The big picture: Software development moves at breakneck speed these days, with developers constantly releasing new features. However, despite their best efforts, security vulnerabilities still manage to slip into production code, remaining one of the leading causes of breaches. While scanning tools can detect these flaws, actually fixing them requires specialized security expertise and significant time. In other words, the challenge isn't always identifying vulnerabilities; it's remediating them quickly.
GitHub aims to assist with its newly available Copilot Autofix tool. Now integrated into GitHub Advanced Security, this AI-powered feature is designed to help developers address security vulnerabilities flagged by code scanning more quickly.
Copilot Autofix analyzes security defects detected in pull requests and provides explanations along with suggested fixes. Developers can then choose to dismiss, adjust, or commit the AI-generated suggestions with just a few clicks.
The tool addresses a wide range of vulnerability classes, including SQL injection and cross-site scripting (XSS) flaws. It helps eliminate newly introduced issues and tackle the backlog of existing security debt. Addressing these vulnerabilities in a timely manner can significantly reduce the risk of costly security breaches.
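To make the two vulnerability classes concrete, here is a constructed example (added for this article, not code from GitHub or from Copilot Autofix) showing what a typical "before" and "after" looks like for SQL injection and reflected XSS in a small Python web-style handler. The functions, table, and payload strings are assumptions chosen for illustration; the pattern of the fix (parameterized queries, output encoding) is what an AI-generated suggestion for these classes would have to produce. The `demo()` function runs the same malicious inputs through the vulnerable and fixed paths so a reviewer can check that a proposed fix actually changes behaviour, rather than accepting it on sight.

```python
"""Constructed SQL injection and XSS before/after pairs (example code, not Copilot Autofix output)."""
import html
import sqlite3


def make_db():
    # In-memory table with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_role_vulnerable(conn, name):
    # BEFORE: user input is concatenated into the SQL text, so a quote in
    # 'name' terminates the literal and the rest is executed as SQL.
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_role_fixed(conn, name):
    # AFTER: a bound parameter keeps the input as data; the SQL text is fixed.
    query = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]


def greeting_vulnerable(name):
    # BEFORE: untrusted input is placed directly into HTML, so markup in
    # 'name' becomes part of the page (reflected XSS).
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    # AFTER: HTML-encode the input for the HTML text context it lands in.
    # (An attribute or JavaScript context would need a different encoder.)
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attack inputs.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both payloads through the vulnerable and fixed code paths."""
    conn = make_db()
    return {
        # The OR-clause makes the WHERE true for every row: all roles leak.
        "sqli_vulnerable": lookup_role_vulnerable(conn, SQLI_PAYLOAD),
        # No user is literally named "x' OR '1'='1", so nothing is returned.
        "sqli_fixed": lookup_role_fixed(conn, SQLI_PAYLOAD),
        "xss_vulnerable": greeting_vulnerable(XSS_PAYLOAD),
        "xss_fixed": greeting_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

When reviewing a suggested fix in a pull request, the useful check is the one `demo()` performs: feed the original finding's payload through the patched code and confirm the outcome changed. A fix that merely moves the concatenation or escapes for the wrong output context will pass a visual review and still be exploitable.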
During its public beta phase earlier this year, GitHub found that developers were resolving vulnerabilities over three times faster with Copilot Autofix compared to manual remediation.
The time savings were even more impressive for specific flaw types. For example, remediation time for XSS bugs fell from an average of three hours manually to just 22 minutes with Autofix. Similarly, SQL injection flaws saw remediation times drop from 3.7 hours to an average of 18 minutes. Early adopters are already reporting significant benefits from using the tool.
Kevin Cooper, principal engineer at Optum, said, "Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity."
To get Copilot Autofix working on existing code, developers simply click the "Generate fix" button on a GitHub code scanning alert. Then, with another click on "Create PR with fix," all necessary changes are bundled into a new pull request.
Under the hood, the tool combines heuristics, GitHub's Copilot AI, the CodeQL analysis engine, and GPT-4 to generate intelligent fix suggestions.
This feature aligns with Microsoft-owned GitHub's commitment to fostering a safer open-source ecosystem. Starting next month, Copilot Autofix will be available for free to all open-source projects hosted on the platform.