News

GitHub Copilot AI Boosts App Security with Autofix: 'Found Means Fixed'

Now in beta for top-tier GitHub customers is "code scanning autofix" used to mitigate security vulnerabilities in code. The feature is powered by GitHub Copilot AI, which has advanced from its "AI pair programmer" days to help out with all manner of development-related tasks, including security.

Announced in beta last week, the new functionality is available only to GitHub Enterprise customers who use the Microsoft-owned company's Advanced Security offering that "helps developers fix potential issues before production" with the help of AI.

Basically, code scanning autofix flags pull request vulnerability alerts in certain codebases and then proposes and explains new code that can quickly be inserted by a developer, speeding up the tedious and time-consuming bug-fixing process.

Right now, the beta works only with JavaScript, Typescript, Java and Python, with support planned for C# and Go this week.

When a vulnerability is flagged in one of those languages, the proposed fixes are accompanied by natural language explanations of the suggested fix, along with a preview of the code suggestion that can quickly be accepted, edited or dismissed.

Code Scanning Autofix in Action
[Click on image for larger, animated GIF view.] Code Scanning Autofix in Action (circa November 2023) (source: GitHub).

"Our vision for application security is an environment where found means fixed," GitHub said in a March 20 announcement. "By prioritizing the developer experience in GitHub Advanced Security, we already help teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation."

Along with Copilot AI, code scanning autofix is powered by CodeQL, a semantic code analysis engine developed by GitHub to automate security checks by enabling developers to analyze their code and display the results as code scanning alerts.

GitHub Copilot APIs, CodeQL and combined heuristics are all used together to generate code suggestions, explained in last month's engineering blog post, "Fixing security vulnerabilities with AI," which provides "a peek under the hood of GitHub Advanced Security code scanning autofix."

It explains the background technical nuts-and-bolts: "The basic idea behind autofix is simple: when a code analysis tool such as CodeQL detects a problem, we send the affected code and a description of the problem to a large language model (LLM), asking it to suggest code edits that will fix the problem without changing the functionality of the code."

Code scanning autofix is available on private repositories with a working code scanning configuration.

More information can be found in a video, "GitHub code scanning autofix demo," and in "About autofix for CodeQL code scanning" documentation.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

  • Steve Sanderson Previews AI App Dev: Small Models, Agents and a Blazor Voice Assistant

    Blazor creator Steve Sanderson presented a keynote at the recent NDC London 2025 conference where he previewed the future of .NET application development with smaller AI models and autonomous agents, along with showcasing a new Blazor voice assistant project demonstrating cutting-edge functionality.

Subscribe on YouTube