News

GitHub Copilot AI Boosts App Security with Autofix: 'Found Means Fixed'

Now in beta for top-tier GitHub customers is "code scanning autofix" used to mitigate security vulnerabilities in code. The feature is powered by GitHub Copilot AI, which has advanced from its "AI pair programmer" days to help out with all manner of development-related tasks, including security.

Announced in beta last week, the new functionality is available only to GitHub Enterprise customers who use the Microsoft-owned company's Advanced Security offering that "helps developers fix potential issues before production" with the help of AI.

Basically, code scanning autofix flags pull request vulnerability alerts in certain codebases and then proposes and explains new code that can quickly be inserted by a developer, speeding up the tedious and time-consuming bug-fixing process.

Right now, the beta works only with JavaScript, Typescript, Java and Python, with support planned for C# and Go this week.

When a vulnerability is flagged in one of those languages, the proposed fixes are accompanied by natural language explanations of the suggested fix, along with a preview of the code suggestion that can quickly be accepted, edited or dismissed.

Code Scanning Autofix in Action
[Click on image for larger, animated GIF view.] Code Scanning Autofix in Action (circa November 2023) (source: GitHub).

"Our vision for application security is an environment where found means fixed," GitHub said in a March 20 announcement. "By prioritizing the developer experience in GitHub Advanced Security, we already help teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation."

Along with Copilot AI, code scanning autofix is powered by CodeQL, a semantic code analysis engine developed by GitHub to automate security checks by enabling developers to analyze their code and display the results as code scanning alerts.

GitHub Copilot APIs, CodeQL and combined heuristics are all used together to generate code suggestions, explained in last month's engineering blog post, "Fixing security vulnerabilities with AI," which provides "a peek under the hood of GitHub Advanced Security code scanning autofix."

It explains the background technical nuts-and-bolts: "The basic idea behind autofix is simple: when a code analysis tool such as CodeQL detects a problem, we send the affected code and a description of the problem to a large language model (LLM), asking it to suggest code edits that will fix the problem without changing the functionality of the code."

Code scanning autofix is available on private repositories with a working code scanning configuration.

More information can be found in a video, "GitHub code scanning autofix demo," and in "About autofix for CodeQL code scanning" documentation.

About the Author

David Ramel is an editor and writer at Converge 360.

comments powered by Disqus

Featured

  • IDE Irony: Coding Errors Cause 'Critical' Vulnerability in Visual Studio

    In a larger-than-normal Patch Tuesday, Microsoft warned of a "critical" vulnerability in Visual Studio that should be fixed immediately if automatic patching isn't enabled, ironically caused by coding errors.

  • Building Blazor Applications

    A trio of Blazor experts will conduct a full-day workshop for devs to learn everything about the tech a a March developer conference in Las Vegas keynoted by Microsoft execs and featuring many Microsoft devs.

  • Gradient Boosting Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the gradient boosting regression technique, where the goal is to predict a single numeric value. Compared to existing library implementations of gradient boosting regression, a from-scratch implementation allows much easier customization and integration with other .NET systems.

  • Microsoft Execs to Tackle AI and Cloud in Dev Conference Keynotes

    AI unsurprisingly is all over keynotes that Microsoft execs will helm to kick off the Visual Studio Live! developer conference in Las Vegas, March 10-14, which the company described as "a must-attend event."

  • Copilot Agentic AI Dev Environment Opens Up to All

    Microsoft removed waitlist restrictions for some of its most advanced GenAI tech, Copilot Workspace, recently made available as a technical preview.

Subscribe on YouTube