GitHub on Wednesday announced that code scanning autofix is now available in public beta to all GitHub Advanced Security customers. The feature generates targeted fix suggestions for code scanning alerts so that developers can remediate findings without introducing new security issues.
“Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.
The capability, first previewed in November 2023, combines CodeQL, the Copilot APIs, and OpenAI GPT-4 to generate code suggestions. GitHub, a Microsoft subsidiary, also said it plans to add support for more programming languages, including C# and Go, in the future.
Code scanning autofix is designed to help developers resolve vulnerabilities as they code by generating potential fixes as well as providing a natural language explanation when an issue is discovered in a supported language.
These suggestions could go beyond the current file to include changes to several other files and the dependencies that should be added to rectify the problem.
“Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer,” the company said.
“Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase.”
That said, it is left to the developer to evaluate each recommendation, decide whether it is the right fix, and confirm that the patched code still behaves as intended.
GitHub also spelled out the current limitations of autofix, which make it imperative that developers carefully review both the code changes and any added dependencies before accepting them. The system may:
- Suggest fixes that are not syntactically correct code changes
- Suggest fixes that are syntactically correct code but are suggested at the incorrect location
- Suggest fixes that are syntactically valid but that change the semantics of the program
- Suggest fixes that fail to address the root cause, or introduce new vulnerabilities
- Suggest fixes that only partially resolve the underlying flaw
- Suggest unsupported or insecure dependencies
- Suggest arbitrary dependencies, leading to possible supply chain attacks
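Two of those failure modes, a syntactically valid fix that changes program semantics and a fix that only partially resolves the flaw, are easy to miss when the alert simply disappears from the scan. The following is an added example, not GitHub's code and not taken from the article: a constructed path-injection flaw of the kind CodeQL reports, a plausible partial fix, and a root-cause fix, with a small harness that scores each against traversal payloads and against legitimate file names rather than only against the original alert. The base directory and the file names are made up.

```python
import os

# Added example (not GitHub's code): a file-serving helper with the kind of
# path-injection flaw CodeQL reports, a plausible but partial fix, and a
# root-cause fix. Base directory and inputs are constructed for illustration.

BASE_DIR = "/srv/app/uploads"  # hypothetical upload root; need not exist


def resolve_vulnerable(base_dir: str, user_path: str) -> str:
    # Original flaw: untrusted input flows straight into the filesystem path.
    return os.path.join(base_dir, user_path)


def resolve_partial_fix(base_dir: str, user_path: str) -> str:
    # The kind of suggestion a reviewer should reject: it blocks the obvious
    # "../" payload but not an absolute path (os.path.join discards base_dir
    # when user_path is absolute), and it also rejects legitimate file names
    # that merely contain "..", which changes behaviour for valid input.
    if ".." in user_path:
        raise ValueError("path traversal rejected")
    return os.path.join(base_dir, user_path)


def resolve_fixed(base_dir: str, user_path: str) -> str:
    # Root-cause fix: canonicalise the joined path and require that it still
    # lies inside the canonical base directory.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path traversal rejected")
    return target


def escapes(resolver, base_dir: str, user_path: str) -> bool:
    """True if resolver lets user_path reach a file outside base_dir."""
    try:
        target = resolver(base_dir, user_path)
    except ValueError:
        return False
    base_real = os.path.realpath(base_dir)
    return os.path.commonpath([base_real, os.path.realpath(target)]) != base_real


def accepts(resolver, base_dir: str, user_path: str) -> bool:
    """True if resolver serves user_path at all (it may still escape)."""
    try:
        resolver(base_dir, user_path)
    except ValueError:
        return False
    return True


# Constructed inputs: two traversal payloads and two legitimate file names.
ATTACKS = ["../../etc/passwd", "/etc/passwd"]
LEGIT = ["notes.txt", "release..final.txt"]


def evaluate(resolver, base_dir: str = BASE_DIR) -> dict:
    """Score a candidate fix on both axes a reviewer cares about."""
    return {
        "blocks_all_attacks": all(not escapes(resolver, base_dir, a) for a in ATTACKS),
        "accepts_all_legit": all(accepts(resolver, base_dir, p) for p in LEGIT),
    }


if __name__ == "__main__":
    for fn in (resolve_vulnerable, resolve_partial_fix, resolve_fixed):
        print(f"{fn.__name__:22s} {evaluate(fn)}")
```

The point of the harness is that the partial fix makes the original alert go away while still failing both checks: an absolute path still escapes the base directory, and a valid name such as `release..final.txt` is now refused. Reviewing a suggested fix means running it against the attack and against normal input, not just re-running the scanner.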
“The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.”
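The last two limitations in the list and the caveat just quoted call for a gate that runs before a suggested patch is merged. The following is an added example, not anything GitHub ships: it parses the patch's unified diff for added dependency declarations and flags any package that is not already in the repository's approved set, any name within a small edit distance of an approved one, and any version that is not pinned. It handles Python requirements files only; the approved package names, the diff and the package names inside it are constructed for the example. A real pipeline would apply the same treatment to the other manifest formats and consult the registry for the package's age and publisher.

```python
import re

# Added example (not GitHub's code): a pre-merge gate that inspects the
# dependency changes in a suggested patch. Package names and the diff below
# are constructed for illustration.

# Hypothetical approved set; in a real pipeline read this from the lockfile.
KNOWN_PACKAGES = {"requests", "pyyaml", "cryptography", "urllib3", "jinja2"}

FILE_HEADER = re.compile(r"^\+\+\+ b/(.+)$")
REQUIREMENTS_FILE = re.compile(r"(^|/)requirements[^/]*\.txt$")
# An added line declaring a package, optionally with a version specifier.
REQ_LINE = re.compile(r"^\+([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names such as 'requestss'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def added_requirements(diff_text: str):
    """Yield (path, name, operator, version) for lines added to requirements files."""
    current = None
    for line in diff_text.splitlines():
        header = FILE_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None or not REQUIREMENTS_FILE.search(current):
            continue
        m = REQ_LINE.match(line)
        if m:
            yield current, m.group(1), m.group(2), m.group(3)


def review_dependency_changes(diff_text: str, known=KNOWN_PACKAGES) -> list:
    """Return (package, reason) findings that a human must clear before merge."""
    findings = []
    known_norm = {normalize(k) for k in known}
    for _path, name, op, _version in added_requirements(diff_text):
        n = normalize(name)
        if n not in known_norm:
            close = sorted(k for k in known_norm if levenshtein(n, k) <= 2)
            if close:
                findings.append((name, f"possible typosquat of {close[0]}"))
            else:
                findings.append((name, "new dependency not in approved set"))
        if op != "==":
            findings.append((name, "version not pinned"))
    return findings


# Constructed diff standing in for a suggested fix that touches requirements.txt.
SUGGESTED_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,5 @@
 requests==2.31.0
-pyyaml==6.0
+pyyaml==6.0.1
+requestss==2.31.0
+acme-html-sanitizer>=1.0
"""

if __name__ == "__main__":
    for package, reason in review_dependency_changes(SUGGESTED_DIFF):
        print(f"BLOCK {package}: {reason}")
```

The allowlist check is what matters for the quoted caveat: a dependency the model invented under a plausible name is, by construction, not one the repository already uses, so any addition outside the approved set is routed to a human regardless of how reasonable the name looks. The edit-distance check catches the narrower typosquat case, and the pin check stops a `>=` range from silently pulling a later malicious release.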