GitHub wants to stamp out software vulnerabilities once and for all: Copilot Autofix helps developers fix flaws three-times faster than manually

GitHub is set on eliminating insecure code with its new offering, Copilot Autofix, a tool designed to automate dealing with software vulnerabilities. 

Using AI, Autofix analyzes vulnerabilities in code, describes the importance of said vulnerabilities, and then presents users with suggestions to help developers fix each issue as it arises. 

GitHub found that developers were able to fix software vulnerabilities at more than three-times the speed of those attempting to fix issues manually when they trialed the platform as part of a public beta.  

Fixes for cross-site scripting vulnerabilities were seven times faster, taking 22 minutes with Autofix compared to nearly three (2.8) hours manually. For SQL injection vulnerabilities, fixes were 12 times faster at 18 minutes compared to 3.7 hours. 

The firm described the tool as “a powerful example of how AI agents can radically simplify and accelerate secure software development.”

"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," said Kevin Cooper, principal engineer at Optum. 

During the beta, which began in March 2024, Developers used Autofix in their pull requests to help them rapidly and efficiently fix issues in new code before it was fed to production and risked interaction with end users. 

Autofix can generate fixes for “dozens of classes of code vulnerabilities”, like SQL injection or cross-site scripting. Developers can choose what to do with fixes in their pull requests and can decide whether they want to dismiss, edit, or commit them.

How to use GitHub’s Copilot Autofix

To use the tool, users need to press the “Generate fix” button in the GitHub Advanced Security (GHAS) code-scanning alert. Thereafter, Copilot Autofix sets about analyzing the code for vulnerabilities. 

Once a code solution is returned, the developer can press “create PR with fix” to create a new pull request that includes the relevant code fixes, allowing teams to “pay down years’ worth of security debt … in just a matter of a few clicks.”

"Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible,” Mario Landgraf, Community Manager, Security at Otto, said. 

“Vulnerabilities are flagged immediately and code changes are recommended automatically. It helps our teams to free up time so they can focus on more strategic initiatives,” he added.