HomeWinBuzzer NewsGitHub Advances Security with AI-Powered Autofix for Code Vulnerabilities

GitHub Advances Security with AI-Powered Autofix for Code Vulnerabilities

GitHub's new AI tool, Code Scanning Autofix, suggests fixes for code vulnerabilities in private repos (GitHub Advanced Security).

-

has unveiled a new feature designed to expedite the process of addressing vulnerabilities in code. The feature, known as Code Scanning Autofix, is currently in public beta and is automatically activated for all private repositories held by customers of GitHub Advanced Security (GHAS). Leveraging the capabilities of GitHub Copilot and CodeQL, this AI-powered tool is proficient in handling more than 90% of alert types across several languages, including JavaScript, TypeScript, Java, and Python.

Upon activation, Code Scanning Autofix assesses the code and suggests potential fixes, which GitHub asserts could effectively resolve over two-thirds of detected vulnerabilities with minimal to no modifications required by the developer. Pierre Tempel and Eric Tooley of GitHub explained that when a vulnerability is identified in a supported language, the tool not only suggests a fix but also provides a natural language explanation and a preview of the code suggestion. Developers have the option to accept, modify, or dismiss these suggestions.

Enhancing Developer Efficiency

The tool's suggestions can span changes across individual files, multiple files, and even adjustments to the dependencies of the current project. By adopting such a comprehensive approach, GitHub aims to significantly lower the daily volume of vulnerabilities that security teams need to address. This shift allows these teams to focus more on safeguarding the organization rather than allocating extensive resources to manage new security flaws emerging from the development process.

However, GitHub also cautions that developers should independently verify the effectiveness of the suggested fixes. There's a possibility that some suggestions might only partially mitigate the security issue or could potentially alter the intended functionality of the code. “Code scanning autofix helps organizations slow the growth of this ‘application security debt' by making it easier for developers to fix vulnerabilities as they code,” stated Tempel and Tooley, drawing a parallel with how GitHub Copilot alleviates the burden of repetitive tasks for developers.

Future Expansions and Additional Security Measures

Looking ahead, GitHub plans to extend support for additional programming languages, with C# and Go slated as the next additions. Further information about this innovative tool is available on GitHub's documentation website.

In a related development, GitHub has recently implemented push protection by default for all public repositories. This move aims to prevent the inadvertent exposure of sensitive information, such as access tokens and API keys, a significant concern highlighted by the accidental exposure of 12.8 million authentication and sensitive secrets through public repositories in 2023 alone

Last Updated on May 14, 2024 10:45 am CEST

SourceGitHub
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.