GitHub’s new code scanning tool will find and fix the errors in your code
The GitHub code scanning autofix tool works with the JavaScript, TypeScript, Java and Python programming languages


GitHub is introducing a new code scanning autofix tool which can hunt down vulnerabilities in software code in a bid to support developers and ramp up productivity.
The new feature will be available from today in public beta for all GitHub Advanced Security customers, the company confirmed.
Powered by GitHub Copilot and CodeQL, the tool covers more than 90% of alert types in the JavaScript, TypeScript, Java, and Python programming languages, and can deliver code suggestions that remediate vulnerabilities “with little or no editing”.
CodeQL is the semantic code analysis engine developed by GitHub to automate security checks, and treats code like data, allowing developers to find potential vulnerabilities in code with greater confidence than traditional static analyzers.
Code security scanning tools help to identify vulnerabilities in code, but fixing them involves triaging alerts and checking documentation before working out the fix – all of which can take extra time.
GitHub said the code scanning autofix tool provides developers with an explanation of the problem and code suggestions to remediate it directly in the pull request.
It can explain what feature is causing the flaw, such as ‘user-provided response is directly used in HTTP response without any sanitization’ and then provide a detailed answer on why that is a problem.
The tool can then suggest a fix, offering a preview of the code suggestion that the developer can accept, edit, or dismiss.
Code suggestions can include changes to multiple files and the dependencies that should be added to the project, the firm said. Code scanning autofix uses the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate these suggestions.
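The alert type quoted above (user-provided input copied into an HTTP response without sanitization, which CodeQL reports as reflected cross-site scripting) is easiest to understand as a before/after pair. The following is an added example written for this article, not GitHub's or CodeQL's code and not an actual autofix suggestion: a framework-free JavaScript handler in the vulnerable shape beside the hardened shape a fix would aim for, plus a small regression check. All function names and the sample request are assumptions constructed for the example.

```javascript
// Added example, not GitHub's or CodeQL's code: the alert class the article
// quotes ("user-provided input used directly in an HTTP response without
// sanitization", i.e. reflected cross-site scripting) shown as the vulnerable
// handler beside the hardened one that an autofix suggestion would aim for.
// Framework-free on purpose so it runs offline; function names are assumptions.

// Escape the five characters that matter inside an HTML element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Source of untrusted data: the query string of the request. A plain object
// with a `url` field stands in for a real request, so no server is needed.
function nameFromRequest(req) {
  const url = new URL(req.url, "http://localhost");
  return url.searchParams.get("name") || "guest";
}

// BEFORE (the pattern the alert describes): the untrusted value is
// interpolated straight into the HTML body, so any markup in ?name= is
// interpreted by the browser as part of the page.
function renderGreetingVulnerable(req) {
  const name = nameFromRequest(req);
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// AFTER (the shape of the fix): identical logic, with the value escaped at
// the point where it meets the HTML sink.
function renderGreetingFixed(req) {
  const name = nameFromRequest(req);
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// Regression check a reviewer can keep next to the fix: does any tag that
// appeared in the input survive verbatim in the rendered page?
function echoesRawMarkup(inputValue, html) {
  const tags = inputValue.match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// Constructed sample request: a visitor name that happens to contain markup.
const SAMPLE_NAME = "<b>bob</b>";
const SAMPLE_REQUEST = { url: "/greet?name=" + encodeURIComponent(SAMPLE_NAME) };

// Render the same request through both handlers and report whether the
// input's markup reached the page unescaped.
function demo() {
  const before = renderGreetingVulnerable(SAMPLE_REQUEST);
  const after = renderGreetingFixed(SAMPLE_REQUEST);
  return {
    before,
    after,
    vulnerableEchoesMarkup: echoesRawMarkup(SAMPLE_NAME, before), // true
    fixedEchoesMarkup: echoesRawMarkup(SAMPLE_NAME, after),       // false
  };
}
```

The fix is deliberately applied at the sink rather than the source: escaping where the value meets HTML is what makes the handler safe regardless of how many code paths feed it, and it is the kind of single-site change a scanner can propose with high confidence. Where the value needs to land in a different context (a URL, a script block, a CSS property), element-body escaping is not sufficient and a context-specific encoder is required.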
GitHub: “Code scanning autofix is the next leap forward” for developers
GitHub said that its GitHub Advanced Security offering helps teams remediate seven times faster than traditional security tools.
“Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation,” the firm said.
Most organizations admit to an “ever-growing” number of vulnerabilities that exist in production repositories, it added. With the launch of the new tool, GitHub said developers will be able to directly tackle 'security debt' and make it easier to fix vulnerabilities as they code.
“Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix will help development teams reclaim time formerly spent on remediation.”
The company further noted that security teams will also benefit from a reduced volume of everyday vulnerabilities.
What next for code scanning autofix?
GitHub said it plans to add support for more programming languages, with C# and Go “up next”.
GitHub Copilot has been one of the most high-profile examples of the rise of generative AI, offering code suggestions to make developers more productive (even if such tools might create more ‘software churn’). More than 50,000 businesses are using GitHub Copilot.
Last month GitHub Copilot Enterprise, aimed at developers in large organizations, reached general availability. The enterprise tier includes chat tools personalized to an enterprise’s own codebase, plus documentation search and pull request summaries.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.