GitHub is introducing a new code scanning automatic repair tool that can search for vulnerabilities in software code in a bid to help developers and increase productivity.
The new feature will be available starting today in public beta for all GitHub Advanced Security customers, the company confirmed.
Powered by GitHub Copilot and CodeQL, the tool covers more than 90% of alert types in the JavaScript, TypeScript, Java, and Python programming languages, and can offer code suggestions that fix vulnerabilities “with little or no editing.”
CodeQL is the semantic code analysis engine developed by GitHub to automate security checks and treats code as data, allowing developers to find potential vulnerabilities in code with greater confidence than traditional static analyzers.
Code security scanning tools help identify vulnerabilities in code, but fixing them involves triaging alerts and consulting documentation before a change can be made, all of which takes time.
GitHub said the code scan auto-repair tool provides developers with an explanation of the issue and code suggestions to fix it directly in the pull request.
The tool can explain what is causing the alert, for example 'the response provided by the user is used directly in the HTTP response without any sanitization', and then give a detailed explanation of why that is a problem.
The tool can then suggest a solution, offering a preview of the code suggestion that the developer can accept, edit, or discard.
Code suggestions can include changes to multiple files and dependencies that need to be added to the project, the firm said. The code scanning auto-repair tool uses the CodeQL engine and a combination of heuristics and GitHub Copilot APIs to generate these suggestions.
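As an added illustration of the kind of alert quoted above (this is not code from GitHub or from the tool itself), here is the reflected unsanitized-input pattern in a simplified, hypothetical Express-style JavaScript handler, shown as the version a scanner would flag next to the form a suggested fix would produce; the handler shape and the request object are assumptions made for the example.

```javascript
// Added example, not GitHub's code. The request/response shapes are a
// simplified, hypothetical stand-in for an Express-style route handler.

// BEFORE: a user-controlled query parameter is written into the HTML body
// untouched. This is the data flow an alert like the one quoted above
// describes: request parameter -> HTTP response, with no sanitization.
function greetUnsafe(req) {
  const name = req.query.name || "guest";
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<h1>Hello, ${name}!</h1>`,
  };
}

// Minimal HTML escaping for text placed inside an element body or a
// double-quoted attribute: the five characters that can break out of either.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// AFTER: the same handler with the untrusted value encoded before it is
// interpolated into the response. The tracked flow now passes through a
// sanitizer, which is what clears this class of alert.
function greetSafe(req) {
  const name = req.query.name || "guest";
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<h1>Hello, ${escapeHtml(name)}!</h1>`,
  };
}

// Constructed sample request with markup in the parameter, used only to show
// the two response bodies side by side.
const sampleRequest = { query: { name: "<script>alert(1)</script>" } };
```

Calling `greetUnsafe(sampleRequest)` returns the markup verbatim in the body, while `greetSafe(sampleRequest)` returns it as inert text (`&lt;script&gt;...`).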
GitHub: “Automatic code scanning repair is the next step forward” for developers
GitHub said its GitHub Advanced Security offering helps teams fix issues seven times faster than traditional security tools.
“Automated code scanning remediation is the next step forward, helping developers dramatically reduce the time and effort spent on remediation,” the firm said.
Most organizations carry an “increasing” number of vulnerabilities in production repositories, the firm added. With the release of the new tool, GitHub said developers will be able to directly address “security debt” and make it easier to fix vulnerabilities as they code.
“Just as GitHub Copilot frees developers from tedious and repetitive tasks, automated code scanning remediation will help development teams recapture time previously spent on remediation.”
The company further noted that security teams will also benefit from a reduced volume of everyday vulnerabilities.
What's next for automatic code scan repair?
GitHub said it plans to add support for more programming languages, with C# and Go “coming up next.”
GitHub Copilot has been one of the most prominent examples of the rise of generative AI, offering code suggestions to make developers more productive (even if such tools could lead to more “software abandonment”). More than 50,000 companies use GitHub Copilot.
Last month, GitHub Copilot Enterprise, aimed at developers at large organizations, reached general availability. The enterprise tier includes chat tools customized to a company's own codebase, plus documentation search and pull request summaries.