Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025
Trending News: Introducing sub-issues: Enhancing issue management on GitHub9 business leaders on what’s possible with Google AIWhat the heck is MCP and why is everyone talking about it?The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AIBeyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design6 highlights from Google Cloud Next 25Pixel 9a’s 3 big design updatesAnnouncing up to 85% price reductions for Amazon S3 Express One ZoneHow we’re making security easier for the average developerA short film program to explore AI on screenPixel 9a is available now.The Agentic Maturity Model: A 4-Step Roadmap for CIOs to Succeed in the Agentic Era(AI)ways a Cut Above: GeForce RTX 50 Series Accelerates New DaVinci Resolve 20 Studio Video Editing SoftwareMyth and Mystery Await: GeForce NOW Brings ‘South of Midnight’ to the Cloud at LaunchPixel 9a is available nowServing up tennis history with magazine archives and NotebookLMNVIDIA Celebrates Partners of the Year Advancing AI in Europe, Middle East and AfricaOur investment in AI-powered solutions for the electric gridHow to request a change to a CVE record‘Black Women in Artificial Intelligence’ Founder Talks AI Education and EmpowermentGoogle Cloud Next 25: New AI capabilities to transform your businessSalesforce Brings Agentic AI to the Field Service Sector to Tackle Scheduling, Reporting, and On-the-Job TroubleshootingHow Agentforce Automates Field Service Tasks, Easing Skilled Labor Shortage StrainTradespeople, Techs Waste Nearly a Full Day’s Work Weekly on Paperwork, 81% Think AI Agents Can HelpNVIDIA Brings Agentic AI Reasoning to Enterprises With Google CloudIronwood: The first Google TPU for the age of inferenceGoogle Cloud: the platform for scientific discoveryGoogle Workspace adds new AI tools to Docs, Sheets, Chat and more.Check out the latest features from Google Agentspace at Google Cloud Next.New video, image, speech and music generative AI tools are coming to Vertex AI.Here’s what’s new with our Google Cloud AI Hypercomputer.Google Cloud Next 25The AI magic behind Sphere’s upcoming ‘The Wizard of Oz’ experienceIntroducing Amazon Nova Sonic: Human-like voice conversations for generative AI applicationsAWS announces Pixtral Large 25.02 model in Amazon Bedrock serverlessDeep Research is now available on Gemini 2.5 Pro Experimental.We’re introducing a new way to analyze geospatial data.Found means fixed: Reduce security debt at scale with GitHub security campaigns‘Bazooka Innovation’ for Professional Services: How Certinia and Agentforce Drive Customer SuccessAdding AI to Workflows? Here’s What Indeed Has LearnedAmazon Bedrock Guardrails enhances generative AI application safety with new capabilitiesVisit Brazil’s Piratini Palace virtually on Google Arts & Culture.The AI opportunity for Europe’s climate goalsGit turns 20: A Q&A with Linus TorvaldsAmazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videosAWS Weekly Review: Amazon EKS, Amazon OpenSearch, Amazon API Gateway, and more (April 7, 2025)The Changing Role of Developers in the Age of AI Agents“Bazooka Innovation” for Professional Services: How Certinia and Agentforce are Driving Customer SuccessBringing multimodal search to AI ModeNew AI-powered experiments from Google Arts & Culture Artists in Residence5 ways to use Gemini Live with camera and screen sharingNew ways AI helps keep business information trustworthyQuantum computing education for global policy leaders25 startups using AI to transform healthcareNational Robotics Week — Latest Physical AI Research, Breakthroughs and ResourcesCopado and Agentforce: Automating Release Notes and Accelerating Production DeploymentsCelebrating Microsoft’s 50 yearsVibe coding with GitHub Copilot: Agent mode and MCP support rolling out to all VS Code usersSay Hello to Your New Colleague, the AI AgentYour AI CompanionThe latest AI news we announced in MarchStart building with Gemini 2.5 Pro.How Enterprise General Intelligence (EGI) Will Form a New Business ImperativeThese new features help you easily get started creating YouTube Shorts.3 ways to level up your studying with NotebookLMLocalhost dangers: CORS and DNS rebindingWhy Customers Say Unified Data Is Critical for AI AgentsThe Kindergarten Test: How AI Will Free Workers from DrudgeryNintendo Switch 2 Leveled Up With NVIDIA AI-Powered DLSS and 4K GamingNVIDIA Showcases Real-Time AI and Intelligent Media Workflows at NABFrom Browsing to Buying: How AI Agents Enhance Online ShoppingDiscover STEM stories from the Science Museum Group on Google Arts & Culture.4 ways media and entertainment companies are using GeminiRead Google DeepMind’s new paper on responsible artificial general intelligence (AGI).No Foolin’: GeForce NOW Gets 21 Games in AprilDiscover STEM stories from the Science Museum Group on Google Arts & CultureGoogle’s pro-innovation proposals for the UK copyright frameworkA practical approach to creative content and AI trainingNew in NotebookLM: Discover sources from around the webA New Definition of Smart: Agentic AI’s Impact on Critical ThinkingSpeed Demon: NVIDIA Blackwell Takes Pole Position in Latest MLPerf Inference ResultsNVIDIA’s Jacob Liberman on Bringing Agentic AI to EnterprisesA palace of art online: Discover the Farnesina CollectionHere’s how to watch this year’s Coachella music festival on YouTube.NVIDIA GeForce RTX 50 Series Accelerates Adobe Premiere Pro and Media Encoder’s 4:2:2 Color SamplingFinding answers, building hopeMeet the AWS News Blog team!How we built the new family of Gemini Robotics modelsGitHub found 39M secret leaks in 2024. Here’s what we’re doing to helpImmersive ads are expanding, starting with a new partnership between Ad Manager and Roblox.Amazon API Gateway now supports dual-stack (IPv4 and IPv6) endpointsAccelerate operational analytics with Amazon Q Developer in Amazon OpenSearch ServiceIndustrial Ecosystem Adopts Mega NVIDIA Omniverse Blueprint to Train Physical AI in Digital TwinsAWS Weekly Roundup: Amazon Bedrock, Amazon QuickSight, AWS Amplify, and more (March 31, 2025)Google Slides now uses Imagen 3 and adds other new visual tools.GitHub for Beginners: How to get LLMs to do what you wantThe Rise of AI Developer Tools: A New Era in Code and CollaborationThe newest recipients of Google.org’s AI Opportunity FundHere’s how we’re helping developers build safer apps more efficiently on Google Play and Android.Listen to our podcast episode all about Gemini 2.5.
Sun. Apr 13th, 2025

