March 21, 2024: GitHub has a brand new feature called “Code scanning autofix,” which is now available in public beta to all GitHub Advanced Security customers.

The feature is powered by GitHub Copilot and CodeQL. The goal is to help developers fix vulnerabilities faster and more easily, thereby reducing the growing problem of “application security debt.”

Code scanning autofix supports more than 90% of alert types in popular programming languages such as JavaScript, TypeScript, Java and Python.

When a vulnerability is discovered in one of these languages, the feature provides developers with a natural-language explanation of the proposed fix along with a preview of the proposed code.

Developers can then accept, edit or reject the suggestion. Notably, these code suggestions have been shown to fix more than two-thirds of the vulnerabilities found without requiring any editing.

Pierre Tempel and Eric Tooley, authors of the blog post announcing the feature, say that code scanning autofix is “the next step forward” in GitHub’s vision for application security, where “found means fixed.”

Code scanning autofix

By prioritizing developer experience, the company aims to help teams remediate vulnerabilities up to seven times faster than traditional security tools.

Behind the scenes, code scanning autofix uses the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate code suggestions.

These suggestions may include changes to multiple files and any dependencies that need to be added to the project.

GitHub plans to continue adding support for more languages, with C# and Go coming next.

The company encourages users to take part in the Autofix feedback and resources discussion to share their experiences and drive further improvements to the feature.

The introduction of the automated code scanning feature is expected to benefit both development and security teams.

Developers can reclaim the time previously spent on remediation, while security teams can focus on protecting the business and keeping up with the accelerated pace of development as the volume of everyday vulnerabilities is reduced.

This article was originally published at