GitHub Code Quality in public preview

[ebndev]

GitHub Code Quality is now available in public preview! It turns every pull request into an opportunity to improve. With in-context findings, one-click Copilot fixes, and reliability and maintainability scores, you spend less time chasing nits and more time building. It’s there when you need it most, surfacing quality issues both in the pull request and the backlog so you can fix technical debt on your schedule.

Who this is for

Developers and engineering teams who want in‑context feedback about the quality of their code and an easier way to turn technical debt into reviewable fixes.

Highlights

• One-click enablement: Try GitHub Code Quality quickly and easily.
• Actionable findings: CodeQL-based quality rules detect maintainability and reliability issues in Java, C#, Python, JavaScript, Go, and Ruby.
• Reviews in context: See quality findings directly in the pull request with guidance you can immediately act on.
• Track progress with quality scores: Quality repository view groups findings by rule so you can prioritize fixes, while reliability and maintainability scores summarize their severity to help you target improvements.

How to try it

1. If your organization has preview features enabled, go to Settings > Code quality in your repository and enable the feature.
2. Open a pull request in a supported language and review any inline findings and autofix suggestions.
3. If you don’t have access yet, ask an organization admin to enable the preview flag for your organization. See more in our documentation on enabling Code Quality.

Coming soon

• Organization-level dashboards and enablement to manage code quality at scale.
• Test coverage metrics to provide actionable quality data.
• APIs to programmatically fetch code quality data or enable it at scale.
• Copilot-powered quality recommendations for pull requests to supplement static analysis findings.

Availability and pricing

GitHub Code Quality is available today for GitHub Enterprise Cloud and Team, but not available on Enterprise Server. It's free during the preview period, however scans will incur Actions minutes.

Learn more

Check out our GitHub Code Quality documentation

🌟Leave a comment!

Join the discussion and leave feedback in the comments below!

Disclaimer: The UI for features in public preview is subject to change.

[stasostrovskyi]

This is an amazing feature! Especially great to see a blend of AI scan and CodeQL. I have couple of questions:

• Is it the same logic under the hood that is used for new copilot review and this feature?
• Is it possible (or is it considered on the roadmap) to customize codeql workflow used by code quality? Our use case would require running on self-hosted agents (which is already available) and have access to the dependency cache so that workflow wouldn't spend a lot of time on downloading dependencies but rather go straight to the analysis?

[carogalvin]

👋🏻 Hi @stasostrovskyi , I'm the PM in charge of this feature at GitHub!

• Yes, it is the same logic under the hood as with Copilot code review
• I'm curious to learn more about what you need customized for the workflow; do you do this with the security code scanning / codeQL action today?

[stasostrovskyi]

Hi @carogalvin! Thank you for quick response!

I will try to summarize multiple different aspects on how we work at our organization:

• We use self-hosted runners (ARC) on GCP with a lot of GCP services nearby, most relevant Artifact Registry to store our own dependencies.
• Artifact Registry is not the fastest out there, especially for Java, so caching plays a pivotal role in all our workflows. We even have our own caching action with gcp buckets and slightly relaxed rules compare to github one.
• On top of all this, we also have way more repositories than people, so we standardize our CI/CD workflows heavily. We have central repository with shared workflows for all standard cases and then we create new repositories from templates that already have built-in workflows that only call shared ones, possibly with some inputs.
• We also love required workflows as a way of adding workflows to PRs based on custom properties without changing repos all the time. This allows us to "group" repos and rollout new github features gradually.
• When we first introduced CodeQL, especially for Java, it took around 4-5 minutes on PRs, which was considered too long, because many of our builds (thanks for caching as well) are usually below 3 minutes.
• We have also tried to rollout CodeQL carefully, so turning on/off rulesets or even separate rules has proven to be very useful.

All in all, I feel that having codeql.yml similar to copilot-setup-steps.yml would be amazing to have for enterprise customization (and possibly for adding more tools that can feed to advanced security through sarif). Even though right now it's possible to choose ARC to run code quality it fails every time on ARC agents because there is no java/node there, which is usually installed through custom workflows.

[carogalvin]

@stasostrovskyi thank you for your response!