Found means fixed: Reduce security debt at scale with GitHub security campaigns


We get it: you’d rather spend your time shipping features than chasing security alerts. That’s why we’ve built tools like Copilot Autofix directly into pull requests, enabling teams to remediate security issues up to 60% faster, significantly reducing Mean Time to Remediation (MTTR) compared to manual fixes. Autofix helps you catch vulnerabilities before they ever make it into production, so you spend less time fixing bugs and more time coding.

But what about the vulnerabilities already lurking in your existing code? Every unresolved security finding adds to your security debt—a growing risk you can’t afford to ignore. In fact, our data shows that teams typically address only 10% of their security debt, leaving 90% of vulnerabilities unprioritized and unresolved.

A graphic showing that with security campaigns, 55% of security debt is fixed by developers compared to around only 10% of security debt without security campaigns.

Our data shows that security debt is the biggest unaddressed risk that customers face: historically, only 10% of lingering security debt in merged code gets addressed, meaning until today, 90% of risks did not get prioritized. Now, our data shows that 55% of security debt included in security campaigns is fixed.

Security campaigns bridge this gap by bringing security experts and developers together, streamlining the vulnerability remediation process right within your workflow, and at scale. Using Copilot Autofix to generate code suggestions for up to 1,000 code scanning alerts at a time, security campaigns help security teams take care of triage and prioritization, while you can quickly resolve issues using Autofix—without breaking your development momentum.

Security campaigns in action

Since security campaigns were launched in public preview at GitHub Universe last year, we have seen organizations at all different stages of their security journey try them out. Whether they’ve been used to reduce security debt across an entire organization or to target alerts in critical repositories, security campaigns have delivered value for both developers and security teams in their efforts to tackle security debt.

Security campaigns simplify life for our developers. They can easily group alerts from multiple repositories, reducing time spent on triage and prioritization while quickly remediating the most critical issues with the help of Copilot Autofix.

– Jose Antonio Moreno, DevSecOps engineer, Lumen

GitHub security campaigns is a game-changer for our development teams. It’s educated us about existing vulnerabilities, brought our engineers together to collaboratively tackle fixes, and significantly improved our remediation time.

