GitHub is introducing a new code scanning autofix tool which can hunt down vulnerabilities in software code in a bid to support developers and ramp up productivity.
The new feature will be available from today in public beta for all GitHub Advanced Security customers, the company confirmed.
Powered by GitHub Copilot and CodeQL, the tool covers more than 90% of alert types in JavaScript, Typescript, Java, and Python programming languages, and can deliver code suggestions that remediate vulnerabilities “with little or no editing”.
CodeQL is the semantic code analysis engine developed by GitHub to automate security checks, and treats code like data, allowing developers to find potential vulnerabilities in code with greater confidence than traditional static analyzers.
Code security scanning tools help to identify vulnerabilities in code, but fixing them involve triaging alerts and checking documentation before working out the fix – all of which can take extra time.
GitHub said the code scanning autofix tool provides developers with an explanation of the problem and code suggestions to remediate it directly in the pull request.
It can explain what feature is causing the flaw, such as ‘user-provided response is directly used in HTTP response without any sanitization’ and then provide a detailed answer on why that is a problem.
The tool can then suggest a fix, offering a preview of the code suggestion that the developer can accept, edit, or dismiss.
Code suggestions can include changes to multiple files and the dependencies that should be added to the project, the firm said. Code scanning autofix uses the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate these suggestions.
GitHub: “Code scanning autofix is the next leap forward” for developers
GitHub said that its GitHub Advanced Security offering helps teams remediate seven times faster than traditional security tools.
“Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation,” the firm said.
Most organizations admit to an “ever-growing” number of vulnerabilities that exist in production repositories, it added. With the launch of the new tool, GitHub said developers will be able to directly tackle 'security debt' and make it easier to fix vulnerabilities as they code.
“Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix will help development teams reclaim time formerly spent on remediation.”
The company further noted that security teams will also benefit from a reduced volume of everyday vulnerabilities.
What next for code scanning autofix?
GitHub said it plans to add support for more programming languages, with C# and Go “up next”.
GitHub Copilot has been one of the most high-profile examples of the rise of generative AI, offering code suggestions to make developers more productive (even if such tools might create more ‘software churn’). More than 50,000 businesses are using GitHub Copilot.
Last month GitHub Copilot Enterprise, aimed at developers in large organizations reached general availability. The enterprise tier includes chat tools personalized to an enterprise’s own codebase, plus documentation search and pull request summaries.
