GitHub rolls out AI-powered Autofix Copilot to catch and fix vulnerabilities in code
In a "move fast and break things" world, Microsoft Corp.'s GitHub today announced the launch of a new way, using artificial intelligence, to move fast while fixing problems during software development before they become bigger issues down the line.
The company said Autofix Copilot, an AI-powered vulnerability remediation tool in GitHub Advanced Security, is now generally available. Originally introduced in a public beta in March, the tool uses generative AI during pull requests to detect vulnerabilities in new code and propose fixes before that code is pushed into production.
"Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply," said Mike Hanley, chief security officer and senior vice president of engineering at GitHub. "In other words, finding vulnerabilities isn't the problem. Fixing them is."
Autofix works similarly to the company's AI-powered coding assistant Copilot, which helps developers write software quickly. The tool works alongside developers like a security expert partner: it scans existing code, detects vulnerabilities, explains why a given piece of code is problematic and supplies a fix that resolves the issue.
According to GitHub, customer data gathered during the beta between May and July showed strong results in reducing the time needed to detect and fix issues. Overall, the company said, the median time to commit a fix for a pull-request alert was three times faster with Autofix: 28 minutes, compared with 1.5 hours when done manually.
For specific vulnerability classes the gap was wider still, the company claimed: cross-site scripting fixes took 22 minutes with Autofix versus 2.8 hours manually, and SQL injection fixes took 18 minutes with the AI tool versus 3.7 hours manually.
"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," said Kevin Cooper, principal engineer at American healthcare technology provider Optum Inc. "In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation."
The real value of Autofix, Hanley said, is that it doesn't just deliver fixes for vulnerabilities in scanned code as developers go about their everyday work. Developers who aren't security experts can rely on it to explain why its recommendation is necessary and how to implement the fix properly. That makes the AI tool not merely another scanner in the developer's security toolkit, but a way to raise their security awareness overall.
Under the hood, Autofix combines GitHub's code scanning engine, CodeQL, with OpenAI's flagship model GPT-4o to generate fix suggestions. It can work across large private enterprise codebases supplied by users as well as open-source code libraries.
"As the global home of the open-source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open-source software is safer and more reliable for everyone," said Hanley.