Microsoft and GitHub Preview New Tool That Identifies, Prioritizes, and Fixes Vulnerabilities With AI
"Security, development, and AI now move as one," says Microsoft's director of cloud/AI security product marketing. Microsoft and GitHub "have launched a native integration between Microsoft Defender for Cloud and GitHub Advanced Security that aims to address what one executive calls decades of accumulated security debt in enterprise codebases..." according to The New Stack:

The integration, announced this week in San Francisco at the Microsoft Ignite 2025 conference and now available in public preview, connects runtime intelligence from production environments directly into developer workflows. The goal is to help organizations prioritize which vulnerabilities actually matter and use AI to fix them faster. "Throughout my career, I've seen vulnerability trends going up into the right. It didn't matter how good of a detection engine and how accurate our detection engine was, people just couldn't fix things fast enough," said Marcelo Oliveira, VP of product management at GitHub, who has spent nearly a decade in application security. "That basically resulted in decades of accumulation of security debt into enterprise codebases."

According to industry data, critical and high-severity vulnerabilities constitute 17.4% of security backlogs, with a mean time to remediation of 116 days, said Andrew Flick, senior director of developer services, languages and tools at Microsoft, in a blog post. Meanwhile, applications face attacks as frequently as once every three minutes, Oliveira said. The integration represents the first native link between runtime intelligence and developer workflows, said Elif Algedik, director of product marketing for cloud and AI security at Microsoft, in a blog post...
The problem, according to Flick, comes down to three challenges: security teams drowning in alert fatigue while AI rapidly introduces new threat vectors that they have little time to understand; developers lacking clear prioritization while remediation takes too long; and both teams relying on separate, nonintegrated tools that make collaboration slow and frustrating...

The new integration works bidirectionally. When Defender for Cloud detects a vulnerability in a running workload, that runtime context flows into GitHub, showing developers whether the vulnerability is internet-facing, handling sensitive data or actually exposed in production. This is powered by what GitHub calls the Virtual Registry, which creates code-to-runtime mapping, Flick said... In the past, this alert would age in a dashboard while developers worked on unrelated fixes because they didn't know this was the critical one, he said. Now, a security campaign can be created in GitHub, filtering for runtime risk like internet exposure or sensitive data, notifying the developer to prioritize this issue.

GitHub Copilot "now automatically checks dependencies, scans for first-party code vulnerabilities and catches hardcoded secrets before code reaches developers," the article points out - but GitHub's VP of product management says this takes things even further. "We're not only helping you fix existing vulnerabilities, we're also reducing the number of vulnerabilities that come into the system when the level of throughput of new code being created is increasing dramatically with all these agentic coding agent platforms."