[marwin1991]

Also, we just turned on GitHub Code Quality for our open source organisation!

Check it out here: github.com/logchange

Thanks to the GitHub team for creating this feature — it’s already making our reviews smoother! 🚀

[eai04191]

In my repository, I encountered an error and was unable to enable the Code quality feature while the "Require actions to be pinned to a full-length commit SHA" setting was enabled in Actions permissions.

As soon as I disabled this full-length SHA requirement, I was able to enable the feature immediately.

Are these two compatible?

[garrettld]

I ran into this same problem. Even if actions/* and github/codeql-action/* are allowed, this error still appears until you uncheck the "Require actions to be pinned to a full-length commit SHA"

Unchecking the checkbox allows you to enable Code Quality on a repo, and once that's done code quality scans appear to work fine even once you re-check the checkbox.

[carogalvin]

👋 Hey, I'm the PM who owns this feature at GitHub!

We are working right now on being able to enable this feature even with those particular actions policies; this should be available by the end of November.

[sstrullmyer]

Great to see this come to public preview!

Do you anticipate enabling additional quality checkers to provide results to GitHub Code Quality, similar to how GHAS supports uploading SARIF files from tools which are capable of exporting data in that format?

For example, our developers already use popular tools for their respective ecosystems (e.g., ruff for Python) locally and in their pipelines, and being able to understand these code quality findings at scale through GitHub Code Quality would be incredibly helpful

[carogalvin]

@sstrullmyer thanks for your feedback! We don't have 3rd party extensibility on our roadmap at the moment, but I've made note of your feedback.

[mbenson-smartx]

This is great and looks like its finding some real issues. It really needs to run on PR and allow the repo to gate based on level (i.e. Warning Error)

[sstrullmyer]

Is this what you have in mind: https://docs.github.com/en/code-security/code-quality/how-tos/set-pr-thresholds#adding-or-updating-a-ruleset-to-include-code-quality

[mbenson-smartx]

Maybe. I am trying to prevent code getting into main but the code quality appears to only run on main. I want the developer to know as early in the cycle as possible that they need to repair it. I see that a code quality check ran on a PR but I don't see any results.

[carogalvin]

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

[mbenson-smartx]

Thanks for the feedback! Yes, right now code quality will only run on the default branch and on PRs to the default branch. We're looking to expand branch coverage in the future!

Thanks for the update! Loving it so far.

[ica-ft]

Is there some way to get the Code Quality info via the Github API's?

[carogalvin]

👋 Hi @ica-ft , I'm the PM who worked on this feature! We do not have APIs available yet but will be working on those soon; what sort of information will you want to pull from the APIs?

[ica-ft]

Hey @carogalvin, and thanks for getting back so quickly.

Thinking from a platform perspective, maybe one endpoint for a list of issues found, and an endpoint that gives the total nr of issues. Both endpoints filterable on Severity, Category and language. It would also be nice if the API's could carry a link to the filtered list on Github so you can jump over to more actions on GH.

[carogalvin]

@ica-ft thanks for your feedback!

[zeenix]

Java, C#, Python, JavaScript, Go, and Ruby.

Did you forget to mention Rust or is that somehow not supported despite being the most loved language for several years in a row (according to stackoverflow)? 🤔

[carogalvin]

Hi @zeenix , we don't currently support Rust but are hoping to in the future.

[HoangHades]

I tried to set code quality thresholds for pull requests
However, the merging is blocked with the message Code quality results are pending even if CodeQL passed

[HoangHades]

@cannist
We still got the trouble....

[cannist]

Hmm, ok. And this persists and does not resolve itself a bit later, @HoangHades? Even if you reload the page? After the workflow has finished we still need to process the uploaded results which could add a bit of delay but should not take too long.
Would you be comfortable sharing a link to the PR? We might have to dig a bit into the logs to find out what is happening here.

[HoangHades]

@cannist

You can investigate in [this PR]

[cannist]

Thank you, @HoangHades. I was able to figure out what is happening here. The PR you linked is not a PR against your default branch (even though the branch name sounds like it would be the default branch). Right now code quality will only run on the default branch and on PRs to the default branch. So when configuring the ruleset you should not configure it to cover any branch other than the default one since the rule will always block in these cases.

