Today marks a significant stride in bug resolution. Following Sentry’s announcement of its AI Autofix feature for debugging production code, GitHub now introduces the beta launch of its code scanning autofix feature, aimed at identifying and fixing security vulnerabilities during development. The feature combines the real-time capabilities of GitHub Copilot with CodeQL, the company’s semantic code analysis engine, and builds on a preview showcased last November.
GitHub states that the system can fix over two-thirds of the vulnerabilities it detects, often without requiring manual code edits. The code scanning autofix feature is also designed to cover more than 90% of alert types across the supported languages, which currently include JavaScript, TypeScript, Java, and Python.
Available now for all GitHub Advanced Security (GHAS) customers, this feature aims to streamline development workflows by automating remediation tasks, enabling teams to focus on strategic initiatives while minimizing the volume of everyday vulnerabilities.
Under the hood, the feature relies on GitHub’s CodeQL engine, a static analysis tool that uncovers vulnerabilities without executing the code. While CodeQL is at the core of the tool, GitHub acknowledges that heuristics and Copilot APIs also play a role in suggesting fixes, and that the fixes and their explanations are generated with OpenAI’s GPT-4 model. GitHub expects the majority of autofix suggestions to be accurate, but acknowledges that a small percentage may stem from a misunderstanding of the codebase or of the vulnerability, so suggested fixes still warrant review before they are merged.
Reference: https://techcrunch.com/2024/03/20/githubs-latest-ai-tool-that-can-automatically-fix-code-vulnerabilities/