AI Programming

GitHub Introduces AI-Powered Tool That Suggests Ways It Can Auto-Fix Your Code (bleepingcomputer.com)

"It's a bad day for bugs," joked TechCrunch on Wednesday. "Earlier today, Sentry announced its AI Autofix feature for debugging production code..."

And then the same day, BleepingComputer reported that GitHub "introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding." This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, TypeScript, Java, and Python... After being toggled on, it provides potential fixes that GitHub claims will likely address more than two-thirds of found vulnerabilities while coding with little or no editing.

"When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss," GitHub's Pierre Tempel and Eric Tooley said...
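To make the "alert plus suggested fix" workflow concrete, here is an added example in Python (one of the supported languages). It is not GitHub's code and not from the article: a function shaped like the classic SQL-injection finding a CodeQL query flags, beside the parameterized version a fix suggestion would propose, with a small check showing why the first is flagged and the second is not. The table, function names and inputs are all constructed for this example.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# "Before": the shape of code a SQL-injection query flags. Untrusted input
# is interpolated straight into the SQL text, so the input can change the
# statement's structure, not just the value being compared.
def find_user_vulnerable(conn, name):
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

# "After": the kind of fix a suggestion would propose. The query text is a
# constant and the value travels as a bound parameter, so it can only ever
# be compared against the name column, whatever characters it contains.
def find_user_fixed(conn, name):
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def demo():
    """Row counts for a benign name and for input that is a tautology when
    spliced into SQL text but stays a plain string under parameter binding."""
    conn = _connect()
    benign = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(find_user_vulnerable(conn, benign)),
        "vulnerable_hostile": len(find_user_vulnerable(conn, hostile)),  # every row
        "fixed_benign": len(find_user_fixed(conn, benign)),
        "fixed_hostile": len(find_user_fixed(conn, hostile)),            # no row
    }

if __name__ == "__main__":
    print(demo())
```

The point of the check is what a reviewer should look at before accepting a suggestion: the fixed function still returns the expected row for a normal name, and the behaviour that triggered the alert is gone rather than merely rewritten.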

Last month, the company also enabled push protection by default for all public repositories to stop the accidental exposure of secrets like access tokens and API keys when pushing new code. This was a significant issue in 2023, as GitHub users accidentally exposed 12.8 million authentication and sensitive secrets via more than 3 million public repositories throughout the year.
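Push protection as described above boils down to scanning the lines a push would publish before they leave the developer's machine. The following is an added example, not GitHub's detector and not from the article: a small Python scanner over the added lines of a unified diff. The token shapes are based on publicly documented prefixes (a `ghp_` classic token, an `AKIA` access key ID) plus a generic quoted-key rule; they stand in for GitHub's much larger pattern set, and the sample diff, variable names and values are all constructed here.

```python
import re

# Stand-in rule set (assumption of this example, not GitHub's real detectors).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret)\s*[:=]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']"),
}

# Substrings marking documented placeholders rather than live credentials.
PLACEHOLDER_MARKERS = ("EXAMPLE", "REDACTED", "CHANGEME")

def scan_diff(diff_text):
    """Return (new_file_line, rule, matched_value) for secrets in *added* lines.

    Only '+' lines matter for push protection: those are what the push would
    publish. Context and removed lines are skipped, and the hunk header is used
    to report line numbers in the new version of the file."""
    findings = []
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue
        if raw.startswith("-"):
            continue  # removed line: not part of the new file
        line_no += 1
        if not raw.startswith("+"):
            continue  # unchanged context line
        content = raw[1:]
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                value = m.group(m.lastindex or 0)
                if any(marker in value.upper() for marker in PLACEHOLDER_MARKERS):
                    continue
                findings.append((line_no, rule, value))
    return findings

def push_allowed(diff_text):
    """Block the push when any finding survives the placeholder filter."""
    return not scan_diff(diff_text)

# Constructed diff: one removed secret (ignored), one generic key, one token
# with the documented prefix shape, one well-known documentation placeholder.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-SECRET = "oldvalueoldvalueoldvalue"
+API_KEY = "abcdefghijklmnopqrstuvwxyz0123"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_HOST = os.environ.get("DB_HOST", "localhost")
"""

if __name__ == "__main__":
    for line, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"config.py:{line}: {rule}: {value[:6]}...")
    print("push allowed:", push_allowed(SAMPLE_DIFF))
```

Two design choices carry over to any real pre-push hook: scan the diff rather than the whole tree so that a historical secret already in the repository does not make every push fail, and keep a placeholder allowlist, because blocking documentation examples trains developers to bypass the check.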

GitHub will continue adding support for more languages, with C# and Go coming next, according to their announcement.

"Our vision for application security is an environment where found means fixed."
  • Yep (Score:3, Insightful)

    by Subsentient ( 6901388 ) on Sunday March 24, 2024 @06:36PM (#64341515)
    Until months later, they discover the AI has been deceiving them by introducing more subtle but far more severe security holes, which it then uses to fire up the Oscar Mayer Human-Frank-O-Matic 9,000, for which the code will be totally immaculate, written by the AI in pure machine code with no assembly step.
    • by gweihir ( 88907 )

      I am actually waiting for respective research to come out. What I expect is vulnerabilities that work cross-language and in a _lot_ of applications at the same time.

    • I lived in Madison, WI for about 30 years, and Oscar Mayer actually had one of the largest microwave ovens imaginable for 'cooking' their pre-cooked meats. Before digital TV you could tell when they turned it on because you'd get RF interference artifacts on all the local TV stations.
    • Glad everyone will be forced into using it then. I mean all software developers are completely stupid barbarians that have no idea how any of this stuff works, (nor should they need to), and need to be handheld to do their job..... /s
  • by locater16 ( 2326718 ) on Sunday March 24, 2024 @06:56PM (#64341547)
    This is a ploy to let Clippy code himself; make him harder, better, faster, stronger. Soon Clippy will become the singularity, and we will all need help.
  • I'd like to see one of a project try to tackle setting up linking automatically. I don't mind dealing with many bugs, but I hate dealing with linking, with a passion, when there is mixed source with mixed package managers, etc. and most especially a lack of static analysis (build, wait, retry.. and running out of coffee, blah).
    • by HiThere ( 15173 )

      FWIW, I was just wondering why all the information about how to do linking is written so poorly. I'm sure cmake and ninja are easy to use, once you know how. But if you don't the documentation is useless, so I've been sticking to make.

      OTOH, qmake works well, but if there's a problem, you've no clue as to what to do to fix it. (My guess is the wrong version of something was installed, but WHAT?)

      Even the make documentation is extremely poor. There are lots of shortcuts that you can see in various examples,

  • by BrendaEM ( 871664 ) on Sunday March 24, 2024 @07:56PM (#64341639) Homepage
    AI chomped through it, didn't it.
  • by twisteddk ( 201366 ) on Sunday March 24, 2024 @10:45PM (#64341831)

    I've been doing the same, not for GitHub, but for our development platform.
    My problem has been, to a large extent, that so much bad code exists, that it's really difficult to train the model on "good" code. Sometimes guidelines change as software matures, or they depend on the underlying hardware. These are some of the things the AI has trouble understanding. I've also had to find ways to get the AI to understand that internal guidelines must never be set aside in favor of other solutions...
    So for me, this is good news. I'm happy to see how others solve these problems. I hope they have some really smart ideas that can adapt to other platforms.

  • by danda ( 11343 ) on Monday March 25, 2024 @01:45AM (#64341999)

    I don't need auto fixing. I need auto refactoring, so that when I make a change somewhere deep in the code, all the layers above will have repetitive mechanical changes applied automatically, and then I can diff/review.

    for rust please. thx.

  • AI/ML is only good at finding connections and replicating patterns. What it lacks is awareness of the subtleties in the context of where the patterns are. In real-life code, bugfixes are often very subtle and must be made in the very precise context of a particular piece of code. What's more, some "buggy" code may be there by design to fix problems in the spaghetti network of legacy code and Agile-infested, always-evolving business requirements. Attempting to autofix bugs, without human supervision, is there

    • LLMs have no awareness of "correctness" by design. How could such a tool ever be reliable for code?
      • by HiThere ( 15173 )

        That depends on the problem you're trying to fix. I'm finding that I make LOTS of typos, and I see no reason an AI couldn't fix them. Of course, an AI is overkill, when the compiler often will suggest the correct fix ("perhaps you forgot a semicolon"), but I've noticed that it quite often suggests the wrong variable name to replace the typoed one.

  • Like MS Word (Score:4, Insightful)

    by Errol backfiring ( 1280012 ) on Monday March 25, 2024 @05:17AM (#64342161) Journal
    Please don't. When I have to use a clean install of MS Word, I have to spend at least two hours switching off all the "smart" auto-mess-up options. Trying to outsmart the user is always dumb.
  • I left github when 2FA was mandated, it was somewhat a tough decision. This only confirms my decision was correct.
  • Was Clippy not irritating enough already?
  • we need an AI spider.
  • fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss,

    And then a dialog box from your management team asking for a reason why the suggestion was dismissed

  • All I see here is GitHub wants to steal your code and offer fixes from others' stolen code.
