'AI-Powered Remediation': GitHub Now Offers 'Copilot Autofix' Suggestions for Code Vulnerabilities (infoworld.com)
InfoWorld reports that Microsoft-owned GitHub "has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service."
The feature became available Wednesday as part of the GitHub Advanced Security (or GHAS) service: "Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found," GitHub said in the announcement. GHAS customers on GitHub Enterprise Cloud already have Copilot Autofix included in their subscription. GitHub has enabled Copilot Autofix by default for these customers in their GHAS code scanning settings.
Beginning in September, Copilot Autofix will be offered for free in pull requests to open source projects.
During the public beta, which began in March, GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually, demonstrating how AI agents such as Copilot Autofix can radically simplify and accelerate software development.
"Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews," says one principal engineer quoted in GitHub's announcement, "and a 25% increase in overall development productivity."
The announcement also notes that Copilot Autofix "leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs." Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is...
Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities... Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.... For developers who aren't necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code...
As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it's highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub's code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we're thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects...
While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden.... With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.
talkative frontend (Score:2)
Re: (Score:2)
The title and TFS read like a bunch of non-sense mumbo jumbo to me anyway. Thanks for attempting to clarify.
BULLSHIT (Score:1)
Lameness filter encountered. Post aborted!
Filter error: Don't use so many caps. It's like YELLING.
On the flip side this will make lazier coders. (Score:3)
Re: (Score:2)
Lazier coders are totally fine.
But ignorant people convinced - now with help of ChatGPT - that they are right...
History of security bugs is really the endless reiteration of the good old adage, as per RFC1925:
Re:On the flip side this will make lazier coders. (Score:4, Insightful)
Unless you are an employer I don't see how this is a good thing for quality of product. I wonder if one of the first customers for this was CrowdStrike.
Something smells (Score:1)
Re: (Score:3)
You should probably look into the diapers as well, there's bullshit dribbling down your chin.
Re: (Score:2)
Are all scientists and engineers of the Internet lesbians and straight men? No. This post is pure sexism. Please do better in the future.
dog food (Score:2)
Maybe Github should try AI-Powered Remediation for better uptime.
https://developers.slashdot.or... [slashdot.org]
That will go well (Score:2)
First, there will be specific classes of security bugs that get overlooked. Attackers will learn to look for them for an even easier attack path. Second, the "fixes" will have specific problems and attackers will look for them as well. And third, the usual nil wit managers will hire even less competent coders, making the situation worse overall.
I hope they've checked the licenses! (Score:4, Interesting)
I would hope that the FSF and Lawrence Lessig will take a look at this as the automatic analysis and patching prior to redistribution on a massive automated scale is a new phenomenon with implications for the rights of project owners worldwide.
Open source licenses are funny beasts, there are many kinds in the wild and they can have all sorts of nonstandard stipulations which defy simplistic interpretations favoured by the likes of github and its owner. I am frankly shocked that the Microsoft lawyers are okay with this kind of thing, or maybe they weren't consulted?
Re: (Score:2)
> (which may well include the code of the generating AI, plus its complete training materials)
Huh? What paragraph of the GPL (any version) would require that? There's nothing that prevents you from editing open source code with proprietary IDEs. Yes, the fix itself is going to have to be GPL, but not the means of producing it. Your post, to the best of my GPL knowledge, is pure FUD. Please provide a citation to this claim -- if there is such a limitation in the GPL, I'd be very interested, but I don't se
After the remediation fix (Score:3)
remediate(code);}
You still can't trust it (Score:1)
There is, of course, a real answer here - have the AI find a suggestion, compile the code, and test it, before recommending it to you. Except if you think having a LLM sound human is tough, wait until you force it to guarantee its code fix will still compile...and it ends up compiling dozens or hundreds of options before offering you one of them that actually built.
So while for a bunch of easy problems, maybe you're okay. But otherwise, you just can't trust it.
Remember, Artificial Intelligence is trained
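The summary above says Copilot Autofix generates fixes for classes such as SQL injection that the developer can dismiss, edit or commit, and the comment above argues a suggested fix should be tested before it is accepted. The following added example (not code from GitHub, Copilot Autofix or the article) shows what that looks like in practice: the string-concatenated query a scanner flags, the parameterised form a suggestion would typically propose, and the regression check a reviewer can run against any candidate before committing it. The schema, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample schema and data, not taken from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # The pattern code scanning flags: untrusted input spliced into SQL text,
    # so a quote in `name` changes the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_fixed(conn, name):
    # The shape of the usual suggested fix: a bound parameter. The driver
    # passes `name` as a value, so it is never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def fix_passes_review(conn, candidate):
    """Regression check a reviewer runs before committing a suggested fix.

    A candidate passes only if it (1) keeps the normal behaviour and
    (2) does not let a quote-breaking input widen the query. Returning
    False for the original function shows the check itself works.
    """
    if candidate(conn, "alice") != [("alice", "admin")]:
        return False  # the fix broke the ordinary lookup
    tautology = "' OR '1'='1"  # classic probe; treated as data by a real fix
    try:
        rows = candidate(conn, tautology)
    except sqlite3.Error:
        return False  # crashing on unusual input is not a fix either
    return rows == []  # no user is literally named "' OR '1'='1"
```

Running the check against both functions is the point: the unfixed version returns every row for the probe and fails, the parameterised version returns none and passes.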
New attack vector! (Score:2)
2. Publish dubious patches to fool ai into determining it's the best fix
3. Wait for AI to compromise repos by auto-fixing.
4. World domination?