GitHub has introduced a new public beta feature for Advanced Security customers, named code scanning autofix, aimed at preventing the introduction of new security vulnerabilities. This tool leverages GitHub Copilot and CodeQL to offer precise code suggestions. Key aspects of this feature include:
- Supports over 90% of alert types for JavaScript, Typescript, Java, and Python, providing solutions for more than two-thirds of detected vulnerabilities with minimal adjustments.
- Initially previewed in November 2023, it uses a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to suggest code modifications.
- GitHub, a Microsoft subsidiary, plans to extend support to additional languages, such as C# and Go.
The benefits and functionality of code scanning autofix:
- Aids developers in fixing vulnerabilities during the coding process by offering potential fixes and natural language explanations for issues detected.
- Recommendations can span beyond the immediate file, suggesting modifications across multiple files and necessary dependencies for a comprehensive solution.
- Simplifies the development process by merging best practice information with detailed codebase and alert insights, offering actionable solutions right from the start.
However, developers are urged to carefully evaluate these recommendations, considering the feature’s current limitations, which include:
- Suggestions that may not be syntactically correct or are placed incorrectly.
- Proposed fixes that could change the program’s semantics or fail to address the root cause, potentially introducing new vulnerabilities.
- Partial solutions, unsupported or insecure dependency recommendations, and arbitrary dependencies that might lead to supply chain attacks.
- GitHub acknowledges the system’s incomplete knowledge of external dependencies, cautioning that it might inadvertently recommend dependencies on malicious software.
This feature underscores GitHub’s commitment to enhancing security while also highlighting the importance of developer oversight in the implementation of suggested fixes.
