GitHub's own Security Lab Taskflow Agent used CodeQL to discover ~30 real CVEs. Proves CodeQL works for automated vulnerability discovery, not just scanning known patterns.
CodeQL (via GitHub MCP Server)
Status: active
GitHub-native SAST via CodeQL, accessible through the official GitHub MCP Server. Copilot Autofix generates fixes from CodeQL alerts. GitHub Security Lab Taskflow Agent found ~30 real CVEs. Zero extra setup for GitHub users.

Where it wins
Zero extra setup for GitHub users — CodeQL alerts flow through GitHub MCP Server
Copilot Autofix generates fixes from CodeQL alerts — end-to-end remediation
GitHub Security Lab Taskflow Agent found ~30 real CVEs — proven real-world impact
8K+ stars on CodeQL — large community and rule ecosystem
Enterprise-grade governance through GitHub Advanced Security
Where to be skeptical
Requires GitHub ecosystem — not useful for GitLab/Bitbucket shops
CodeQL analysis can be slow on large codebases
Advanced Security features require GitHub Enterprise or public repo
Editorial verdict
#3 SAST. Best for GitHub-native shops — zero extra setup via the official GitHub MCP Server. Copilot Autofix auto-generates fixes from CodeQL alerts. GitHub Security Lab Taskflow Agent found ~30 real CVEs. If you're all-in on GitHub, this jumps to #1.
Related
Coding CLIs / Code Agents

Claude Code
Score: 98
Anthropic's official agentic coding CLI. v2.1.81 (Mar 20) shipped `--bare`, smarter worktree resume, and improved MCP OAuth while the repo crossed 82,204 stars and logged ~14 commits/week across 10+ maintainers. Terminal-native, tool-use-driven, with deep file system + shell access, #1 SWE-bench Pro standardized (45.89%), ~4% of GitHub public commits (SemiAnalysis), $2.5B annualized revenue. 8M+ npm weekly downloads. Opus 4.6 with 1M context.

OpenHands
Score: 88
Category leader in multi-agent orchestration — 69,352 stars (verified), $18.8M Series A, AMD hardware partnership, 455 contributors, 1M downloads/month PyPI (3.4M all-time). SWE-Bench Verified 72% with Claude 4.5 Extended Thinking (updated 2026-03-19), Multi-SWE-Bench #1 across 8 languages. Gap to #2 is enormous on every axis.
OpenCode
Score: 88
Open-source AI coding agent from SST. v1.2.27 active (2026-03-16) — development resumed after a gap. OpenAI official partnership following the Anthropic OAuth block controversy. 126K+ GitHub stars (star surge driven by Anthropic controversy). Known unauthenticated RCE fixed in v1.1.10+ (CVE, 432 HN pts). CVE-2026-22812 (CVSS 8.8-10.0) is a second serious security incident.

Gemini CLI
Score: 88
Google's open-source terminal agent with Gemini 3 models, 1M token context, built-in Google Search grounding, and the best free tier in the category (60 req/min, 1K req/day). v0.35.0 (Mar 24) shipped keybinding, policy, and telemetry fixes while the repo hit 98,957 stars and 12,593 forks. Terminal-Bench 2.0: 78.4% (#1). SWE-bench Pro standardized 43.30% (#3). Plan Mode added March 2026. First-pass correctness ~50-60% (Educative.io).
Public evidence
CodeQL + Copilot Autofix is the only SAST workflow that both detects AND auto-fixes vulnerabilities through a single vendor integration.
GitHub README peek
GitHub MCP Server
The GitHub MCP Server connects AI tools directly to GitHub's platform. This gives AI agents, assistants, and chatbots the ability to read repositories and code files, manage issues and PRs, analyze code, and automate workflows, all through natural language interactions.
Use Cases
- Repository Management: Browse and query code, search files, analyze commits, and understand project structure across any repository you have access to.
- Issue & PR Automation: Create, update, and manage issues and pull requests. Let AI help triage bugs, review code changes, and maintain project boards.
- CI/CD & Workflow Intelligence: Monitor GitHub Actions workflow runs, analyze build failures, manage releases, and get insights into your development pipeline.
- Code Analysis: Examine security findings, review Dependabot alerts, understand code patterns, and get comprehensive insights into your codebase.
- Team Collaboration: Access discussions, manage notifications, analyze team activity, and streamline processes for your team.
Built for developers who want to connect their AI tools to GitHub context and capabilities, from simple natural language queries to complex multi-step agent workflows.
Remote GitHub MCP Server
The remote GitHub MCP Server is hosted by GitHub and provides the easiest method for getting up and running. If your MCP host does not support remote MCP servers, don't worry! You can use the local version of the GitHub MCP Server instead.
Prerequisites
- A compatible MCP host with remote server support (VS Code 1.101+, Claude Desktop, Cursor, Windsurf, etc.)
- Any applicable policies enabled
Install in VS Code
For quick installation, use one of the one-click install buttons above. Once you complete that flow, toggle Agent mode (located by the Copilot Chat text input) and the server will start. Make sure you're using VS Code 1.101 or later for remote MCP and OAuth support.
Alternatively, to manually configure VS Code, choose the appropriate JSON block from the examples below and add it to your host configuration:
Using OAuth (VS Code version 1.101 or greater):

```json
{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/"
    }
  }
}
```

Using a GitHub PAT (VS Code version 1.101 or greater):

```json
{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/",
      "headers": {
        "Authorization": "Bearer ${input:github_mcp_pat}"
      }
    }
  },
  "inputs": [
    {
      "type": "promptString",
      "id": "github_mcp_pat",
      "description": "GitHub Personal Access Token",
      "password": true
    }
  ]
}
```
Install in other MCP hosts
- Copilot CLI - Installation guide for GitHub Copilot CLI
- GitHub Copilot in other IDEs - Installation for JetBrains, Visual Studio, Eclipse, and Xcode with GitHub Copilot
- Claude Applications - Installation guide for Claude Desktop and Claude Code CLI
- Codex - Installation guide for OpenAI Codex
- Cursor - Installation guide for Cursor IDE
- Windsurf - Installation guide for Windsurf IDE
- Rovo Dev CLI - Installation guide for Rovo Dev CLI
Note: Each MCP host application needs to configure a GitHub App or OAuth App to support remote access via OAuth. Any host application that supports remote MCP servers should support the remote GitHub server with PAT authentication. Configuration details and support levels vary by host. Make sure to refer to the host application's documentation for more info.
Configuration
Toolset configuration
See Remote Server Documentation for full details on remote server configuration, toolsets, headers, and advanced usage. This file provides comprehensive instructions and examples for connecting, customizing, and installing the remote GitHub MCP Server in VS Code and other MCP hosts.
When no toolsets are specified, default toolsets are used.
Insiders Mode
Try new features early! The remote server offers an insiders version with early access to new features and experimental tools.

Using URL Path:

```json
{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/insiders"
    }
  }
}
```

Using Header:

```json
{
  "servers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp/",
      "headers": {
        "X-MCP-Insiders": "true"
      }
    }
  }
}
```
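A small checker for the host configuration shown in the two tables above (the OAuth/PAT block and the insiders block), added here as an example and not part of the GitHub MCP Server project. It flags the configuration mistakes a defender cares about, a literal token pasted into the `Authorization` header instead of a `${input:...}` reference, a PAT prompt that is not masked, a non-HTTPS or unexpected host, and reports when the insiders channel is switched on by either method; the function name and messages are this example's own.

```python
"""Lint the "github" server entry of a VS Code MCP host config (constructed example)."""
import re
from urllib.parse import urlparse

EXPECTED_HOST = "api.githubcopilot.com"
# Only accept a PAT supplied through a VS Code input prompt, never a literal token.
INPUT_REF = re.compile(r"^Bearer \$\{input:([A-Za-z0-9_-]+)\}$")


def lint_github_mcp(config: dict, server_name: str = "github") -> list:
    """Return a list of findings; an empty list means the entry looks sound."""
    findings = []
    server = config.get("servers", {}).get(server_name)
    if server is None:
        return [f"no server named {server_name!r} configured"]
    if server.get("type") != "http":
        findings.append("server type should be 'http' for the remote server")
    url = urlparse(server.get("url", ""))
    if url.scheme != "https":
        findings.append("url must use https")
    if url.hostname != EXPECTED_HOST:
        findings.append(f"unexpected host {url.hostname!r}")
    headers = server.get("headers", {})
    # Insiders can be enabled via the /insiders path or the X-MCP-Insiders header.
    insiders = url.path.rstrip("/").endswith("/insiders") or \
        str(headers.get("X-MCP-Insiders", "")).lower() == "true"
    if insiders:
        findings.append("info: insiders channel enabled (experimental tools)")
    auth = headers.get("Authorization")
    if auth is None:
        return findings  # OAuth flow: no credential is stored in the config
    m = INPUT_REF.match(auth)
    if not m:
        findings.append("Authorization header contains a literal token; store it as ${input:...}")
        return findings
    inputs = {i.get("id"): i for i in config.get("inputs", [])}
    entry = inputs.get(m.group(1))
    if entry is None:
        findings.append(f"input {m.group(1)!r} referenced but not declared")
    elif entry.get("password") is not True:
        findings.append(f"input {m.group(1)!r} should set \"password\": true")
    return findings


# Constructed sample: the PAT configuration from the README, token supplied via a masked prompt.
PAT_CONFIG = {
    "servers": {"github": {"type": "http", "url": "https://api.githubcopilot.com/mcp/",
                           "headers": {"Authorization": "Bearer ${input:github_mcp_pat}"}}},
    "inputs": [{"type": "promptString", "id": "github_mcp_pat",
                "description": "GitHub Personal Access Token", "password": True}],
}
```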