GitHub’s most recent artificial intelligence tool has the ability to automatically correct coding vulnerabilities.

Today marks a notable step for debugging and securing code. Sentry recently introduced AI Autofix for debugging production code, and GitHub now follows with the beta release of code scanning autofix, a feature that identifies and proposes fixes for security vulnerabilities while code is being written. It combines the real-time suggestions of GitHub Copilot with GitHub's semantic code analysis engine, CodeQL, a pairing first teased in November. GitHub says the system can remediate more than two-thirds of the vulnerabilities it finds, often with little or no manual editing by the developer, and that it covers more than 90% of alert types in the supported languages, which at launch are JavaScript, TypeScript, Java, and Python. The feature is available to all GitHub Advanced Security (GHAS) customers.

In its announcement, GitHub draws the parallel that, just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix should help development teams reclaim time previously spent on remediation. Security teams, in turn, should see fewer routine vulnerabilities and be able to concentrate on strategies for protecting the business as development speeds up.

Behind the scenes, the feature relies on GitHub's semantic analysis engine, CodeQL, to find vulnerabilities statically, before the code is ever run. GitHub first made a version of CodeQL publicly available in late 2019, after acquiring Semmle, the code analysis startup that originally developed it. GitHub has kept improving CodeQL since, but one thing has stayed constant: CodeQL is free only for researchers and open source developers.

Today, CodeQL is central to the new tool, although GitHub notes that it uses "a combination of heuristics and GitHub Copilot APIs" to propose fixes. To generate the fixes and their explanations, GitHub uses OpenAI's GPT-4 model. Despite its evident confidence in the accuracy of most autofix suggestions, the company concedes that "a small percentage of suggested fixes may indicate a significant misunderstanding of the codebase or the vulnerability."
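To make the static detect-then-fix cycle concrete, here is an added example (constructed for this article, not GitHub's code and not autofix output) of the kind of flaw CodeQL's Python SQL-injection query flags: a query string assembled from an untrusted value, shown beside a hand-written parameterized fix of the sort the feature is meant to propose. The taint flow from `name` into `execute()` is visible to a static analyzer without running anything; the in-memory SQLite table, the `users` schema and the sample rows are all constructed for the demo.

```python
"""Constructed example: a SQL-injection pattern a static taint-tracking
query can flag, beside a hand-written parameterized fix.
Not GitHub code and not autofix output; table and rows are made up."""
import sqlite3


def _connect():
    # In-memory database seeded with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # BEFORE: SQL text is built from an untrusted value. A taint-tracking
    # query sees `name` flowing into execute() without executing the code.
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_fixed(conn, name):
    # AFTER: the value travels as a bound parameter, never as SQL text,
    # so the same payload is matched literally and returns nothing.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    # Returns (rows leaked by the vulnerable query, rows from the fixed one).
    conn = _connect()
    payload = "x' OR '1'='1"
    leaked = find_user_vulnerable(conn, payload)  # every row comes back
    safe = find_user_fixed(conn, payload)         # no row has that literal name
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(2, 0)`: the string-formatted query returns every row for the classic `' OR '1'='1` payload, while the parameterized version returns none. This is the review step the article's caveat points at: a proposed fix is only correct if it removes the taint path rather than, say, filtering one payload, so the reviewer should confirm the untrusted value no longer reaches the query text at all.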