“Automatically Repair Your Code Vulnerabilities with GitHub’s Cutting-Edge AI Tool”

Earlier today, Sentry announced its AI Autofix feature for debugging production code and now, a few hours later, GitHub is launching the first beta of its code scanning autofix feature for finding and fixing security vulnerabilities during the coding process. This new feature combines the real-time capabilities of GitHub’s Copilot with CodeQL, the company’s semantic code analysis engine. The company also promises that code scanning autofix will cover more than 90% of alert types in the languages it supports, which are currently JavaScript, TypeScript, Java, and Python. “Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix will help development teams reclaim time formerly spent on remediation,” GitHub writes in today’s announcement. To generate the fixes and their explanations, GitHub uses OpenAI’s GPT-4 model.


It’s a bad day for bugs. Earlier today, Sentry revealed its new AI Autofix feature for debugging live code and now, just a few hours later, GitHub is launching the initial beta of its code scanning autofix feature, designed to uncover and fix security vulnerabilities during the coding process. The feature combines the real-time capabilities of GitHub Copilot with CodeQL, the company’s semantic code analysis engine. It was first teased back in November of last year.

GitHub says the system is capable of remedying over two-thirds of the vulnerabilities it detects, often without developers needing to manually edit any code themselves. The company further promises that code scanning autofix will cover more than 90% of all alert types in the languages it currently supports, which are JavaScript, TypeScript, Java, and Python.

The feature is now available to all GitHub Advanced Security customers.

“Just like GitHub Copilot allows developers to free themselves from monotonous and repetitive tasks, code scanning autofix gives development teams the ability to save time previously spent on remedying issues,” GitHub wrote in their announcement today. “Security teams will also benefit from a reduction in daily vulnerabilities, allowing them to focus on protecting the company while keeping up with the rapid pace of development.”

Under the hood, the feature relies on CodeQL, the semantic analysis engine GitHub developed to detect vulnerabilities in code before it is ever executed. The company made an early version of CodeQL publicly available in late 2019, after acquiring the code analysis startup Semmle, where CodeQL was originally created. GitHub has made numerous improvements to CodeQL over the years, one constant being that it has only been free for researchers and open-source developers.

Now, CodeQL sits at the core of the new tool, though GitHub also says it uses “a combination of heuristics and GitHub Copilot APIs” to suggest fixes. To generate the actual fixes and their explanations, GitHub uses OpenAI’s GPT-4 model. Although GitHub is confident in the accuracy of the vast majority of autofix suggestions, the company acknowledges that “a small percentage of suggestions may indicate a lack of understanding of the codebase or the vulnerability itself.”

Dylan Williams

Dylan Williams is a multimedia storyteller with a background in video production and graphic design. He has a knack for finding and sharing unique and visually striking stories from around the world.
