GitHub Launches AI-Powered Autofix Tool For Security Flaw Patching

Published on March 21st, 2024

GitHub announced on Wednesday the launch of a new feature called code scanning autofix, now in public beta for all Advanced Security customers. The aim is to offer precise recommendations to prevent the introduction of new security vulnerabilities.

Pierre Tempel and Eric Tooley of GitHub shared, “This feature, powered by GitHub Copilot and CodeQL, addresses over 90% of alert types in JavaScript, TypeScript, Java, and Python.

It provides code suggestions proven to resolve more than two-thirds of identified vulnerabilities with minimal or no manual editing required.”

Initially showcased in November 2023, this capability utilizes a blend of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions.

The Microsoft-owned subsidiary also disclosed plans to extend support to additional programming languages, such as C# and Go, in the future.

The purpose of code scanning autofix is to assist developers in rectifying vulnerabilities during the coding process by offering potential fixes and explanations in natural language whenever a problem arises in a supported language.

The recommendations may extend beyond the current file, encompassing changes required in several other files and the dependencies that need to be added to resolve the issue.

“By merging insights on coding best practices with specific details from the codebase and alerts, Code scanning autofix simplifies the developer’s path,” explained the company.

“Rather than beginning with a search for vulnerability information, developers are presented with a code suggestion showcasing a potential solution tailored to their codebase.”

However, it remains the developer’s responsibility to assess the suggestions, ensuring they align with the intended behavior of the code and determining if they are the appropriate solutions.

While GitHub’s autofix suggestions are helpful, it’s important to remember they have limitations. Developers should carefully review all changes and dependencies before accepting them, as the suggestions could:

  • Introduce incorrect code that won’t work (syntactic errors).
  • Fix code in the wrong place, missing the actual issue.
  • Change the program’s behavior unintentionally (semantic changes).
  • Fail to address the security vulnerability or introduce new ones.
  • Only partially fix the problem, leaving it vulnerable.
  • Recommend unsupported or insecure libraries.
  • Introduce unnecessary dependencies, potentially opening doors for supply chain attacks.

Since GitHub’s system can’t vet every dependency available in public package registries, there’s a chance its suggestions might include adding a harmful one.

Attackers can exploit this by disguising malicious software with common-sounding names. This means you should carefully check any dependency recommendations before adding them to your project.
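One concrete way to apply that advice before merging an autofix suggestion is to inspect the dependency lines it adds and flag anything that needs human vetting: packages not on the project's allowlist, versions that are not pinned, and names that closely resemble a well-known package. The script below is an added example written for this article; it is not GitHub's code and does not use any GitHub API. The `requirements.txt` diff, the allowlist, the list of well-known names and the package names in the hunk are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the requirements.txt hunk of a proposed fix, as it might
# appear in a pull-request diff. "reqeusts" and "html-sanitizer-helper" are
# invented names for the example.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,5 @@
 flask==3.0.2
 requests==2.31.0
+pyyaml==6.0.1
+reqeusts>=2.0
+html-sanitizer-helper
"""

# Packages the project has already vetted (constructed allowlist).
ALLOWLIST = {"flask", "requests", "pyyaml"}

# Well-known names used to spot lookalike spellings (constructed, not exhaustive).
KNOWN_NAMES = {"requests", "flask", "pyyaml", "django", "numpy"}

# A requirement line: package name, then whatever version specifier follows.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def normalize(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_added_requirements(diff_text):
    """Return (normalized_name, version_spec) for every requirement line the diff adds."""
    added = []
    for line in diff_text.splitlines():
        # Only '+' lines are additions; '+++' is the file header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:].strip()
        if not body or body.startswith("#"):
            continue
        match = REQ_RE.match(body)
        if match:
            added.append((normalize(match.group(1)), match.group(2).strip()))
    return added


def lookalike_of(name, known):
    """Return a well-known name this one closely resembles (but does not equal), else None."""
    for candidate in sorted(known):
        if candidate != name and SequenceMatcher(None, name, candidate).ratio() >= 0.85:
            return candidate
    return None


def review_added_dependencies(diff_text, allowlist=ALLOWLIST, known=KNOWN_NAMES):
    """Produce (package, reason) findings a reviewer should resolve before merging."""
    findings = []
    for name, spec in parse_added_requirements(diff_text):
        if name not in allowlist:
            findings.append((name, "not on the project allowlist; needs manual vetting"))
        if not spec.startswith("=="):
            findings.append((name, "version not pinned with ==; resolution may drift"))
        twin = lookalike_of(name, known)
        if twin:
            findings.append((name, f"name resembles well-known package '{twin}'"))
    return findings


if __name__ == "__main__":
    for package, reason in review_added_dependencies(SAMPLE_DIFF):
        print(f"{package}: {reason}")
```

Run against the constructed hunk, the pinned and allowlisted `pyyaml` line passes silently, while `reqeusts` is flagged three times (unknown, unpinned, and a near-miss of `requests`) and the unpinned `html-sanitizer-helper` twice. The similarity threshold and the allowlist are deliberately simple; in practice the allowlist would be the project's lockfile or an internal package index, and the check would run in CI on every pull request that touches a manifest.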