GitHub launches code-scanning autofix tool


By Dylan Bushell-Embling
Tuesday, 26 March, 2024

GitHub has launched a new code-scanning autofix solution powered by its GitHub Copilot AI-based code completion tool.

The new functionality will help developers uncover and automatically fix more than 90% of alert types across the JavaScript, TypeScript, Java and Python programming languages. The tool also delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing.

When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested change along with a preview of the code suggestion for a developer to accept, edit or dismiss.

The code suggestions can also include changes to multiple files and the dependencies that should be added to the project.

The tool uses the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. GitHub plans to add support for more languages, with C# and Go the next to be supported.

GitHub Senior Product Marketing Manager Eric Tooley said the new tool is designed to help fulfil the company’s vision for application security, which is an environment where ‘found’ means ‘fixed’.

“By prioritising the developer experience in GitHub Advanced Security, we are already helping teams remediate seven times faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation,” he said.

“Even though applications remain a leading attack vector, most organisations admit to an ever-growing number of unremediated vulnerabilities that exist in production repositories. Code-scanning autofix helps organisations slow the growth of this ‘application security debt’ by making it easier for developers to fix vulnerabilities as they code.”


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd