AI-powered developer platform GitHub has announced the general release of AI-powered remediation with Copilot Autofix in GitHub Advanced Security (GHAS). With Copilot Autofix, developers and security teams can keep new vulnerabilities out of code and confidently remediate their backlog security debt.
After analysing code vulnerabilities, Copilot Autofix explains why they matter and offers code suggestions that help developers fix vulnerabilities as fast as they are found. During the public beta, GitHub found that developers were fixing code vulnerabilities more than three times faster than those who do so manually, a powerful example of how AI agents can radically simplify and accelerate secure software development. Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now, also pay down the backlog of security debt by generating fixes for existing vulnerabilities.
“Code scanning tools detect vulnerabilities, but they don’t address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply,” said GitHub CSO and SVP of Engineering at Mike Hanely. In other words, finding vulnerabilities isn’t the problem, fixing them is. With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.”
Since its introduction in public beta in March 2024, developers have used Copilot Autofix in their pull requests to help them quickly fix vulnerabilities in new code before they get merged to production where they can impact customers. Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.
Based on customer data from public beta between May and July 2024, Copilot Autofix has already shown dramatic reductions in the amount of time between detection and successful remediation:
-
3x faster: Overall, the median time for developers to use Copilot Autofix to automatically commit the fix for a pull request-time alert was 28 minutes, compared to 1.5 hours to resolve the same alerts manually.
-
7x faster: Cross-site scripting vulnerabilities: 22 minutes, compared to almost three hours.
-
12x faster: SQL injection vulnerabilities: 18 minutes, compared to 3.7 hours.
Early users of Copilot Autofix have also reported dramatic improvements in efficiency and productivity.
While GitHub Copilot helps developers code more quickly, Copilot Autofix accelerates the pace of remediation, so security teams make real progress with the backlog of existing vulnerabilities, commonly known as security debt.
When a developer is asked to fix vulnerabilities in code that they haven’t seen in a while or aren’t familiar with, it can take hours to assess the surrounding code and experiment with manual fixes. Copilot Autofix dramatically reduces this burden so developers can fix old vulnerabilities with more speed and confidence.
To initiate Copilot Autofix for vulnerabilities in existing code, a developer simply presses the Generate fix button on an alert in the GHAS code scanning alert. Copilot Autofix assesses the code and the vulnerability and returns an explanation and code suggestion for review. The developer can then press the Create PR with fix button to create a new pull request which includes code changes to fix the alert. With Copilot Autofix, teams can pay down years’ worth of security debt–even those hard-to-prioritise low- and moderate-severity alerts–in just a matter of a few clicks.
Behind the scenes, Copilot Autofix leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. Copilot Autofix builds an LLM prompt based on sources, including CodeQL analysis and short snippets of code around the flow path.
As the global home of the open-source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open-source software is safer and more reliable for everyone. GitHub believes that it’s important to be both a responsible consumer of open source software and contributor back to it, which is why open-source maintainers can already take advantage of GitHub’s code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, GitHub will add Copilot Autofix in pull requests to this list and offer it for free to all open source projects.
From GitHub Copilot Workspace to GHAS, GitHub is promoting a future where AI doesn’t just assist but helps transform businesses, from productivity and innovation to security and risk reduction. Within GHAS, GitHub is leveraging AI not only to help fix vulnerabilities in code but also to improve the scope and accuracy of secret scanning, and with new workflows that scale Copilot Autofix for organisations with a high volume of security debt, all on the familiar platform that developers already know and like.
