Microsoft and GitHub have launched a new AI-powered tool that integrates security and development workflows to help organizations address long-standing security debt in their codebases. The tool, available in public preview, links Microsoft Defender for Cloud with GitHub Advanced Security so that runtime intelligence from production environments can inform developer workflows. This integration enables teams to prioritize critical vulnerabilities and use AI to speed up remediation. The collaboration was announced at the Microsoft Ignite 2025 conference in San Francisco.
According to Microsoft’s Andrew Flick, the tool aims to tackle the growing problem of security debt: critical- and high-severity vulnerabilities now make up 17.4% of security backlogs, and the mean time to remediation for these vulnerabilities is currently 116 days. Marcelo Oliveira, VP of product management at GitHub, highlighted the importance of this integration, noting that the previous approach to vulnerability management had resulted in a buildup of security debt over decades. The new tool is designed to address this by providing real-time alerts and prioritization based on runtime risk factors such as internet exposure and the handling of sensitive data.
The integration works bidirectionally, allowing security teams to create targeted campaigns within GitHub that filter for specific runtime risks. This ensures developers are notified of critical issues and can prioritize their fixes accordingly. GitHub Copilot is also being used to automatically check dependencies, scan for first-party code vulnerabilities, and identify hardcoded secrets before code reaches developers. Oliveira described this as a significant advancement in application security, emphasizing the tool’s ability both to fix existing vulnerabilities and to reduce the number of new ones introduced by the rapid development pace driven by agentic coding platforms.