GitHub has unveiled a new feature designed to expedite the process of addressing vulnerabilities in code. The feature, known as Code Scanning Autofix, is currently in public beta and is automatically activated for all private repositories held by customers of GitHub Advanced Security (GHAS). Leveraging the capabilities of GitHub Copilot and CodeQL, this AI-powered tool is proficient in handling more than 90% of alert types across several programming languages, including JavaScript, TypeScript, Java, and Python.
Upon activation, Code Scanning Autofix assesses the code and suggests potential fixes, which GitHub asserts could effectively resolve over two-thirds of detected vulnerabilities with minimal to no modifications required by the developer. Pierre Tempel and Eric Tooley of GitHub explained that when a vulnerability is identified in a supported language, the tool not only suggests a fix but also provides a natural language explanation and a preview of the code suggestion. Developers have the option to accept, modify, or dismiss these suggestions.
Enhancing Developer Efficiency
The tool's suggestions can span changes across individual files, multiple files, and even adjustments to the dependencies of the current project. By adopting such a comprehensive approach, GitHub aims to significantly lower the daily volume of vulnerabilities that security teams need to address. This shift allows these teams to focus more on safeguarding the organization rather than allocating extensive resources to manage new security flaws emerging from the development process.
However, GitHub also cautions that developers should independently verify the effectiveness of the suggested fixes. There's a possibility that some suggestions might only partially mitigate the security issue or could potentially alter the intended functionality of the code. “Code scanning autofix helps organizations slow the growth of this ‘application security debt' by making it easier for developers to fix vulnerabilities as they code,” stated Tempel and Tooley, drawing a parallel with how GitHub Copilot alleviates the burden of repetitive tasks for developers.
Future Expansions and Additional Security Measures
Looking ahead, GitHub plans to extend support for additional programming languages, with C# and Go slated as the next additions. Further information about this innovative tool is available on GitHub's documentation website.
In a related development, GitHub has recently implemented push protection by default for all public repositories. This move aims to prevent the inadvertent exposure of sensitive information, such as access tokens and API keys, a significant concern highlighted by the accidental exposure of 12.8 million authentication and sensitive secrets through public repositories in 2023 alone
Last Updated on May 14, 2024 10:45 am CEST