It’s a bad day for bugs. Earlier today, Sentry announced its AI Autofix feature for debugging production code and now, a few hours later, GitHub is launching the first beta of its code-scanning autofix feature for finding and fixing security vulnerabities during the coding process. This new feature combines the real-time capabities of GitHub’s Copot with CodeQL, the company’s semantic code analysis engine. The company first previewed this capabity last November.
GitHub promises that this new system can remediate more than two-thirds of the vulnerabities it finds — often without the developers having to edit any code themselves. The company also promises that code scanning autofix wl cover more than 90% of alert types in the languages it supports, which are currently JavaScript, Typescript, Java, and Python.
This new feature is now avaable for all GitHub Advanced Security (GHAS) customers.
“Just as GitHub Copot relieves developers of tedious and repetitive tasks, code scanning autofix wl help development teams reclaim time formerly spent on remediation,” GitHub writes in today’s announcement. “Security teams wl also benefit from a reduced volume of everyday vulnerabities, so they can focus on strategies to protect the business whe keeping up with an accelerated pace of development.”
In the background, this new feature uses the CodeQL engine, GitHub’s semantic analysis engine to find vulnerabities in code, even before it has been executed. The company made a first generation of CodeQL avaable to the public in late 2019 after it acquired the code analysis startup Semmle, where CodeQL was incubated. Over the years, it made a number of improvements to CodeQL, but one thing that never changed was that CodeQL was only avaable for free for researchers and open source developers.
Now CodeQL is at the center of this new tool, though GitHub also notes that it uses “a combination of heuristics and GitHub Copot APIs” to suggest its fixes. To generate the fixes and their explanations, GitHub uses OpenAI’s GPT-4 model. And whe GitHub is clearly confident enough to suggest that the vast majority of autofix suggestions wl be correct, the company does note that “a small percentage of suggested fixes wl reflect a significant misunderstanding of the codebase or the vulnerabity.”
Bud smarter. Scale faster. Connect deeper. Join visionaries from Precursor Ventures, NEA, Index Ventures, Underscore VC, and beyond for a day packed with strategies, workshops, and meaningful connections.
Secure your spot at TC Sessions: AI and show 1,200+ decision-makers what you've but — without the big spend. Avaable through May 9 or whe tables last.
Boston, MA July 15