
GitHub Introduces Code Scanning Autofix, Powered by Copilot and CodeQL

March 21, 2024: GitHub has launched a new feature called code scanning autofix, which is now available in public beta for all GitHub Advanced Security customers.

The feature, powered by GitHub Copilot and CodeQL, aims to help developers fix vulnerabilities more quickly and easily, reducing the growing problem of “application security debt.”

Code scanning autofix supports more than 90% of alert types in popular programming languages such as JavaScript, TypeScript, Java, and Python.

When a vulnerability is discovered in one of these languages, the feature provides developers with a natural language explanation of the suggested fix, together with a preview of the code suggestion.

Developers can then accept, edit, or dismiss the suggestion. Notably, these code suggestions have been shown to remediate more than two-thirds of found vulnerabilities with little or no editing required.

Pierre Tempel and Eric Tooley, authors of the blog post announcing the feature, state that code scanning autofix is “the subsequent step forward” in GitHub’s vision for application security, where “found means fixed.”


By prioritizing the developer experience, the company aims to help teams remediate vulnerabilities up to seven times faster than traditional security tools.

Behind the scenes, code scanning autofix uses the CodeQL engine together with a mix of heuristics and GitHub Copilot APIs to generate code suggestions.

These suggestions can include changes to multiple files as well as the dependencies that should be added to the project.

GitHub plans to continue adding support for more languages, with C# and Go coming next.

The company encourages users to join the autofix feedback and resources discussion to share their experiences and help guide further improvements to the feature.

The introduction of code scanning autofix is expected to benefit both development and security teams.

Developers will be able to reclaim time previously spent on remediation, while security teams can focus on protecting the business and keeping up with the accelerated pace of development, as the volume of everyday vulnerabilities is reduced.
