GitHub wants to stamp out software vulnerabilities once and for all: Copilot Autofix helps developers fix flaws three times faster than manually
The platform's new AI-powered tool, Copilot Autofix, promises to speed up the time it takes to secure code
GitHub is set on eliminating insecure code with its new offering, Copilot Autofix, a tool designed to automate dealing with software vulnerabilities.
Using AI, Autofix analyzes vulnerabilities in code, explains why each vulnerability matters, and then presents developers with suggested changes to fix each issue as it arises.
During the public beta, GitHub found that developers using the tool fixed software vulnerabilities more than three times faster than those fixing the same kinds of issues manually.
Fixes for cross-site scripting vulnerabilities were seven times faster, taking 22 minutes with Autofix compared to nearly three (2.8) hours manually. For SQL injection vulnerabilities, fixes were 12 times faster at 18 minutes compared to 3.7 hours.
The firm described the tool as “a powerful example of how AI agents can radically simplify and accelerate secure software development.”
"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," said Kevin Cooper, principal engineer at Optum.
During the beta, which began in March 2024, developers used Autofix in their pull requests to fix issues in new code quickly and efficiently before it reached production and was exposed to end users.
Autofix can generate fixes for “dozens of classes of code vulnerabilities”, like SQL injection or cross-site scripting. Developers can choose what to do with fixes in their pull requests and can decide whether they want to dismiss, edit, or commit them.
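The article names SQL injection as one of the vulnerability classes Autofix can fix. The following is an added example, not code from the article or from GitHub, showing the kind of "before" pattern that a code-scanning alert flags and the parameterized "after" form that such a fix replaces it with; the table, the sample rows and the function names are constructed for the illustration.

```python
import sqlite3

# Constructed sample data standing in for an application's users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """'Before': untrusted input is interpolated straight into the statement.

    This is the pattern a code-scanning alert reports as SQL injection:
    the database cannot tell user data apart from SQL syntax.
    """
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, name):
    """'After': the value is bound as a query parameter.

    The driver passes it to the engine as data, so the statement's
    structure is fixed no matter what the input contains.
    """
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Return (rows from vulnerable lookup, rows from fixed lookup) for one input."""
    conn = make_db()
    return len(find_user_vulnerable(conn, name)), len(find_user_fixed(conn, name))


if __name__ == "__main__":
    # Benign input behaves the same in both versions; an input that
    # carries SQL syntax only changes the result of the vulnerable one.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

Running the script shows both versions returning one row for a normal username, while the tautology input makes only the interpolated query return every row in the table.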
How to use GitHub’s Copilot Autofix
To use the tool, users need to press the “Generate fix” button in the GitHub Advanced Security (GHAS) code-scanning alert. Thereafter, Copilot Autofix sets about analyzing the code for vulnerabilities.
Once a code solution is returned, the developer can press “create PR with fix” to create a new pull request that includes the relevant code fixes, allowing teams to “pay down years’ worth of security debt … in just a matter of a few clicks.”
“Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible,” Mario Landgraf, Community Manager, Security at Otto, said.
“Vulnerabilities are flagged immediately and code changes are recommended automatically. It helps our teams to free up time so they can focus on more strategic initiatives,” he added.

George Fitzmaurice is a former Staff Writer at ITPro and ChannelPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.