AI-Powered Code Scanning Autofix Debuts On GitHub
On Wednesday, GitHub announced that it is making its code scanning autofix feature available.
“Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.
The feature, first demonstrated in November 2023, generates its code suggestions from three components: CodeQL, the Copilot APIs, and OpenAI’s GPT-4. The Microsoft-owned company also said it intends to add support for more programming languages in the future, including C# and Go.
The suggestions may extend beyond the file currently being edited, touching several other files and adding the dependencies needed to resolve the issue.
“Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer,” the company said in its announcement.
That said, it remains the developer’s responsibility to assess each suggestion, determine whether it is the right fix, and confirm that it does not change the intended behavior of the code.
Code scanning autofix is meant to help developers fix vulnerabilities as they write code: it generates candidate patches and accompanies each one with a natural-language explanation.
GitHub also stressed the current limitations of the autofix suggestions, which is why developers must thoroughly review both the changes and any added dependencies before accepting them.
“The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company said in its announcement. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.”
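The caveat above is the one a reviewer most needs to operationalise: a suggested patch can quietly add a dependency whose name merely looks right. The following is an added example, not GitHub’s code and not part of the announcement. It parses a unified diff (a constructed sample is embedded), collects the dependency names introduced on `+` lines in `requirements.txt` and `package.json`, and classifies each one against a hypothetical project allowlist as already vetted, a near-match of a vetted name (a typosquat signal), or unknown, so that a suggestion is only accepted automatically when it adds nothing unvetted. The package names in the sample diff are illustrative and do not refer to real packages.

```python
"""Pre-acceptance check for autofix suggestions that add dependencies.

Added example, not GitHub's code: it parses a unified diff (a constructed
sample is embedded below), collects dependency names introduced on '+'
lines in requirements.txt and package.json, and flags any name that is
not on the project's allowlist or that is a near-match of an allowlisted
name (a typosquat signal)."""
import re
from difflib import SequenceMatcher

# Hypothetical allowlist: dependencies the project has already vetted.
ALLOWLIST = frozenset({"requests", "flask", "lodash", "express"})

# Constructed sample of a suggested patch; the new package names are
# illustrative only and do not refer to real packages.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 flask==3.0.0
 requests==2.31.0
+requets==2.31.0
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -3,5 +3,6 @@
   "dependencies": {
     "express": "^4.18.2",
-    "lodash": "^4.17.21"
+    "lodash": "^4.17.21",
+    "html-sanitiser": "^0.1.0"
   }
"""


def _dependency_name(path, body):
    """Extract a dependency name from one manifest line, or None."""
    if path.endswith("requirements.txt"):
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", body)
    elif path.endswith("package.json"):
        match = re.match(r'"(@?[^"]+)"\s*:\s*"', body)
    else:
        return None
    return match.group(1).lower() if match else None


def added_dependencies(diff_text):
    """Names on '+' lines with no matching '-' line, so an existing dependency
    that is merely re-indented or re-punctuated is not reported as new."""
    added, removed = set(), set()
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if line.startswith("---") or current_file is None:
            continue
        if line.startswith(("+", "-")):
            name = _dependency_name(current_file, line[1:].strip())
            if name:
                (added if line[0] == "+" else removed).add(name)
    return sorted(added - removed)


def review_suggestion(diff_text, allowlist=ALLOWLIST, threshold=0.8):
    """Map each new dependency to 'allowlisted', 'lookalike:<name>' or 'unknown'."""
    verdicts = {}
    for name in added_dependencies(diff_text):
        if name in allowlist:
            verdicts[name] = "allowlisted"
            continue
        closest = max(allowlist, key=lambda known: SequenceMatcher(None, name, known).ratio())
        if SequenceMatcher(None, name, closest).ratio() >= threshold:
            verdicts[name] = f"lookalike:{closest}"
        else:
            verdicts[name] = "unknown"
    return verdicts


def safe_to_accept(diff_text, allowlist=ALLOWLIST):
    """True only when every dependency the suggestion adds is already vetted."""
    return all(v == "allowlisted" for v in review_suggestion(diff_text, allowlist).values())


if __name__ == "__main__":
    for name, verdict in review_suggestion(SAMPLE_DIFF).items():
        print(f"{name}: {verdict}")
    print("safe to accept:", safe_to_accept(SAMPLE_DIFF))
```

Run against the sample, the check reports `requets` as a lookalike of the vetted `requests` and `html-sanitiser` as unknown, and `safe_to_accept` returns False; the re-punctuated `lodash` line is correctly not counted as a new dependency. In a real pipeline the allowlist would come from the project’s lockfile, and an unknown or lookalike verdict would block auto-merge and route the suggestion to a human reviewer.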