GitHub Launches AI Tool to Detect Code Vulnerabilities

GitHub has introduced a new AI-powered feature designed to speed up the process of fixing vulnerabilities during code development. Currently available as a public beta, this feature is automatically enabled for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

How Code Scanning Autofix Works

The new feature, called Code Scanning Autofix, is built on GitHub Copilot and CodeQL. According to the developers, it helps address 90% of security alerts in JavaScript, TypeScript, Java, and Python. In the coming months, GitHub plans to add support for more languages, including C# and Go.

Once enabled, Code Scanning Autofix suggests possible fixes that, according to GitHub, can resolve more than two-thirds of detected vulnerabilities with minimal manual editing required.

How Developers Benefit

“When a vulnerability is detected in a supported language, the suggested fix will include a natural language explanation and a preview of the proposed code, which the developer can accept, edit, or reject,” GitHub explains.

These suggestions and explanations may involve changes to the current file, multiple files, or even dependencies within the project. This approach is expected to significantly reduce the number of vulnerabilities that security professionals face daily, allowing them to focus on overall organizational security instead of spending extra resources on new issues that arise during development.

“Just as GitHub Copilot frees developers from tedious and repetitive tasks, Code Scanning Autofix will help teams reclaim time previously spent on fixing vulnerabilities,” the company says.

Important Considerations

GitHub emphasizes that developers should always carefully review vulnerability fixes, as the AI feature may sometimes suggest solutions that only partially address the issue or fail to maintain the necessary code functionality.
