaigns, offering a clear overview of progress. Copilot Autofix’s security campaign integration enables security teams to triage and prioritize vulnerabilities more effectively. The tool can generate code suggestions for up to 1,000 scanning alerts at once, improving the overall remediation process. GitHub claims that this feature reduces mean-time to remediation by as much as 60%, making it a valuable addition for teams focused on maintaining secure, high-quality codebases.