{"meta":{"title":"Code security risk assessment","intro":"Generate a free code security risk assessment to understand your organization's exposure to vulnerabilities.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/concepts","title":"Concepts"},{"href":"/en/code-security/concepts/code-scanning","title":"Code scanning"},{"href":"/en/code-security/concepts/code-scanning/code-security-risk-assessment","title":"Code security risk assessment"}],"documentType":"article"},"body":"# Code security risk assessment\n\nGenerate a free code security risk assessment to understand your organization's exposure to vulnerabilities.\n\nThe code security risk assessment is a free, self-serve scan that helps you understand your organization's exposure to code vulnerabilities. The assessment scans up to 20 of your organization's repositories and produces a report showing the vulnerabilities found, their severity, and how many can be fixed with Copilot Autofix.\n\nThe assessment is completely free. You won't be charged for any GitHub Code Security licenses, and the GitHub Actions minutes used during the scan are provided at no cost.\n\n## Who can run the assessment\n\n**Organization owners** and **security managers** can run the code security risk assessment for organizations on GitHub Team or GitHub Enterprise Cloud plans.\n\n## What the assessment scans\n\nBy default, the assessment pre-selects up to 20 of your organization's private and internal repositories based on commit activity in the last 90 days. You can change this selection before running the scan. Only repositories containing at least one language supported by code scanning can be selected.\n\nScans have a one-hour timeout. If all languages in a repository fail to scan, that repository is counted as failed. If at least one language scans successfully, the repository's results are included in the report.\n\nYou can rerun the assessment every 90 days. For each rerun, you can change which repositories are scanned.\n\n## Relationship to the secret risk assessment\n\nGitHub offers two free security risk assessments for organizations: the code security risk assessment and the secret risk assessment. The two assessments run independently and their results are displayed in separate tabs in the Assessments view. Each assessment can be rerun every 90 days.\n\nFor more information about the secret risk assessment, see [About secret security with GitHub](/en/code-security/concepts/secret-security/about-secret-security-with-github#secret-risk-assessment).\n\n## Next steps\n\nTo generate a code security risk assessment for your organization, see [Running the code security risk assessment for your organization](/en/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-vulnerability-risk)."}