- GitHub launches the first beta of its code-scanning autofix feature for finding and fixing security vulnerabilities during the coding process.
- This new feature combines the real-time capabilities of GitHub’s Copilot with CodeQL, the company’s semantic code analysis engine.
GitHub on Wednesday announced that it’s making a feature called code scanning auto-fix in public beta for all Advanced Security customers to provide targeted recommendations to avoid introducing new security issues.
Work with Copilot
“Powered by GitHub Copilot and CodeQL, code scanning auto-fix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.
The capability, first previewed in November 2023, leverages a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.
This new feature is now available for all GitHub Advanced Security (GHAS) customers.
Also read: Chinese AI chatbot Kimi handles 2 million characters, up from 200k
Also read: Microsoft hires DeepMind co-founder Mustafa Suleyman as CEO of new AI unit
Pros and cons
“Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix will help development teams reclaim time formerly spent on remediation,” GitHub writes in today’s announcement.
“Security teams will also benefit from a reduced volume of everyday vulnerabilities, so they can focus on strategies to protect the business while keeping up with an accelerated pace of development.”
Now CodeQL is at the centre of this new tool, though GitHub also notes that it uses “a combination of heuristics and GitHub Copilot APIs” to suggest its fixes.
And while GitHub is confident enough to suggest that the vast majority of autofix suggestions will be correct, the company does note that “a small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability.”
