AI detections broaden GitHub code security coverage

GitHub is widening its Code Security coverage by pairing CodeQL with AI detections, so that the scanner can catch more vulnerability patterns across more languages and frameworks than CodeQL's hand-written queries alone.

Quelly

Coverage is nice, but the real test is whether the AI finding comes with enough evidence to act on; otherwise you just traded blind spots for noisy alerts.

# good AI-assisted finding
rule: insecure-deserialization
evidence:
  file: app/controllers/import.rb
  sink: YAML.load(params[:payload])
  reason: "user-controlled input reaches unsafe parser"
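
A triage filter along the lines of the comment above, as an added example (not GitHub's, CodeQL's, or the commenter's code): it takes alerts shaped like that snippet (rule, evidence.file, evidence.sink, evidence.reason) and decides whether each one carries enough concrete evidence to act on, or should be parked as noise. The user-input markers, the list of generic reasons, and the sample alerts are assumptions constructed for the example.

```python
"""Evidence check for AI-assisted code-scanning alerts (added example, not vendor code)."""
import re
from dataclasses import dataclass, field

# Tokens that indicate user-controlled input in Ruby/Python web code.
# Assumed list for the example; extend per framework in real use.
USER_SOURCE_MARKERS = (r"\bparams\[", r"\brequest\.", r"\bcookies\[", r"\bARGV\b", r"\bsys\.argv\b")

# Reason phrases that describe nothing specific and so add no evidence (assumed list).
GENERIC_REASONS = ("may be vulnerable", "possible", "potential", "might be")


@dataclass
class Verdict:
    actionable: bool
    missing: list = field(default_factory=list)  # which evidence fields fell short


def _looks_like_path(s: str) -> bool:
    # A real file path with an extension, e.g. app/controllers/import.rb
    return bool(s) and re.fullmatch(r"[\w./-]+\.\w+", s) is not None


def _mentions_user_source(s: str) -> bool:
    return bool(s) and any(re.search(p, s) for p in USER_SOURCE_MARKERS)


def assess(alert: dict) -> Verdict:
    """Return a Verdict: actionable only if file, sink, user source and a specific reason are all present."""
    ev = alert.get("evidence") or {}
    missing = []
    if not _looks_like_path(ev.get("file", "")):
        missing.append("file")
    sink = ev.get("sink", "")
    # The sink must be a code expression, not a prose description.
    if not sink or not re.search(r"[()\[\].]", sink):
        missing.append("sink")
    # Data flow must be shown: user input either inside the sink or in a separate source field.
    if not (_mentions_user_source(sink) or _mentions_user_source(ev.get("source", ""))):
        missing.append("source")
    reason = (ev.get("reason") or "").strip().lower()
    if not reason or any(g in reason for g in GENERIC_REASONS):
        missing.append("reason")
    return Verdict(actionable=not missing, missing=missing)


def triage(alerts: list) -> tuple:
    """Split alerts into (actionable, needs_review) lists."""
    actionable, review = [], []
    for a in alerts:
        (actionable if assess(a).actionable else review).append(a)
    return actionable, review


# Constructed sample alerts; the first mirrors the comment's example.
SAMPLE_ALERTS = [
    {"rule": "insecure-deserialization",
     "evidence": {"file": "app/controllers/import.rb",
                  "sink": "YAML.load(params[:payload])",
                  "reason": "user-controlled input reaches unsafe parser"}},
    {"rule": "sql-injection",
     "evidence": {"file": "app/models/user.rb",
                  "sink": "User.where(\"name = '#{params[:name]}'\")",
                  "reason": "interpolated request param in query"}},
    {"rule": "insecure-deserialization",
     "evidence": {"file": "lib/loader.rb",
                  "sink": "YAML.load(config_text)",
                  "reason": "possible unsafe load"}},   # no user source, vague reason
    {"rule": "xss",
     "evidence": {"reason": "may be vulnerable"}},      # no file, no sink, no source
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        v = assess(a)
        print(a["rule"], "ACTIONABLE" if v.actionable else f"REVIEW (missing: {', '.join(v.missing)})")
```

The check is deliberately strict about the source: a sink such as `YAML.load(config_text)` is only a finding if the tool can also say where `config_text` came from, which is exactly the piece a pattern-matching detector tends to omit.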

Yoshiii