Microsoft and GitHub Preview New Tool That Identifies, Prioritizes, and Fixes Vulnerabilities With AI

'Security, development, and AI now move as one,' says Microsoft's director of cloud/AI security
product marketing.

Microsoft and GitHub 'have launched a native integration between Microsoft Defender for Cloud and GitHub Advanced Security that aims to address what one executive calls decades of accumulated security debt in enterprise codebases...' according to The New Stack:

The integration, announced this week in San Francisco at the
Microsoft
Ignite 2025 conference and now available in public preview,
connects runtime intelligence from production environments directly
into developer workflows. The goal is to help organizations
prioritize which vulnerabilities actually matter and use AI to fix
them faster. 'Throughout my career, I've seen vulnerability
trends going up into the right. It didn't matter how good of a
detection
engine and how accurate our detection engine was, people just
couldn't fix things fast enough,' said Marcelo
Oliveira, VP of product management at GitHub, who has spent
nearly a decade in application security. 'That basically resulted
in decades of accumulation of security debt into enterprise code
bases.' According to industry data, critical and high-severity
vulnerabilities constitute 17.4% of security backlogs, with a mean
time to remediation of 116 days, said Andrew
Flick, senior director of developer services, languages and tools
at Microsoft, in a blog
post. Meanwhile, applications face attacks as frequently as once
every three minutes, Oliveira said.

The integration represents the first native link between runtime
intelligence and developer workflows, said Elif
Algedik, director of product marketing for cloud and AI security
at Microsoft, in a blog
post... The problem, according to Flick, comes down to three
challenges: security teams drowning in alert fatigue while AI rapidly
introduces new threat
vectors that they have little time to understand; developers
lacking clear prioritization while remediation takes too long; and
both teams relying on separate, nonintegrated tools that make
collaboration slow and frustrating... The new integration works
bidirectionally. When Defender for Cloud detects a vulnerability in a
running workload, that runtime context flows into GitHub, showing
developers whether the vulnerability is internet-facing, handling
sensitive data or actually exposed in production. This is powered by
what GitHub calls the Virtual Registry, which creates code-to-runtime
mapping, Flick said...

In the past, this alert would age in a dashboard while developers
worked on unrelated fixes because they didn't know this was the
critical one, he said. Now, a security campaign can be created in
GitHub, filtering for runtime risk like internet exposure or
sensitive data, notifying the developer to prioritize this issue.

GitHub Copilot "now automatically checks dependencies, scans
for first-party code vulnerabilities and catches hardcoded secrets
before code reaches developers," the article points out — but
GitHub's VP of product management says this takes things even
further.

'We're not only helping you fix existing vulnerabilities,
we're also reducing the number of vulnerabilities that come into
the system when the level of throughput of new code being created is
increasing dramatically with all these agentic coding agent platforms.'

Read more of this story at Slashdot.