GitHub has made its security campaigns feature generally available to all users of GitHub Advanced Security and GitHub Code Security. First introduced in public preview in October 2024, the feature is designed to improve collaboration between developers and security teams when remediating vulnerabilities in their applications.
While GitHub has long offered tools such as CodeQL for automated vulnerability discovery and Copilot Autofix for suggesting fixes, a recent analysis found that only a small fraction of the identified vulnerabilities are actually resolved. The rest accumulate as security debt, increasing the organization's overall exposure.
Security campaigns aim to change this by making remediation more structured and collaborative. According to GitHub, during the public preview 55% of the security debt prioritized in campaigns was resolved by developers, compared with a 10% resolution rate when the feature was not used.
The campaign process has three main phases. First, the security team uses predefined templates to identify and prioritize alerts for common vulnerability classes, selects the specific alerts to include, and sets a remediation deadline. Next, the developers whose code is in scope are notified and the alerts are surfaced in their normal workflow, so they can plan and track the fixes alongside their other work. Finally, a designated campaign manager oversees progress and supports developers, while security managers use an organization-wide dashboard to track campaign outcomes and coordinate across teams.
Copilot Autofix supports campaigns by proposing fixes for the alerts in scope. GitHub stresses that a campaign is more than a list of alerts: developers receive notifications stating which alerts they or their team are responsible for, which gives accountability and clear direction. Overall, security campaigns are a strategic move to reduce security debt and make both development and security teams more effective.