As @carogalvin wrote above we're looking to expand branch coverage in the future.

[HoangHades]

@cannist
Thanks for the explanation, that makes sense now
I’ll update the ruleset only to target the default branch
Looking forward to the expanded branch coverage in a future release! 🙌

[jsoref]

It needs to be easy to tell Code Quality to ignore specific files (especially minified files).

https://github.com/check-spelling-sandbox/adk-python/security/quality

src/google/adk/cli/browser/main-MIUNGJ3Y.js (295)

[carogalvin]

Thank you for this feedback!

[jsoref]

Preview unavailable sometimes appears for minified files (but confusingly not always).

Consider:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Funreachable-statement

Compare:

https://github.com/check-spelling-sandbox/adk-python/security/quality/rules/js%2Fuseless-expression

[jf205]

Thanks for the report @jsoref. We will look into this!

[alijrizvi]

This has the potential to be so useful! Reviewing your work and getting valuable feedback is so crucial, and this will be another way for organizations to do so; even individuals can improve their work from such feedback. Good stuff!

[grahame-student]

I found this dashboard really helpful, a couple of potential features I'd love to see

• Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary
• Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

[jf205]

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

[grahame-student]

Thanks for the feedback!

Being able to navigate to the specific areas of the files / code highlighted in the rule breakdown below the summary

Please can you explain in a little more detail what you mean by this please? Clicking a specific rule takes you to a view of all the places in the code where the findings are located. How can we improve that view to make it more useful for you?

When the collapsible rules were expanded, I'd expected to be able to use the individual entries to be able to navigate to those specific lines of code. I missed that the text of the collapsible rule itself could be clicked to see all of the instances!

Being able to see changes to the code quality over time. It can be demoralising seeing a constant list of issues, however seeing a line tracking down towards zero can be a huge motivator.

Totally agree. We have plans to improve the way we display these metrics! 👍🏻

Awesome, I look forward to seeing this feature improve further!

[grahame-student]

I see that CodeQL already supports C / C++, are there any plans to extend this feature to officially support them too?

[carogalvin]

Yes, expansion to C/C++ is something we'd like to get to in the future, but we do not currently have a target date for this.

[UbiquitousBear]

Hey @carogalvin - congrats on the public preview release! I’m using it in a few personal projects, and love it!

Do you see this becoming available in GHES in a future release?

[sj]

Hi! Thanks for your question! Let me jump in here while Caro is enjoying some well-deserved time off. The new Code Quality product has AI detections (+ CodeQL) and AI remediations at its very core. At the moment, we can't offer those on GHES.

However, we're keeping a close eye on customer feedback on this front (like yours!) to help us decide whether we need to change this direction going forward. If we do, we'll make sure to announce it here and on the GitHub public roadmap.

[ahmedsza]

@carogalvin
Is Code quality available for public repos? The docs seem to indicate it is but I do not see the option in settings
the docs at https://docs.github.com/en/code-security/code-quality/how-tos/enable-code-quality say - GitHub Code Quality is available for:
Public repositories on GitHub.com. When i look at settings i do not see code quality.

is there something else I need to do?

I checked a few repos and not available in any.

[charisk]

Apologies @ahmedsza, this looks like to be a mistake in our docs. The feature is not yet available to public repos that are not part of an organization. We'll fix the docs as soon as possible.

[ahmedsza]

Thank @charisk . Any timelines on if/when it will be available

[charisk]

Nothing we can share at the moment unfortunately.

[ahmedsza]

thank you for the speedy responses @charisk

[jsoref]

Fwiw, there are quite a few features that are available to organizations and not user repositories. As a non GitHub employee, I strongly encourage everyone to favor doing their work in organizations instead of in their personal account. You can create organizations for free, so you could just create one named {user}-org.

One feature that's quite valuable is being able to view hosted runners:
https://github.com/organizations/{org}/settings/actions/hosted-runners
-- your user account has a limit, but you can't see which repositories are burning through it w/o opening each repository in your user (as someone w/ >3000, that's really infeasible), but w/ an org, that isn't a problem since there's a view for it.

