GitHub launches Copilot Autofix to enhance code security with AI
GitHub has announced the general availability of Copilot Autofix within its GitHub Advanced Security (GHAS) suite. The feature aims to enhance software security by leveraging artificial intelligence (AI) to quickly identify and remedy code vulnerabilities. The function is said to assist developers by both preventing new vulnerabilities and addressing existing issues, a task that typically demands significant human intervention.
Copilot Autofix detects vulnerabilities in code, explains their significance, and provides code suggestions to help developers address these issues. GitHub reports that during the public beta phase, developers were able to fix vulnerabilities over three times faster using the AI tool compared to manual processes.
"Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is," said Mike Hanley, Chief Security Officer and Senior Vice President of Engineering at GitHub. "With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed."
During the beta period from March to July 2024, GitHub observed substantial reductions in the time required for remediation. For example, the median time for developers to use Copilot Autofix to automatically commit a fix dropped to 28 minutes from 1.5 hours for manual fixes. Cross-site scripting vulnerabilities saw resolution times cut to 22 minutes compared to nearly three hours manually. Similarly, SQL injection vulnerabilities were addressed in 18 minutes compared to 3.7 hours manually.
Optum, a user of Copilot Autofix, has also reported significant improvements. "Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," stated Kevin Cooper, Principal Engineer at Optum. "In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation."
The tool is designed to address both new and existing code vulnerabilities. Developers can generate fixes for various types of vulnerabilities, such as SQL injection and cross-site scripting, directly within pull requests. When a GHAS code scanning alert is triggered, the developer presses a "Generate fix" button; the AI then assesses the code and provides a suggestion, which the developer can review and commit with the "Create PR with fix" button.
GitHub asserts that Copilot Autofix utilises the CodeQL engine, GPT-4o, and a mix of heuristics and GitHub Copilot APIs to generate its recommendations. These suggestions are based on a combination of CodeQL analysis and brief code snippets pertinent to the detected vulnerability.
As part of its support for the open source community, GitHub has made Copilot Autofix in pull requests available for free to all open source projects. The company aims to ensure that open source software is safer and more reliable by enabling maintainers to detect and remediate vulnerabilities more efficiently.
GitHub continues to integrate AI into other aspects of its GHAS suite, including improvements in secret scanning and workflows designed to address high volumes of security debt. GitHub hopes that delivering these enhancements on the platform developers already use will bolster both productivity and security.