GitHub launches code scanning autofix for advanced security customers
GitHub has announced the public beta availability of its code scanning autofix for all GitHub Advanced Security (GHAS) customers. This auto-fixing feature, powered by GitHub Copilot and CodeQL, is designed to address vulnerabilities in code as they are identified, significantly reducing remediation time and effort.
The new feature covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python. Furthermore, it is capable of remediating over two-thirds of discovered vulnerabilities with minimal or zero editing, offering an intuitive and more efficient coding experience for developers.
Eric Tooley, Senior Product Marketing Manager at GitHub, says that the new autofix feature brings them closer to realising their vision for application security, where "found means fixed." He stated: "By prioritising the developer experience in GitHub Advanced Security, we are already helping teams remediate 7x faster than traditional security tools. Code scanning autofix is the next leap forward, helping developers dramatically reduce time and effort spent on remediation."
The majority of organisations admit to an ever-growing number of unremediated vulnerabilities within their production repositories. Tooley stresses that code scanning autofix addresses this issue, enabling developers to eliminate vulnerabilities as they code and slowing the growth of so-called 'application security debt'.
Just as GitHub Copilot relieves developers of tedious and repetitive tasks, code scanning autofix is intended to help development teams reclaim time previously spent on remediation. The feature also promises a lower volume of common vulnerabilities, allowing security teams to concentrate on business-focused protection strategies while keeping pace with rapid development.
When a vulnerability is found in a supported language, the fix suggestion includes a natural language explanation of the recommended solution alongside a preview of the proposed code change. The developer can accept, edit, or dismiss the suggestion, which may span the current file and several others, and may also add the dependencies the fix requires to the project.
GitHub plans to extend support to more programming languages, with C# and Go slated as the next additions. This expansion demonstrates GitHub's commitment to shifting application security towards an environment where vulnerabilities, once identified, are remediated promptly, streamlining the developer's experience and increasing efficiency.
For the uninitiated, code scanning autofix uses the CodeQL engine together with a combination of heuristics and GitHub Copilot APIs to generate code suggestions. Developers are encouraged to join the autofix feedback and resources discussion to share their experiences and contribute to further enhancements of the autofix experience.