Copilot Autofix：AI 解决代码漏洞问题的答案_AI阅读总结 — 包阅AI

GitHub this week made its Copilot Autofix advanced AI code scanning and remediation product generally available in GitHub Advanced Security (GHAS).

Copilot Autofix uses AI to find vulnerabilities in code, explain their importance and offer code suggestions to fix them, wrote Mike Hanley, chief security officer and senior vice president of engineering at GitHub, in a post on the company’s blog.

“Code scanning tools detect vulnerabilities, but they don’t address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply,” Hanley wrote in the post. “In other words, finding vulnerabilities isn’t the problem. Fixing them is.”

Copilot Autofix uses AI agents that are capable of making decisions, planning and adapting to new information in real time. In fact, during the public beta for the product, launched in March, Hanley wrote, GitHub learned that developers were fixing code vulnerabilities more than three times faster than those who do so manually.

Overcoming Longtime Struggles

Developers have long struggled with using Application Security Testing (AST) tools to find security vulnerabilities in application source code, David Vance, an analyst at Enterprise Strategy Group, told The New Stack. Legacy AST tools are notoriously slow and prone to false positives. With GitHub’s massive developer community, he said, it’s a natural fit for them to introduce application security features into their platform.

GitHub’s Copilot Autofix is the most recent example of the next wave of application security innovation that also helps reduce security tool friction for developers.

During the beta, developers used Copilot Autofix in their pull requests to quickly fix vulnerabilities in new code before they could get merged into production where they could impact customers.

“By allowing developers to identify security vulnerabilities in their source code as early as possible, it greatly reduces the time and effort required to remediate vulnerabilities after coding has been completed,” Vance said.

The median time for developers to use Copilot Autofix to automatically commit the fix for a pull request-time alert was 28 minutes, compared to 1.5 hours to resolve the same alerts manually, Hanley wrote in his blog post.

“Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit or commit in their pull request,” he wrote.

Indeed, Copilot Autofix was seven times faster finding and fixing cross-site scripting vulnerabilities — 22 minutes, compared to almost three hours. And it was 12 times faster finding and fixing SQL injection vulnerabilities — 18 minutes, compared to 3.7 hours, the company said.

“Since implementing Copilot Autofix, we’ve observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity,” said Kevin Cooper, a principal engineer at Optum, in a statement.

Moreover, “in the health care space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation,” Cooper added.

An ‘Intriguing Dichotomy’

“Securing code has always presented an intriguing dichotomy: the individuals responsible for remedying security vulnerabilities—software developers—often lack both the time and the training necessary for this task,” Janet Worthington, an analyst at Forrester Research, told The New Stack.

Static Application Security Testing (SAST) tools, which scan the codebase, provide remediation guidance to developers based on the security flaw and the programming language. However, the advice can be too generic or better suited for security professionals already familiar with security terminology, Worthington said.

Behind the scenes, Copilot Autofix leverages theCodeQLengine, GPT-4o, and acombination of heuristics and GitHub Copilot APIsto generate code suggestions, Hanley said.

“Security tools, such as GitHub’s CodeQL, areleveraging generative AI to alleviate the burden on software developers to fix security defects, while simultaneously reducing risk,” Worthington said.

With innovations like GitHub CopilotAutofix, developers are shown the security flaw alongside anauto-generatedfixspecific to their code, which the developer can then review and either accept or modify as needed. This not only boosts developer productivity but also improves the likelihood of the issue being effectively resolved.

“While this advancement marks significant progress in code security, it’s important to recognize that generative AI is not flawless,” Worthington said. “Anyfixprovided by an automated tool must be scrutinized with the same rigor as any other code change, undergoing both SAST,software composition analysis, and peer code reviews before being integrated into the main branch.”

How Copilot Autofix Works

To initiate Copilot Autofix for vulnerabilities in existing code, according to Hanley, simply press the “Generate fix” button on an alert in the GHAS code scanning alert. Copilot Autofix assesses the code and the vulnerability and returns an explanation and code suggestion for review. The developer can then press the “Create PR with fix” button to create a new pull request, which includes code changes to fix the alert.

“Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible, said Mario Landgraf, community manager for security at Otto (GmbH & Co KG), in a statement. “Vulnerabilities are flagged immediately, and code changes are recommended automatically. It helps our teams to free up time, so they can focus on more strategic initiatives.”

Meanwhile, starting in September, GitHub will add Copilot Autofix in pull requests to the list of tools it offers for all open source projects. That list already includes GitHub’scode scanning,secret scanning,dependency management, andprivate vulnerability reportingtools at no cost.