GitHub Copilot AI Boosts App Security with Autofix: 'Found Means Fixed'

Now in beta for top-tier GitHub customers is "code scanning autofix" used to mitigate security vulnerabilities in code. The feature is powered by GitHub Copilot AI, which has advanced from its "AI pair programmer" days to help out with all manner of development-related tasks, including security.

Announced in beta last week, the new functionality is available only to GitHub Enterprise customers who use the Microsoft-owned company's Advanced Security offering that "helps developers fix potential issues before production" with the help of AI.

Basically, code scanning autofix flags pull request vulnerability alerts in certain codebases and then proposes and explains new code that can quickly be inserted by a developer, speeding up the tedious and time-consuming bug-fixing process.

Right now, the beta works only with JavaScript, Typescript, Java and Python, with support planned for C# and Go this week.

When a vulnerability is flagged in one of those languages, the proposed fixes are accompanied by natural language explanations of the suggested fix, along with a preview of the code suggestion that can quickly be accepted, edited or dismissed.

Code Scanning Autofix in Action
[Click on image for larger, animated GIF view.] Code Scanning Autofix in Action (circa November 2023) (source: GitHub).

"Our vision for application security is an environment where found means fixed," GitHub said in a March 20 announcement. "By prioritizing the developer experience in GitHub Advanced Security, we already help teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation."

Along with Copilot AI, code scanning autofix is powered by CodeQL, a semantic code analysis engine developed by GitHub to automate security checks by enabling developers to analyze their code and display the results as code scanning alerts.

GitHub Copilot APIs, CodeQL and combined heuristics are all used together to generate code suggestions, explained in last month's engineering blog post, "Fixing security vulnerabilities with AI," which provides "a peek under the hood of GitHub Advanced Security code scanning autofix."

It explains the background technical nuts-and-bolts: "The basic idea behind autofix is simple: when a code analysis tool such as CodeQL detects a problem, we send the affected code and a description of the problem to a large language model (LLM), asking it to suggest code edits that will fix the problem without changing the functionality of the code."

Code scanning autofix is available on private repositories with a working code scanning configuration.

More information can be found in a video, "GitHub code scanning autofix demo," and in "About autofix for CodeQL code scanning" documentation.

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus


  • Creating Reactive Applications in .NET

    In modern applications, data is being retrieved in asynchronous, real-time streams, as traditional pull requests where the clients asks for data from the server are becoming a thing of the past.

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

Subscribe on YouTube