
GitHub announced on Wednesday that it is making a feature called Code Scan Auto-Remediation available in public beta to all Advanced Security customers to provide targeted recommendations to avoid introducing new security issues.
“Powered by GitHub Copilot and CodeQL, code scanning auto-repair covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and provides code suggestions that fix, with little or no editing, more than two-thirds of the vulnerabilities discovered,” said GitHub’s Pierre Tempel and Eric Tooley.
First previewed in November 2023, this feature leverages a combination of CodeQL, Copilot API, and OpenAI GPT-4 to generate code suggestions. The Microsoft subsidiary also said it plans to add support for more programming languages in the future, including C# and Go.
Code scanning auto-remediation is designed to help developers address vulnerabilities as they code by generating potential fixes and providing natural language explanations when issues are found in supported languages.

These suggestions may go beyond the scope of the current file and include changes to several other files as well as dependencies that should be added to correct the problem.
“Code scanning automated remediation lowers the barrier to entry for developers by combining best practice information with code base details and alerting them to suggest potential fixes,” the company said.
“Rather than searching for information about a vulnerability, developers start with a code suggestion that showcases potential solutions for their code base.”
Even so, developers still need to evaluate each proposal, determine whether it is the right solution, and ensure that it does not deviate from the program's intended behavior.
GitHub also highlighted the current limitations of automatic fix suggestions, which is why developers must carefully review changes and dependencies before accepting them. The feature may:
- Suggest code changes that are syntactically incorrect
- Suggest code that is syntactically correct but placed in the wrong location
- Suggest fixes that are syntactically valid but change the semantics of the program
- Suggest fixes that do not resolve the root cause or that introduce new vulnerabilities
- Suggest fixes that only partially address the underlying flaw
- Suggest unsupported or unsafe dependencies
- Propose arbitrary dependencies, leading to possible supply chain attacks
“The system has an incomplete understanding of dependencies released in the broader ecosystem,” the company noted. “This may lead to recommendations that add new dependencies on malware released by attackers under statistically likely dependency names.”
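One defender-side check for the last two caveats, as an added example that is not GitHub's code: a small review gate that lists every dependency an autofix diff would add to requirements.txt or package.json that is not on a reviewer-maintained allowlist, so a human looks at those names before the suggestion is merged. The allowlist, the manifest formats handled, and the sample diff are constructed assumptions, not anything from the feature itself.

```python
import re

# Constructed allowlist of dependencies already vetted for this code base (hypothetical names).
APPROVED = {"flask", "requests", "express"}
# Per-manifest regex that captures a dependency name from one added line (assumed formats).
NAME_PATTERNS = {
    "requirements.txt": re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)"),  # name[==pin]
    "package.json": re.compile(r'^\s*"([^"]+)"\s*:\s*"[^"]*",?\s*$'),      # "name": "range",
}
NON_DEPENDENCY_KEYS = {"name", "version", "description", "main", "license"}  # package.json metadata

def added_lines(diff: str, filename: str) -> list[str]:
    """Collect the '+' lines of a unified diff that belong to a file named `filename`."""
    out, in_file = [], False
    for line in diff.splitlines():
        if line.startswith("+++ "):  # new-file header, e.g. "+++ b/requirements.txt"
            in_file = line[4:].strip().split("/")[-1] == filename
        elif in_file and line.startswith("+"):
            # requirements.txt allows trailing '#' comments; JSON values may contain '#', so keep them
            out.append(line[1:].split("#", 1)[0] if filename.endswith(".txt") else line[1:])
    return out

def unapproved_dependencies(diff: str, approved: set[str] = APPROVED) -> list[str]:
    """Names the suggested change would add to a manifest that are not on the allowlist."""
    found = set()
    for filename, pattern in NAME_PATTERNS.items():
        for line in added_lines(diff, filename):
            m = pattern.match(line)
            if m and m.group(1) not in NON_DEPENDENCY_KEYS:
                found.add(m.group(1).lower())
    return sorted(found - {n.lower() for n in approved})

# Constructed diff standing in for an autofix suggestion that touches two manifests.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 flask==3.0.0
+safe-yaml-loader==1.0.0  # added by the suggestion
 requests==2.31.0
--- a/package.json
+++ b/package.json
@@ -3,4 +3,5 @@
   "dependencies": {
     "express": "^4.18.0",
+    "sanitize-html-safe": "^0.1.0",
"""

if __name__ == "__main__":
    print(unapproved_dependencies(SAMPLE_DIFF))  # ['safe-yaml-loader', 'sanitize-html-safe']
```

Anything this prints is a name the reviewer has to confirm actually exists in the intended registry and is the package the suggestion meant, rather than a plausible-sounding name nobody on the team has vetted.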