GitHub’s latest AI tool can automatically fix code vulnerabilities

GitHub has introduced a beta version of its code-scanning autofix feature, designed to identify and remediate security vulnerabilities as code is being written. The tool combines GitHub Copilot with CodeQL, the semantic code analysis engine GitHub acquired with Semmle. The autofix system is reported to fix over two-thirds of detected vulnerabilities, often without developer intervention, and is said to cover more than 90% of alert types for the supported languages, which include JavaScript, TypeScript, Java, and Python.

Available to GitHub Advanced Security customers, the feature aims to save developers time on remediation and allows security teams to concentrate on higher-level protective strategies. The tool leverages CodeQL for vulnerability detection and employs heuristics and GitHub Copilot APIs for fix suggestions. These suggestions are generated using OpenAI’s GPT-4 model. While GitHub is confident in the accuracy of the autofix recommendations, it acknowledges that a small percentage may not fully grasp the codebase or the vulnerability at hand.