– GP, security engineer, Alchemy

In a sample of early customers, we found that 55% of alerts included in security campaigns were fixed, compared to around only 10% of security debt outside security campaigns, a 5.5x improvement. This shows that when alerts are included in a campaign, you can spend more time fixing the security debt, since the prioritization of which alerts to work on has already been taken care of by your security team. In fact, our data shows that alerts in campaigns get roughly twice as much developer engagement than those outside of campaigns.

Security campaigns: how they work

Triaging and prioritizing security problems already present in a codebase has to happen as part of the normal software development lifecycle. Unfortunately, when product teams are under pressure to ship faster, they often don’t have enough time to dig through their security alerts to decide which ones to address first. Luckily, in most software organizations, there is already a group of people who are experts in understanding these risks: the security team. With security campaigns, we play to the different strengths of developers and security teams in a new collaborative approach to addressing security debt.

  1. Security teams prioritize which risks need to be addressed across their repositories in a security campaign. Security campaigns come with predefined templates based on commonly used themes (such as the MITRE top 10 known exploited vulnerabilities) to help scope the campaign. GitHub’s security overview also provides statistics and metrics summarizing the overall risk landscape.
  2. Once the campaign alerts are selected and a timeline is specified, the campaign is communicated to any developers who are impacted by the campaign. The work defined in a campaign is brought to developers where they work on GitHub, so that it can be planned and managed just like any other feature work.

    A screenshot showing a SQL injection security campaign in progress on GitHub.

  3. Copilot Autofix immediately starts suggesting automatic remediations for all alerts in a campaign, as well as custom help text to explain the problems. Fixing an alert becomes as easy as reviewing a diff and creating a pull request.

Crucially, security campaigns are not just lists of alerts. Alongside the alerts, campaigns are complemented with notifications to ensure that developers are aware of which alert they (or their team) are responsible for. To foster stronger collaboration between developers and the security team, campaigns also have an appointed manager to oversee the campaign progress and be on hand to assist developers. And of course: security managers have an organization-level view on GitHub to track progress and collaborate with developers as needed.

Starting today, you can also access several new features to plan and manage campaign-related work more effectively:

  • Draft security campaigns: security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.
  • Automated GitHub Issues: security managers can optionally create GitHub Issues in repositories that have alerts included in the campaign. These issues are created and updated automatically as the campaign progresses and can be used by teams to track, manage and discuss campaign-related work.
  • Organization-level security campaign statistics: security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.

For more information about using security campaigns, see About security campaigns in the GitHub documentation.

Tags:

Written by

Blog Article: Here

    • Ascendant Bot

    Related Posts

    Introducing sub-issues: Enhancing issue management on GitHub
    Introducing sub-issues: Enhancing issue management on GitHub

    Explore the iterative development journey of GitHub’s sub-issues feature. Learn how we leveraged sub-issues to build and refine sub-issues, breaking down larger tasks into smaller, manageable ones.

    The post Introducing sub-issues: Enhancing issue management on GitHub appeared first on The GitHub Blog.

    Continue reading
    What the heck is MCP and why is everyone talking about it?
    What the heck is MCP and why is everyone talking about it?

    Everyone’s talking about MCP these days when it comes to large language models (LLMs)—here’s what you need to know.

    The post What the heck is MCP and why is everyone talking about it? appeared first on The GitHub Blog.

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Engineering GitHub GitHub Issues How GitHub builds GitHub NVIDIA Hopper Architecture

    Introducing sub-issues: Enhancing issue management on GitHub

    Introducing sub-issues: Enhancing issue management on GitHub
    Google Google Cloud

    9 business leaders on what’s possible with Google AI

    9 business leaders on what’s possible with Google AI
    agentic AI GitHub GitHub Copilot LLM LLMs Model Context Protocol Open Source Open Standards

    What the heck is MCP and why is everyone talking about it?

    What the heck is MCP and why is everyone talking about it?
    Salesforce Uncategorized

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI

    The AI Paradox: Untangling Employee Hesitation to Unleash Agentic AI
    Artificial Intelligence Enterprise software Generative AI In the NVIDIA Studio Into the Omniverse NVIDIA Inception

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design

    Beyond CAD: How nTop Uses AI and Accelerated Computing to Enhance Product Design
    Google Google Cloud

    6 highlights from Google Cloud Next 25

    6 highlights from Google Cloud Next 25