Developers relying on GitHub Copilot could be creating dangerously flawed code


GitHub Copilot could be exacerbating software vulnerabilities due to the generative AI assistant’s tendency to replicate insecure code, researchers have warned. 

Analysis from Snyk found that AI coding assistants such as GitHub Copilot can learn to imitate problematic patterns or utilize vulnerable material within a developer’s system of code. 

If developers are inputting code into GitHub that has security issues or technical problems, then the AI model can succumb to the “broken windows” theory by taking inspiration from its problematic surroundings.

In essence, if GitHub Copilot is fed with prompts containing vulnerable material, then it will learn to regurgitate that material in response to user interactions.  

“Generative AI coding assistants, such as Copilot, don’t actually understand code semantics and, as a result, cannot judge it,” researchers said.

By way of evidence, Snyk highlighted an example in which Copilot utilized the “neighboring tabs” feature to access code for the purposes of context. 

In this instance, the code in question already contained security flaws. Copilot then went on to amplify these security vulnerabilities in its following suggestions, leaving the developer at risk of SQL injection. 

“This means that existing security debt in a project can make insecure developers using Copilot even less secure,” said Snyk.  

The exacerbation of security issues through GitHub should be a concern to developers for several key reasons, researchers said. 


Inexperienced or insecure developers, for example, could begin to develop bad habits as Copilot’s code suggestions reinforce mistakes or poor developer practice.

In a similar way, Copilot could pick up on coding patterns that, though previously acceptable, may have become outdated and vulnerable. 

AI coding assistants also breed a culture which lacks oversight, the study suggested, meaning problematic code may not be checked and so could be proliferated extensively. 

According to Snyk, data suggests that the average commercial project has around 40 vulnerabilities in first-party code, setting the perfect stage for the amplification of flaws if developers are not diligent.

Coding assistants like GitHub Copilot should be used with caution

Snyk advised developers to fix issues at the source by ensuring their code is up-to-date and secure. 

“Copilot is less likely to suggest insecure code in projects without security issues, as it has less insecure code context to draw from,” said Snyk. 

The company also suggested some more specific mitigation methods for the various departments which this issue could affect. 

For example, developers should “conduct manual reviews” of code generated by coding assistants that include within them comprehensive security assessments and vulnerability rectifications. This will help reduce oversight blind spots, researchers suggested.  

Security teams, on the other hand, should put static application security testing (SAST) guardrails in place that contain policies for development teams to work to. 

Security teams can also help to provide training and awareness to development teams, as well as “prioritize and triage” the backlog of development team issues. 

George Fitzmaurice
Staff Writer

