// Trust & Security Report

    GitHub, Inc. (Microsoft subsidiary) logo

    GitHub, Inc. (Microsoft subsidiary)

    CodeQL is a semantic code analysis engine that enables security researchers and developers to discover vulnerabilities across codebases. It powers GitHub Advanced Security's code scanning and is available as a free tool for research and open source, or as a paid feature for enterprises.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    GitHub maintains up-to-date, official SOC 1 Type 2 and SOC 2 Type 2 compliance reports available through organization settings for eligible organizations.

    Verify on docs.github.com
    ISO/IEC 27001:2022
    HELD

    GitHub holds ISO/IEC 27001:2022 certification, which demonstrates its commitment to information security management standards.

    Verify on github.com
    CSA CAIQ (Cloud Security Alliance CAIQ)
    HELD

    GitHub provides Cloud Security Alliance CAIQ self-assessment (CSA CAIQ - Level 1) compliance reports accessible through organization settings.

    Verify on docs.github.com
    CSA STAR Level 2
    HELD

    GitHub holds Cloud Security Alliance STAR certification (CSA STAR - Level 2).

    Verify on docs.github.com
    PCI DSS
    HELD

    GitHub maintains PCI DSS Attestation of Compliance as part of its security certifications portfolio.

    Verify on docs.github.com
    GDPR
    HELD

    GitHub's privacy statement (effective April 27, 2026) establishes data processing, user rights, and retention policies compliant with GDPR. GitHub commits to responding to data access/deletion requests within 45 days.

    Verify on docs.github.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of GitHub-provided Business Associate Agreement (BAA) or HIPAA compliance program for CodeQL or GitHub services. Search results show community HIPAA templates but no official GitHub BAA.

    source: github.com
    FedRAMP
    NOT CONFIRMED

    No evidence of FedRAMP certification in GitHub's public compliance documentation. GitHub maintains SOC 2, ISO 27001, CSA CAIQ, CSA STAR, and PCI DSS, but FedRAMP is not listed.

    source: github.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001:2023 certification for AI systems governance.

    source: github.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    GitHub operates data centers with processing in multiple regions. Private repositories are generally stored in the user's selected region.

    GitHub's Terms of Service (as of 2026) explicitly state that GitHub may use inputs and outputs to train AI models. This applies to content in public repositories. Users can opt out via account settings. Private repositories are protected from general AI training but may be accessed for security, support, legal compliance, or malware detection.

    // Security controls

    Encryption in transit

    GitHub uses TLS/HTTPS for all connections; stated as 'secure with ISO, SOC 2, and GDPR'

    github.com

    Data Retention

    GitHub retains personal data as long as accounts remain active and for legal compliance purposes.

    docs.github.com

    Security Incident Response

    GitHub maintains a Security Incident Response Team (SIRT) per RFC 2350 standard.

    github.com

    Bug Bounty Program

    GitHub operates a bug bounty program with legal safe harbor for authorized security researchers.

    github.com

    Subprocessors

    GitHub maintains a public list of subprocessors. Includes affiliates (Microsoft), service providers, and law enforcement when legally required.

    docs.github.com

    // Products & data scope

    CodeQL (Free/Community)Code Analysis & Vulnerability Detection

    data: Open source codebases and academic research only

    Free for research and open source. Requires OSI-approved license or academic use. Downloadable via CLI. User must agree to GitHub CodeQL Terms & Conditions.

    CodeQL (GitHub Advanced Security)Code Analysis & Vulnerability Detection

    data: Any codebase under paid license

    Part of GitHub Advanced Security for enterprise customers. Includes code scanning in CI/CD, no restrictions on codebase type.

    CodeQL (VS Code Extension)Developer Tools

    data: Local codebase analysis

    IDE integration for querying CodeQL databases. Free for open source; paid license required for commercial use on private code.

    // What to watch

    • CodeQL does not hold separate certifications; it inherits GitHub's certifications as a GitHub product. This is appropriate and not a deficiency.
    • AI training on public repo content is enabled by default. Users must explicitly opt out via GitHub account settings. Private repositories are protected.
    • HIPAA compliance: GitHub does not appear to offer a BAA for HIPAA compliance. Organizations handling PHI should not use CodeQL without explicit legal review.
    • FedRAMP: Not certified. Federal agencies should verify GitHub/CodeQL compliance with FedRAMP or equivalent before deployment.
    • Licensing: Free CodeQL usage is strictly limited to open source and research. Commercial use on closed-source code requires GitHub Advanced Security subscription.

    // At a glance

    Pricing model

    Freemium: Free for open source and research; subscription-based for enterprise (part of GitHub Advanced Security pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on GitHub, Inc. (Microsoft subsidiary)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    github.com

    > Browse all vendor trust reports