// Trust & Security Report
GitHub, Inc. (Microsoft subsidiary)
CodeQL is a semantic code analysis engine that enables security researchers and developers to discover vulnerabilities across codebases. It powers GitHub Advanced Security's code scanning and is available as a free tool for research and open source, or as a paid feature for enterprises.
Certifications held
6
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.github.com“GitHub maintains up-to-date, official SOC 1 Type 2 and SOC 2 Type 2 compliance reports available through organization settings for eligible organizations.”
Verify on github.com“GitHub holds ISO/IEC 27001:2022 certification, which demonstrates its commitment to information security management standards.”
Verify on docs.github.com“GitHub provides Cloud Security Alliance CAIQ self-assessment (CSA CAIQ - Level 1) compliance reports accessible through organization settings.”
Verify on docs.github.com“GitHub holds Cloud Security Alliance STAR certification (CSA STAR - Level 2).”
Verify on docs.github.com“GitHub maintains PCI DSS Attestation of Compliance as part of its security certifications portfolio.”
Verify on docs.github.com“GitHub's privacy statement (effective April 27, 2026) establishes data processing, user rights, and retention policies compliant with GDPR. GitHub commits to responding to data access/deletion requests within 45 days.”
> Show 3 unconfirmed / not-held certifications
source: github.comNo public evidence of GitHub-provided Business Associate Agreement (BAA) or HIPAA compliance program for CodeQL or GitHub services. Search results show community HIPAA templates but no official GitHub BAA.
source: github.comNo evidence of FedRAMP certification in GitHub's public compliance documentation. GitHub maintains SOC 2, ISO 27001, CSA CAIQ, CSA STAR, and PCI DSS, but FedRAMP is not listed.
source: github.comNo public evidence of ISO/IEC 42001:2023 certification for AI systems governance.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
GitHub operates data centers with processing in multiple regions. Private repositories are generally stored in the user's selected region.
GitHub's Terms of Service (as of 2026) explicitly state that GitHub may use inputs and outputs to train AI models. This applies to content in public repositories. Users can opt out via account settings. Private repositories are protected from general AI training but may be accessed for security, support, legal compliance, or malware detection.
// Security controls
Encryption in transit
GitHub uses TLS/HTTPS for all connections; stated as 'secure with ISO, SOC 2, and GDPR'
github.comData Retention
GitHub retains personal data as long as accounts remain active and for legal compliance purposes.
docs.github.comSecurity Incident Response
GitHub maintains a Security Incident Response Team (SIRT) per RFC 2350 standard.
github.comBug Bounty Program
GitHub operates a bug bounty program with legal safe harbor for authorized security researchers.
github.comSubprocessors
GitHub maintains a public list of subprocessors. Includes affiliates (Microsoft), service providers, and law enforcement when legally required.
docs.github.com// Products & data scope
data: Open source codebases and academic research only
Free for research and open source. Requires OSI-approved license or academic use. Downloadable via CLI. User must agree to GitHub CodeQL Terms & Conditions.
data: Any codebase under paid license
Part of GitHub Advanced Security for enterprise customers. Includes code scanning in CI/CD, no restrictions on codebase type.
data: Local codebase analysis
IDE integration for querying CodeQL databases. Free for open source; paid license required for commercial use on private code.
// What to watch
- CodeQL does not hold separate certifications; it inherits GitHub's certifications as a GitHub product. This is appropriate and not a deficiency.
- AI training on public repo content is enabled by default. Users must explicitly opt out via GitHub account settings. Private repositories are protected.
- HIPAA compliance: GitHub does not appear to offer a BAA for HIPAA compliance. Organizations handling PHI should not use CodeQL without explicit legal review.
- FedRAMP: Not certified. Federal agencies should verify GitHub/CodeQL compliance with FedRAMP or equivalent before deployment.
- Licensing: Free CodeQL usage is strictly limited to open source and research. Commercial use on closed-source code requires GitHub Advanced Security subscription.
// At a glance
Pricing model
Freemium: Free for open source and research; subscription-based for enterprise (part of GitHub Advanced Security pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on GitHub, Inc. (Microsoft subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
github.com