On Wednesday, GitHub announced the general availability of Copilot Autofix, an AI-driven tool designed to identify and remediate software vulnerabilities.
Thank you for reading this post, don't forget to subscribe!Originally unveiled in March and tested in public beta, Copilot Autofix integrates GitHub’s CodeQL scanning engine with GPT-4, heuristics, and Copilot APIs to generate code suggestions for developers. The tool provides prompts based on CodeQL analysis and code snippets, allowing users to accept, edit, or reject the suggestions.
In a blog post, Mike Hanley, GitHub’s Chief Security Officer and Senior Vice President of Engineering, highlighted the challenges developers and security teams face in addressing existing vulnerabilities. “Code scanning tools can find vulnerabilities, but the real issue is remediation, which requires security expertise and time—both of which are in short supply,” Hanley noted. “The problem isn’t finding vulnerabilities; it’s fixing them.”
According to GitHub, the private beta of Copilot Autofix showed that users could respond to a CodeQL alert and automatically remediate a vulnerability in a pull request in just 28 minutes on average, compared to 90 minutes for manual remediation. The tool was even faster for common vulnerabilities like cross-site scripting, with remediation times averaging 22 minutes compared to three hours manually, and SQL injection flaws, which were fixed in 18 minutes on average versus almost four hours manually.
Hanley likened the efficiency of Copilot Autofix in fixing vulnerabilities to the speed at which GitHub Copilot, their generative AI coding assistant released in 2022, produces code for developers. However, there have been concerns that GitHub Copilot and similar AI coding assistants could replicate existing vulnerabilities in the codebases they help generate.
Industry analyst Katie Norton from IDC noted that while the replication of vulnerabilities is concerning, the rapid pace at which AI coding assistants generate new software could pose a more significant security issue. Chris Wysopal, CTO and co-founder of Veracode, echoed this concern, pointing out that faster coding speeds have led to more software being produced and a larger backlog of vulnerabilities for developers to manage.
Norton also emphasized that AI-powered tools like Copilot Autofix could help alleviate the burden on developers by reducing these backlogs and enabling them to fix vulnerabilities without needing to be security experts. Other vendors, including Mobb and Snyk, have also developed AI-powered autoremediation tools.
Initially supporting JavaScript, TypeScript, Java, and Python during its public beta, Copilot Autofix now also supports C#, C/C++, Go, Kotlin, Swift, and Ruby.
Hanley also highlighted that Copilot Autofix would benefit the open-source software community. GitHub has previously provided open-source maintainers with free access to enterprise security tools for code scanning, secret scanning, and dependency management. Starting in September, Copilot Autofix will also be made available for free to these maintainers.
“As the global home of the open-source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities, making open-source software safer and more reliable for everyone,” Hanley said.
Copilot Autofix is now available to all GitHub customers globally.