Marking its 10th anniversary, GitHub Universe brings together several AI updates to GitHub Copilot. One of the features added is security campaigns and third-party tool integration with Copilot Autofix. Just as GitHub Copilot helps developers code more quickly, Copilot Autofix accelerates the pace of remediation so security teams make real progress with the backlog of existing vulnerabilities, commonly known as security debt.
This new feature supports integration with various third-party tools and security campaigns, enabling security teams and developers to address vulnerabilities at scale using their preferred tools. It fosters a collaborative environment where teams can incorporate security measures into their existing workflows. By using familiar tools, this approach not only improves productivity but also helps maintain a consistent security posture across all projects, making vulnerabilities easier to manage as they arise.
Since its introduction in public beta in March 2024, developers have used Copilot Autofix in their pull requests to quickly fix vulnerabilities in new code before it is merged and reaches production, where it could affect customers.
Copilot Autofix was also planned to be made available to all open-source projects. Because the feature uses the CodeQL engine, Copilot APIs, and GPT-4o, it could be a highly valuable asset for tech enterprises of all kinds.
From Detection to Resolution
Vulnerabilities can linger indefinitely, becoming harder and costlier to fix over time. Copilot Autofix streamlines this process, helping developers quickly and confidently resolve issues in unfamiliar or outdated code.
Here’s how it works.
Copilot Autofix in action
Behind the scenes, Copilot Autofix utilises the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. It builds an LLM prompt from several sources, including the CodeQL analysis results and short snippets of the code around the vulnerable data-flow path, and the model's output becomes the suggested fix.
Closing the Loop on Vulnerabilities
Developers are now deploying software at an unprecedented pace, frequently rolling out new features. However, despite their commitment to secure coding, vulnerabilities still find their way into production and remain a major cause of breaches. This challenge is intensified by the complexity of security requirements, which many developers struggle to understand and apply effectively.
As a result, achieving robust security remains difficult, and more vulnerabilities end up being shipped into production.
Code scanning tools identify vulnerabilities but don’t solve the core issue: fixing them requires specialised security knowledge and time—both of which are scarce. The challenge isn’t finding vulnerabilities, but resolving them.
Yet during the public beta, developers fixed code vulnerabilities more than three times faster than with manual efforts, demonstrating how AI agents can significantly streamline and accelerate secure software development.
Reducing the Developer Burden
Developers remain responsible for software security, and we believe that with Copilot Autofix at their side, every developer benefits from security expertise whenever they need it, so that security simply becomes synonymous with software development.
And this is just the beginning.