GitHub has introduced a new public beta feature named “code scanning autofix” for its Advanced Security customers. Powered by GitHub Copilot and CodeQL, the tool is designed to help developers remediate vulnerabilities quickly and simply, tackling application security debt.
Code scanning autofix covers more than 90% of alert types for widely used programming languages, such as JavaScript, TypeScript, Python, and Java. Whenever a weakness is identified in one of these languages, developers are presented with a plain-language explanation of the suggested fix, accompanied by a preview of the proposed code change. Developers can then accept, modify, or reject the suggestion. Notably, these code suggestions have resolved more than two-thirds of identified vulnerabilities, often with minimal or no edits required.
Pierre Tempel and Eric Tooley, who announced the feature in a blog post, describe code scanning autofix as a significant step in GitHub’s application security vision, in which “found” translates to “fixed”. By concentrating on the developer experience, the objective is to help teams address vulnerabilities up to seven times faster than with conventional security tools.
Under the hood, code scanning autofix uses the CodeQL engine together with a combination of heuristics and GitHub Copilot APIs to generate code suggestions. A suggested fix may involve changes to multiple files and the addition of dependencies to the project. GitHub plans to extend support to additional languages, with C# and Go next in the pipeline.
GitHub welcomes observations and feedback on the autofix user experience, which will help steer further enhancements to the feature. The introduction of code scanning autofix benefits development and security teams alike. Developers can reclaim time formerly spent on remediation, while security teams can focus on safeguarding the business and keeping pace with the accelerated rhythm of development, as the volume of routine vulnerabilities reaching them is reduced.