It's a bad day for bugs. Sentry today announced its AI Autofix feature for debugging production code, and now, a few hours later, GitHub is launching the first beta of its Autofix feature for code scanning, which finds and fixes security vulnerabilities during the coding process. The new feature combines the real-time capabilities of GitHub's Copilot with CodeQL, the company's semantic code analysis engine. The company first previewed this feature last November.
GitHub promises that the new system can fix more than two-thirds of the vulnerabilities it finds, often without developers having to edit any code themselves. The company also says that code scanning autofix covers more than 90% of alert types in the supported languages, currently JavaScript, TypeScript, Java and Python.
The new feature is now available to all GitHub Advanced Security (GHAS) customers.
“Just like GitHub Copilot relieves developers of tedious and repetitive tasks, automatic remediation of code scanning will help development teams regain the time previously spent on remediation,” writes GitHub in today’s announcement. “Security teams also profit from a reduced volume of everyday vulnerabilities, allowing them to deal with strategies to guard the business while keeping up with the accelerated pace of development.”
Under the hood, the new feature uses CodeQL, GitHub's semantic analysis engine, to find vulnerabilities in code before it has even been executed. The company made a first generation of CodeQL publicly available in late 2019 after acquiring the code analysis startup Semmle, where CodeQL originated. CodeQL has received numerous improvements over the years, but one thing has never changed: CodeQL has only been available free of charge to researchers and open source developers.
CodeQL is the core of the new tool, although GitHub also notes that it uses “a mixture of heuristics and GitHub Copilot APIs” to suggest fixes. To generate the fixes and their explanations, GitHub uses OpenAI's GPT-4 model. And while GitHub is apparently confident enough to assume that the vast majority of autofix suggestions will be correct, the company does expect that “a small percentage of proposed fixes will reflect a major misunderstanding of the codebase or vulnerability.”