GitHub announced on Wednesday that it is making a feature called code scanning autofix available in public beta to all Advanced Security customers. It provides targeted fix suggestions for code scanning alerts so that developers can remediate findings without introducing new security issues.
“With GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and provides code suggestions that fix more than two-thirds of detected vulnerabilities with little to no editing,” said Pierre Tempel and Eric Tooley of GitHub.
The feature, first previewed in November 2023, uses a combination of CodeQL, the Copilot API, and OpenAI's GPT-4 to generate the suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.
Code scanning autofix is designed to help developers address vulnerabilities as they code: when CodeQL flags an issue in a supported language, it generates a candidate fix together with a natural-language explanation of the problem and the proposed change.
A suggestion is not limited to the file that raised the alert; it may touch several other files and may add dependencies that the proposed fix needs.
“The automatic code scan fix lowers the barrier of entry for developers by combining best practice information with code base details and alerts to suggest a potential fix to the developer,” the company said.
“Instead of starting with a search for vulnerability information, the developer starts with a code tip that demonstrates a potential fix for their code base.”
That said, it is up to the developer to evaluate each recommendation, decide whether it is the right fix, and confirm that it does not change the program's expected behaviour.
GitHub also spelled out the current limitations of autofix suggestions, which is why developers should carefully review both the code changes and any added dependencies before accepting them. Autofix may:
- Suggest fixes that are not syntactically correct code changes
- Suggest fixes that are syntactically correct but placed in the wrong location
- Suggest fixes that are syntactically valid but change the semantics of the program
- Suggest fixes that fail to address the root cause, or that introduce new vulnerabilities
- Suggest fixes that only partially address the underlying flaw
- Suggest unsupported or insecure dependencies
- Suggest arbitrary dependencies, opening the door to supply chain attacks
“The system has incomplete knowledge of published dependencies in the broader ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published with a statistically probable dependency name.”
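One practical gate against the last two limitations, written as an added example for this article (it is not GitHub's code and not part of autofix): before accepting a suggestion that touches the requirements file, diff the added package names against the project's lockfile and against the names that actually exist on the registry, and block anything that is unregistered (a hallucinated name, exactly what an attacker would pre-register) or a one- or two-character look-alike of a known name. The lockfile, the registry set, the look-alike package "urlib3" and the diff below are all constructed stand-ins; a real gate would read the actual lockfile and query the registry or a mirrored allowlist.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for what a real gate would fetch: the project's
# lockfile and the set of names known to exist on the package registry.
# "urlib3" is a made-up registered look-alike of urllib3 for illustration.
LOCKFILE = ["flask", "requests", "urllib3"]
REGISTRY = ["flask", "requests", "urllib3", "urlib3", "defusedxml",
            "bleach", "markupsafe", "werkzeug", "Flask-Login"]

# Constructed unified diff of requirements.txt as an autofix might propose it.
# "reqeusts" and "bleach-sanitizer" do not exist in REGISTRY.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,8 @@
 flask==3.0.0
 requests==2.31.0
 urllib3==2.2.1
+defusedxml==0.7.1
+reqeusts==2.31.0
+bleach-sanitizer==1.0.0
+urlib3==2.2.0
+Flask-Login==0.6.3
"""

# An added requirement line: one leading "+" (not the "+++" file header),
# a package name, and an optional version specifier such as ==1.0 or >=2.
REQ_LINE = re.compile(
    r"^\+(?!\+\+)\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:[=<>!~]=?.*)?$")


def normalize(name: str) -> str:
    """PEP 503 normalisation: Flask_Login, flask-login and FLASK.LOGIN compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character look-alikes of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def added_requirements(diff_text: str) -> list[str]:
    """Normalised names of the packages a diff adds, in diff order."""
    return [normalize(m.group(1))
            for m in map(REQ_LINE.match, diff_text.splitlines()) if m]


@dataclass
class Finding:
    package: str
    verdict: str   # "ok" | "new" | "lookalike" | "unknown"
    detail: str


def review_added_dependencies(diff_text, lockfile, registry, max_distance=2):
    """Classify every dependency a proposed diff adds.

    ok         already pinned in the lockfile
    new        exists on the registry, not yet used by the project
    lookalike  exists on the registry but is within max_distance edits of a
               name already in the lockfile or registry (typosquat pattern)
    unknown    not on the registry at all: a hallucinated name
    """
    lock = {normalize(n) for n in lockfile}
    reg = {normalize(n) for n in registry}
    findings = []
    for name in added_requirements(diff_text):
        if name in lock:
            findings.append(Finding(name, "ok", "already pinned in the lockfile"))
            continue
        near = sorted(k for k in lock | reg
                      if k != name and levenshtein(name, k) <= max_distance)
        if name not in reg:
            detail = ("not on the registry; resembles " + ", ".join(near)
                      if near else "not on the registry; possibly hallucinated")
            findings.append(Finding(name, "unknown", detail))
        elif near:
            findings.append(Finding(name, "lookalike",
                                    "on the registry but resembles " + ", ".join(near)))
        else:
            findings.append(Finding(name, "new", "on the registry; new to this project"))
    return findings


def blocking_findings(findings):
    """The verdicts that should stop a suggestion from being merged unreviewed."""
    return [f for f in findings if f.verdict in ("unknown", "lookalike")]


if __name__ == "__main__":
    for f in review_added_dependencies(SAMPLE_DIFF, LOCKFILE, REGISTRY):
        print(f"{f.verdict:9} {f.package:18} {f.detail}")
```

On the constructed diff this reports defusedxml and flask-login as new, reqeusts as unknown (two edits away from requests), bleach-sanitizer as unknown with no near match, and urlib3 as a registered look-alike of urllib3; the last three are the ones to block. The "new" verdict is deliberately not a pass: a genuinely registered package that the project never used still needs a human to confirm it is maintained and actually required by the fix.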