“Found means fixed” – GitHub launches Copilot-powered code scanning autofix
Now in public beta for GitHub Advanced Security customers, code scanning autofix helps developers remediate more than two-thirds of supported alerts with little or no editing.
GitHub, the world’s leading AI-powered developer platform, has announced that code scanning autofix is available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing.
Eric Tooley, Senior Product Marketing Manager, GitHub, said: “Our vision for application security is an environment where ‘found means fixed’. By prioritizing the developer experience in GitHub Advanced Security, we are already helping teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation.
“Even though applications remain a leading attack vector, most organizations admit to an ever-growing number of unremediated vulnerabilities that exist in production repositories. Code scanning autofix helps organizations slow the growth of this ‘application security debt’ by making it easier for developers to fix vulnerabilities as they code,” adds Tooley.
Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix will help development teams reclaim time formerly spent on remediation. Security teams will also benefit from a reduced volume of everyday vulnerabilities, so they can focus on strategies to protect the business while keeping up with an accelerated pace of development.
When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss. In addition to changes to the current file, these code suggestions can include changes to multiple files and the dependencies that should be added to the project.
Behind the scenes, code scanning autofix leverages the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. To learn more about autofix and its data sources, capabilities, and limitations, check out About autofix for CodeQL code scanning.
GitHub will continue to add support for more languages, with C# and Go up next. Developers can join the autofix feedback and resources discussion to share their experiences and help guide further improvements to the autofix experience. GitHub is committed to moving application security closer to a place where a vulnerability found means a vulnerability fixed.
Resources: GitHub has published extensive resources and documentation about the system architecture, data flow, and AI policies governing code scanning autofix.
- Engineering blog: Fixing security vulnerabilities with AI
- Documentation: About autofix for CodeQL code scanning
- Discussion: Autofix feedback and resources
About GitHub
As the global home for all developers, GitHub is the complete developer platform to build, scale, and deliver secure software. Over 100 million people, including developers from 90 of the Fortune 100 companies, use GitHub to build amazing things together across 330+ million repositories. With all the collaborative features of GitHub, it’s never been easier for individuals and teams to write faster, better code.