[PPT-DGREEN-GH]

Question about the billing model - I don't want to enable the preview for my org if I don't understand the billing model for later:

What are "premium requests?" Are those Copilot Premium Requests? If so:

• Does this only occur when a PR is opened, and does that request count against the person who opens the PR?
• What happens if the PR submitter isn't licensed for Copilot?
• What about with scans against the default branch (https://docs.github.com/en/code-security/code-quality/get-started/quickstart#review-scan-results-for-your-default-branch)?

[sj]

Indeed, these are Copilot premium requests. Every scan (both PRs and default branch) will count towards and organisation's premium requests. By the time GitHub Code Quality will go GA, premium requests will no longer require a Copilot license.

We're currently evaluating others details of the billing model, like the premium request multiplier.

Hope this helps!

[PPT-DGREEN-GH]

So, the org will pay for each scan because of premium requests, on top of any individual Copilot licenses we're currently paying per seat?

[carogalvin]

Hi @PPT-DGREEN-GH , we can't comment right now on the specifics on how the premium request model will be changing. Keep an eye on our changelog for announcements of any upcoming changes to billing.

[PPT-DGREEN-GH]

@carogalvin OK. I don't feel comfortable trying this out until there is more pricing transparency.

[michaelwolz]

First of all the feature is looking great :).

Is it possible to exclude certain paths from code scanning/review? The use case is that we have some auto-generated code that I would like to exclude.

[jsoref]

• Not yet: https://github.com/orgs/community/discussions/177488#discussioncomment-14881855

[hunterjm]

It would be great to be able to bulk dismiss or disable a specific ruleset for a language. The Python code quality ruleset does not take into account Airflow DAGs apparently, as they are being improperly marked as Statement has no effect

[jf205]

@hunterjm thanks for the feedback. We are planning to make improvements to this page and we'll definitely consider more/smoother dismissal options 👍🏻

[Inscure]

Thank you for this amazing feature!
Are there any plans to add PHP to the list of supported languages? If so, is there an estimated timeline?

[coadaflorin]

Hey @Inscure! Thank you for reaching out! We do not have any plans that I can share about PHP. It's a language we do hear about and other have asked about in the context of CodeQL, which is a core part of our code quality offering.

As an intermediate step, you can enable Copilot Code Review, which covers PHP today and use custom instructions to customise your analysis.

[jf205]

@Inscure we do have some support for PHP today in our AI findings, which help flag potential code quality improvements in your most recently-changed files. Here are the docs to help you get started https://docs.github.com/en/code-security/code-quality/tutorials/improve-recent-merges

[orenk9]

Hi,

Overall, I really like this new Code Quality feature - it has already caught several important issues in my code and is proving very valuable.

I’d like to suggest a few improvements to the new feature.

1. Pull Request comments

a. It would be very helpful to have the ability to dismiss Code Quality comments via the GitHub CLI, not only through the web UI.
b. I also recommend adding an additional dismissal option (alongside “False positive,” “Used in tests,” and “Won’t fix”):

“Accepted - fixed or will be fixed in another branch (following proper Git flow).”
This would allow acknowledging valid findings that are being addressed elsewhere.

2. Accessing Code Quality results via CLI

I need a way to retrieve all Code Quality findings via the GitHub CLI. This would allow me to process the output programmatically in my AI-powered IDE workflows.
Right now, I must manually open each finding’s web page, save it as an MD file, and feed it into my AI IDE (Cursor), which is inefficient.

Regards,
Oren

[AlonaHlobina]

Thank you for the feedback, @orenk9! We will look into this!

[beingminimal]

@carogalvin Please answer this questions for better clarity.

1. Pricing and Usage Model:
   What is the exact pricing model for this feature? Specifically, will usage be charged as a premium request per Pull Request (PR) or per new commit added to a PR?

2. Subscription Prerequisites:
   Will an organization require a separate GitHub Advanced Security (GHAS) subscription to utilize this feature, or is a standard GitHub Copilot subscription (e.g., Copilot for Business/Enterprise) sufficient on its own?

3. Billing Source (for PR Ruleset Enforcement):
   If the feature is enforced using a PR ruleset, where is the usage charge applied and drawn from: the PR ruleset billing, individual owner Copilot subscriptions, or the organization's Copilot subscription?

