The new feature uses the CodeQL engine to find vulnerabilities in code before it has been executed. CodeQL was made publicly available in late 2019 after GitHub acquired code analysis startup Semmle. GitHub also uses a combination of heuristics and GitHub Copilot APIs to suggest fixes, and generates these fixes and their explanations using OpenAI’s GPT-4 model. However, the company has noted that a small percentage of suggested fixes may reflect a significant misunderstanding of the codebase or the vulnerability.
Key takeaways:
- GitHub has launched the first beta of its code scanning autofix feature, which finds and fixes security vulnerabilities during the coding process.
- This new feature combines the real-time capabilities of GitHub’s Copilot with CodeQL, the company’s semantic code analysis engine.
- GitHub promises that this new system can remediate more than two-thirds of the vulnerabilities it finds and will cover more than 90% of alert types in the languages it supports, which are currently JavaScript, TypeScript, Java, and Python.
- This new feature is now available for all GitHub Advanced Security (GHAS) customers and uses OpenAI’s GPT-4 model to generate the fixes and their explanations.