GitHub recently introduced a new AI-powered feature called Code Scanning Autofix, which aims to help developers identify and resolve security vulnerabilities while they code. The feature combines GitHub's real-time capabilities with Copilot and CodeQL, the company's semantic code analysis engine. It is designed to offer targeted recommendations and generate potential fixes for more than 90% of alert types in JavaScript, TypeScript, Java, and Python.

Key points from the sources:

  • Code Scanning Autofix was initially previewed in November 2023 and became available in public beta for all GitHub Advanced Security customers as of March 20th, 2024.
  • The system can reportedly remediate more than two-thirds of the vulnerabilities it detects, often without requiring manual edits from developers.
  • Fixes are generated using a combination of heuristics, GitHub Copilot APIs, and OpenAI's GPT-4 model.
  • Although the system is expected to deliver accurate solutions, there may still be cases where a suggested fix does not fully address the vulnerability, or where it introduces a new one.
  • Users can expect support for additional programming languages, such as C# and Go, in the future.
  • The feature is subject to change during the beta phase and is currently restricted to JavaScript, TypeScript, Python, and Java alerts identified by CodeQL.
  • Code Scanning Autofix does not require a separate subscription to GitHub Copilot; it is available to enterprise accounts with GitHub Advanced Security.

Developers are encouraged to carefully review and evaluate the suggested fixes before accepting them, as the system may propose fixes that are not syntactically correct, that are placed in the wrong location, or that introduce new vulnerabilities.