GitHub Launches New AI Auto-Fix Tool
GitHub unveiled a new code scanning autofix tool for devs
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
GitHub unveiled a new feature, code scanning autofix, now in public beta for all Advanced Security customers. This initiative aims to offer targeted recommendations, powered by GitHub Copilot and CodeQL, to prevent the introduction of new security vulnerabilities.
Pierre Tempel and Eric Tooley from GitHub explained that code scanning autofix utilizes CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. Currently covering over 90% of alert types in JavaScript, TypeScript, Java, and Python, it provides remedies for more than two-thirds of detected vulnerabilities with minimal editing required.
Originally previewed in November 2023, this feature plans to expand its support to include additional programming languages such as C# and Go in the future.
Designed to assist developers in addressing vulnerabilities during the coding process, code scanning autofix generates potential fixes and offers natural language explanations for detected issues. These suggestions may extend beyond the current file, encompassing modifications to multiple files and dependencies necessary to resolve the issue.
GitHub stated, "Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer." This approach shifts the focus from searching for vulnerability information to providing concrete solutions tailored to the codebase.
However, it remains the developer's responsibility to evaluate the recommendations, ensuring they align with the intended behavior of the code and do not introduce new vulnerabilities. GitHub emphasized the current limitations of autofix suggestions, urging developers to carefully review changes and dependencies before acceptance:
- Fixes may not always be syntactically correct or may be suggested in the wrong location.
- Fixes may alter the semantics of the program or fail to address the root cause adequately.
- Some suggestions may only partially resolve the underlying flaw or introduce unsupported or insecure dependencies.
- Arbitrary dependencies may be recommended, potentially leading to supply chain attacks.
GitHub acknowledged that the system's knowledge of dependencies within the wider ecosystem is incomplete, which may result in suggestions that inadvertently introduce malicious software dependencies. Vigilance and thorough review are essential to mitigate these risks during development.
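One concrete review step for the dependency risk described above is to inspect what a suggested fix would add to the project's dependency manifest before accepting it. The following is an added example, not GitHub's or CodeQL's own code: it parses a unified diff, lists every package a fix would add to `requirements.txt`, and flags packages that are outside a project allowlist or not pinned to an exact version. The allowlist, the sample diff and the package name `totally-new-helper` are all constructed for illustration.

```python
"""Review helper for autofix suggestions that add dependencies.

Added example (not GitHub's code). Given a unified diff from a fix
suggestion, extract dependencies added to requirements.txt and flag the
ones a reviewer should not accept blindly: packages outside an approved
allowlist and packages without an exact version pin.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist: packages this project has already vetted.
APPROVED_PACKAGES = {"requests", "defusedxml", "bleach"}

# Matches a requirements line such as "name==1.2.3" or "name>=1.0" or "name".
REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.\-]*)\s*"
    r"(?P<op>===|==|~=|!=|>=|<=|>|<)?\s*(?P<ver>[^\s;#]*)"
)


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class AddedDependency:
    name: str
    operator: Optional[str]
    version: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only an exact '==' pin with a version counts as pinned.
        return self.operator == "==" and bool(self.version)


def added_dependencies(diff: str, manifest: str = "requirements.txt") -> list:
    """Return dependencies introduced by '+' lines in hunks for the manifest file."""
    deps = []
    in_manifest = False
    for line in diff.splitlines():
        if line.startswith("+++ "):
            # '+++ b/requirements.txt' opens the manifest's hunks; any other
            # file header closes them so code changes are not mistaken for deps.
            in_manifest = line.endswith(manifest)
            continue
        if not in_manifest or not line.startswith("+"):
            continue
        spec = line[1:].strip()
        if not spec or spec.startswith("#"):
            continue
        m = REQ_LINE.match(spec)
        if m:
            deps.append(AddedDependency(canonical_name(m["name"]), m["op"], m["ver"] or None))
    return deps


def review_dependencies(diff: str, approved=APPROVED_PACKAGES) -> dict:
    """Summarise which added packages need human review and why."""
    findings = {"unapproved": [], "unpinned": []}
    for dep in added_dependencies(diff):
        if dep.name not in approved:
            findings["unapproved"].append(dep.name)
        if not dep.pinned:
            findings["unpinned"].append(dep.name)
    return findings


# Constructed sample: a fix that swaps in defusedxml (vetted, pinned) and also
# pulls in an unknown, unpinned package. The import in app.py must not count
# as a manifest dependency.
SAMPLE_DIFF = """\
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,3 +1,4 @@
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
+import totally_new_helper
 
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,1 +1,3 @@
 requests==2.31.0
+defusedxml==0.7.1
+totally-new-helper
"""

if __name__ == "__main__":
    for category, names in review_dependencies(SAMPLE_DIFF).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run as a pre-merge check on the suggested patch, a non-empty `unapproved` or `unpinned` list is the signal to look up the package by hand before accepting the fix; the allowlist is deliberately a plain set so it can be replaced by whatever the project already uses to vet dependencies.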