GitHub Launches AI-Powered Autofix Tool to Help Developers Patch Security Flaws


GitHub on Wednesday announced that it is making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations that help avoid introducing new security issues.

“Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.

The capability, first previewed in November 2023, leverages a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.

Code scanning autofix is designed to help developers fix vulnerabilities as they code by generating potential fixes as well as providing a natural language explanation when an issue is discovered in a supported language.


These suggestions can go beyond the current file to include changes to several other files and the dependencies that should be added to rectify the problem.

“Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer,” the company said.

“Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase.”

That said, it is left to the developer to evaluate the recommendations, determine whether a suggestion is the right solution, and make sure that it does not deviate from the program's intended behavior.

GitHub also emphasized the current limitations of the autofix code suggestions, making it imperative that developers carefully review the changes and the dependencies before accepting them. The system may:

  • Suggest fixes that are not syntactically correct code changes
  • Suggest fixes that are syntactically correct code but are suggested at the incorrect location
  • Suggest fixes that are syntactically valid but that change the semantics of the program
  • Suggest fixes that fail to address the root cause, or introduce new vulnerabilities
  • Suggest fixes that only partially resolve the underlying flaw
  • Suggest unsupported or insecure dependencies
  • Suggest arbitrary dependencies, leading to potential supply chain attacks

“The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.”
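The last two limitations in the list above (unsupported or arbitrary dependencies) and the dependency warning just quoted are the ones a reviewer can check mechanically before accepting a suggestion. The following script is an added example, not GitHub's autofix code or part of the announcement: it reads a proposed fix as a unified diff, collects every dependency the patch introduces (pins added to `requirements.txt` and new `import` statements in Python files), and reports the ones that are not already in the project's known dependency set. The diff, the package names in it (including the made-up `requests-utilz`), and the allowlist are all constructed for the example; a real project would derive the allowlist from its lockfile.

```python
"""Flag dependencies that an AI-suggested patch introduces but the project does
not already know about. Added illustration; assumes unified-diff input and a
project allowlist built from the lockfile (both constructed below)."""
import re
import sys
from typing import Iterable

# "+" line adding a requirement pin, e.g. "+PyYAML==6.0.1" (not the "+++" file header)
REQ_LINE = re.compile(r"^\+(?!\+)\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:[=<>!~]=?.*)?$")
# "+" line adding a Python import, e.g. "+import yaml" or "+from foo.bar import x"
IMPORT_LINE = re.compile(r"^\+(?!\+)\s*(?:import|from)\s+([A-Za-z_][A-Za-z0-9_]*)")


def normalize(name: str) -> str:
    """PEP 503 style normalization so PyYAML, pyyaml and py_yaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dependencies_added_by(diff: str) -> dict[str, set[str]]:
    """Return {normalized dependency name: {files in which the patch adds it}}."""
    current_file = None
    added: dict[str, set[str]] = {}
    for line in diff.splitlines():
        if line.startswith("+++ "):            # new-file header of the next hunk group
            current_file = line[4:].strip().removeprefix("b/")
            continue
        if current_file is None or not line.startswith("+"):
            continue                            # only added lines can introduce deps
        if current_file.endswith("requirements.txt"):
            match = REQ_LINE.match(line)
        elif current_file.endswith(".py"):
            match = IMPORT_LINE.match(line)
        else:
            match = None
        if match:
            added.setdefault(normalize(match.group(1)), set()).add(current_file)
    return added


def unknown_dependencies(diff: str, known: Iterable[str],
                         stdlib: Iterable[str] = ()) -> dict[str, set[str]]:
    """Dependencies the patch adds that are neither known to the project nor stdlib.
    `known` must list both distribution names (pyyaml) and import names (yaml),
    because the two differ for many packages."""
    stdlib = stdlib or getattr(sys, "stdlib_module_names", ())  # Python 3.10+
    allow = {normalize(n) for n in known} | {normalize(n) for n in stdlib}
    return {name: files for name, files in dependencies_added_by(diff).items()
            if name not in allow}


# Constructed suggestion: a plausible-looking fix that also pulls in an unknown package.
SAMPLE_DIFF = """\
diff --git a/app/handlers.py b/app/handlers.py
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -1,4 +1,6 @@
 import os
+import yaml
+from requests_utilz import safe_get
 
 def load(path):
-    return open(path).read()
+    return yaml.safe_load(open(path))
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 flask==3.0.0
 requests==2.31.0
+PyYAML==6.0.1
+requests-utilz==0.1.0
"""
# Constructed allowlist: distribution names from the lockfile plus their import names.
KNOWN_DEPS = {"flask", "requests", "pyyaml", "yaml"}


if __name__ == "__main__":
    for name, files in sorted(unknown_dependencies(SAMPLE_DIFF, KNOWN_DEPS).items()):
        print(f"unknown dependency {name!r} introduced in {', '.join(sorted(files))}")
```

Run against the constructed diff, the script accepts the PyYAML pin and the matching `yaml` import because both names are on the allowlist, and reports only `requests-utilz`, which the patch adds in two places. A hit does not prove the package is malicious; it means the reviewer must look the name up in the registry and in the project's policy before merging, which is exactly the manual review GitHub asks for. Project-local packages imported by the patch need to be on the allowlist too, or they will be reported.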
