Quality assurance · Production

General Motors consolidates 150,000 repositories and deploys GitHub Copilot to accelerate secure software delivery at scale

The problem

GM's developer ecosystem was fragmented across more than 40 tools, creating friction for developers, slowing the development process, and making it difficult to enforce consistent security policies across 150,000 repositories and nearly 20,000 developers.

First attempt

On-premises infrastructure imposed lengthy build queues with non-elastic shared runners that caused cross-team instability and build failures. The Log4j vulnerability exposed the risk of fragmented security tooling, and initial scans surfaced more than 22,000 exposed secrets and over 1.2 million potential vulnerabilities.

Workflow diagram · grounded in source
1
Fragmented toolchain identified
trigger
“Fragmented across more than 40 tools, this complex infrastructure created friction for developers and slowed the entire development process”
2
Migrate to GitHub Enterprise Cloud
integration
“the massive consolidation to GitHub Enterprise Cloud, unifying ~150,000 repositories and nearly 20,000 developers with zero production impact during migration”
3
Elastic runners via GitHub Actions
integration
“VNet-injected runners, a solution that provided full, elastic cloud scale while maintaining secure, firewalled access to GM's private network. This enabled teams to provision thousands of fresh, ephemeral runners on demand”
4
Automated security scanning
ai_action
“This workflow is powered by CodeQL and dependency scanning, which automatically flag vulnerabilities”
5
Copilot Autofix inline remediation
ai_action
“Copilot Autofix has significantly reduced our remediation time. It flags a vulnerability, suggests a fix inline, and developers can just click to accept”
6
Copilot-assisted developer coding
ai_action
“over 8,000 developers began using GitHub Copilot across more than 55 languages and in a wide variety of IDEs, including VS Code, Visual Studio, and the JetBrains suite”
7
Legacy code modernization
ai_action
“Using Copilot, developers reverse-engineered documentation for code written in older languages. Then, they leveraged it to convert this legacy code to modern languages. According to Parisi, this AI-assisted approach was a significant eff…”
8
Copilot Code Review for PRs
ai_action
“Copilot Code Review handles the PR reviews and summaries, allowing teams to focus on more complex tasks”
Reported outcome

GM unified 99% of its source code on GitHub Enterprise Cloud, cut a critical build from four to six hours to 27 minutes, remediated 100% of leaked secrets, and enabled over 8,000 developers to use GitHub Copilot, delivering significant annual savings and allowing engineers to focus on meaningful work.

Reported metrics
Annual savingssignificant annual savings
Critical build timefour to six hours reduced to 27 minutes
Runner image provisioning timemonths reduced to under three days
Exposed secrets discoveredmore than 22,000
Show all 10 reported metrics
annual savingssignificant annual savings
critical build timefour to six hours reduced to 27 minutes
runner image provisioning timemonths reduced to under three days
exposed secrets discoveredmore than 22,000
potential vulnerabilities discoveredover 1.2 million
leaked secrets remediated100%
developers using GitHub Copilotover 8,000
source code unified on single platform99%
legacy code modernization time savedaccomplishing work that could have otherwise taken a year if done with external suppliers
remediation time reductionsignificantly reduced our remediation time
Reported stack
GitHub Enterprise CloudGitHub Advanced SecurityGitHub CopilotGitHub ActionsCodeQLCopilot AutofixCopilot Coding AgentCopilot Code ReviewVS CodeVisual StudioJetBrains suite
Source
https://github.com/customer-stories/general-motors
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

GM unified 99% of its source code on GitHub Enterprise Cloud, cut a critical build from four to six hours to 27 minutes, remediated 100% of leaked secrets, and enabled over 8,000 developers to use GitHub Copilot, deli…

What tools did this team use?

GitHub Enterprise Cloud, GitHub Advanced Security, GitHub Copilot, GitHub Actions, CodeQL, Copilot Autofix, Copilot Coding Agent, Copilot Code Review, VS Code, Visual Studio.

What results were reported?

Annual savings: significant annual savings; Critical build time: four to six hours reduced to 27 minutes; Runner image provisioning time: months reduced to under three days; Exposed secrets discovered: more than 22,000 (source-reported, not independently verified).

What failed first in this deployment?

On-premises infrastructure imposed lengthy build queues with non-elastic shared runners that caused cross-team instability and build failures.

How is this quality assurance AI workflow structured?

Fragmented toolchain identified → Migrate to GitHub Enterprise Cloud → Elastic runners via GitHub Actions → Automated security scanning → Copilot Autofix inline remediation → Copilot-assisted developer coding → Legacy code modernization → Copilot Code Review for PRs.