Awaiting your response. Thanks

[carogalvin]

Hi @beingminimal , we are not currently able to share the exact pricing model, so I cannot answer all your questions at this time (specifically 1 or 3).

For your second question: you will not require a GHAS or Copilot subscription to use this product, it is standalone and will be able to be used by itself.

[mcliment]

A very interesting feature, indeed!

Unfortunately for us, it takes about 50 minutes for each PR on C# code, which is not an option at this moment. Will there be the possibility to enable only scheduled/on demand runs instead of on every PR + scheduled like now?

Also, it seems that the requirement to have GitHub Advanced Security (GHAS) for private repositories is not enforced anymore. Can the underlying action https://github.com/github/codeql-action be used independently in our workflows or it still requires GHAS for private repositories?

That's what the license says:

The underlying CodeQL CLI, used in this action, is licensed under the GitHub CodeQL Terms and Conditions. As such, this action may be used on open source projects hosted on GitHub, and on private repositories that are owned by an organisation with GitHub Advanced Security enabled.

cc @ebndev

[carogalvin]

@mcliment the license still stands for using the underlying CodeQL action; you need GHAS to run it independently in private repos. But you can use the Code Quality product without using GHAS.

We're hoping to add customization of frequency of scans in the future but do not currently have a target date for this feature.

[IchordeDionysos]

❓ Code Quality suggested that a Slack link is incorrect

Due to the link being from a future timestamp 💀
What can I say, the link is correct and working 🙄, so how can I discard this suggestion?

[IchordeDionysos]

And yeah it's a date in 2025, but we have 2025!! 😅

[jf205]

@IchordeDionysos thanks for reporting this. I agree that it's not a good suggestion. Our team is looking at it and will figure out how to prevent this kind of thing being suggested in the future.

[coliff]

Great feature and the 'ai-findings' has found some otherwise hard to spot issues, however there are a lot of false positives. I know this is a beat/preview and I don't mind much, but it'd be good to be able to dismiss or report a finding as 'not helpful'/'false positive'.

e.g. one I saw yesterday, in my README I had:

• Improved startup performance for iOS builds running on iOS 26

CoPilot AI Findings suggested I change to iOS 16 and said:

iOS 26 does not exist. The highest iOS version as of early 2025 is iOS 18. This should likely be iOS 16 or another valid iOS version number.

[jacques-bernier]

Still can't overlay test coverage. 😏

[carogalvin]

Nope, but we're working on it! :)

[rmuir]

Wanted to test on our GHE, but doesn't worked with forked pull requests...

[rstarks-aura]

The new dismiss function is very cumbersome especially when it has multiple false positives. You have no click the dismiss button which opens a modal to select a reason and when you close the modal it scrolls back to the top of the PR review which causes you to lose your place with in the review.

We are running into this issue multiple times when it catches a potential null reference issue even though it may have been checked at a higher level in the sequence of events/methods or even if its marked required at a model level but is leveraging nullability for other technical reasons.

[AlonaHlobina]

Thank you for the feedback, @rstarks-aura. We will look into it.
May you clarify what you mean by saying:

We are running into this issue multiple times when it catches a potential null reference issue even though it may have been checked at a higher level in the sequence of events/methods or even if its marked required at a model level but is leveraging nullability for other technical reasons.

May you provide an example? Thanks

[lancefrench]

Our initial Code Quality testing with java revealed some missing checks that we would expect from static analysis. For example try-with-resources wasn't found in a sample PR we opened.

The integration between CodeQL custom queries and the Code Quality product is a bit murky. It seems like there are resource leak rules in the CodeQL repo, so we're a bit confused why we didn't get a hit.

[jsoref]

My presumption is that this feature is limited to the core codeql bits and not custom queries, after all, the feature should enable a user to compare differing repositories using a benchmark (the code quality reports).

[carogalvin]

The CodeQL repo is a collection of all the queries that have been written/merged, but the suites that we include in the product are just a curated subset. We do not currently support custom queries/suites/packs in the code quality product, but this is something we may explore in the future.

We regularly review and adjust our queries to ensure they have high coverage without being overly noisy; thank you for your feedback and we'll take this into consideration for our next update!