News

GitHub Copilot AI Boosts App Security with Autofix: 'Found Means Fixed'

Now in beta for top-tier GitHub customers is "code scanning autofix" used to mitigate security vulnerabilities in code. The feature is powered by GitHub Copilot AI, which has advanced from its "AI pair programmer" days to help out with all manner of development-related tasks, including security.

Announced in beta last week, the new functionality is available only to GitHub Enterprise customers who use the Microsoft-owned company's Advanced Security offering that "helps developers fix potential issues before production" with the help of AI.

Basically, code scanning autofix flags pull request vulnerability alerts in certain codebases and then proposes and explains new code that can quickly be inserted by a developer, speeding up the tedious and time-consuming bug-fixing process.

Right now, the beta works only with JavaScript, Typescript, Java and Python, with support planned for C# and Go this week.

When a vulnerability is flagged in one of those languages, the proposed fixes are accompanied by natural language explanations of the suggested fix, along with a preview of the code suggestion that can quickly be accepted, edited or dismissed.

Code Scanning Autofix in Action
[Click on image for larger, animated GIF view.] Code Scanning Autofix in Action (circa November 2023) (source: GitHub).

"Our vision for application security is an environment where found means fixed," GitHub said in a March 20 announcement. "By prioritizing the developer experience in GitHub Advanced Security, we already help teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation."

Along with Copilot AI, code scanning autofix is powered by CodeQL, a semantic code analysis engine developed by GitHub to automate security checks by enabling developers to analyze their code and display the results as code scanning alerts.

GitHub Copilot APIs, CodeQL and combined heuristics are all used together to generate code suggestions, explained in last month's engineering blog post, "Fixing security vulnerabilities with AI," which provides "a peek under the hood of GitHub Advanced Security code scanning autofix."

It explains the background technical nuts-and-bolts: "The basic idea behind autofix is simple: when a code analysis tool such as CodeQL detects a problem, we send the affected code and a description of the problem to a large language model (LLM), asking it to suggest code edits that will fix the problem without changing the functionality of the code."

Code scanning autofix is available on private repositories with a working code scanning configuration.

More information can be found in a video, "GitHub code scanning autofix demo," and in "About autofix for CodeQL code scanning" documentation.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

Subscribe on YouTube