Which statement best describes CodeQL scanning in PRs?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

Which statement best describes CodeQL scanning in PRs?

Explanation:
CodeQL scanning in pull requests focuses on analyzing the changes introduced by a PR to identify security vulnerabilities before the code is merged. It works by examining the modified code paths in the PR and applying CodeQL queries to spot potential issues, so teams can remediate them early rather than after merge. This helps catch regressions or new flaws caused by the specific changes in that PR, rather than scanning the whole repository post-merge. The results are surfaced directly in the PR checks, often enabling automated gatekeeping—critical issues can block merging or prompt immediate fixes. It’s not about updating dependencies, publishing release notes, or running only after merges; its purpose is to detect vulnerabilities introduced by the changes in the PR so security concerns are addressed as part of the review process.
