GitHub Taps AI To Eradicate Software Vulnerabilities With Copilot-Powered Security Updates
GitHub, the world’s leading AI-powered developer platform, announced the general availability of AI-powered remediation with Copilot Autofix in GitHub Advanced Security (GHAS).
Copilot Autofix analyses vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found. During the public beta, GitHub found that developers using Copilot Autofix fixed code scanning alerts more than three times faster than developers fixing the same alerts manually, an example of how AI assistance can simplify and accelerate secure software development.
Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities.
“Code scanning tools detect vulnerabilities, but they don’t address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn’t the problem. Fixing them is,” said Mike Hanley, CSO and SVP of Engineering at GitHub. “With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed,” Hanley added.
Since its introduction in public beta in March 2024, developers have used Copilot Autofix in their pull requests to fix vulnerabilities in new code before it is merged into production, where it could affect customers. Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting; developers can dismiss, edit, or commit each suggestion in their pull request.
Based on customer data from the public beta, from May through July 2024, Copilot Autofix has already shown dramatic reductions in the time between detection and successful remediation:
- 3x faster. Overall, the median time to commit a fix for a pull-request-time alert was 28 minutes with Copilot Autofix, compared to 1.5 hours to resolve the same alerts manually.
- 7x faster. Cross-site scripting vulnerabilities: 22 minutes, compared to almost three hours.
- 12x faster. SQL injection vulnerabilities: 18 minutes, compared to 3.7 hours.
Early users of Copilot Autofix have also reported dramatic improvements in efficiency and productivity.
“Since implementing Copilot Autofix, we’ve observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity,” said Kevin Cooper, principal engineer at Optum. “In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation.”
Just as GitHub Copilot helps developers code more quickly, Copilot Autofix accelerates the pace of remediation so security teams make real progress with the backlog of existing vulnerabilities, commonly known as security debt.
When a developer is asked to fix vulnerabilities in code that they haven’t seen in a while or aren’t familiar with, it can take hours to assess the surrounding code and experiment with manual fixes. Copilot Autofix dramatically reduces this burden so developers can fix old vulnerabilities with more speed and confidence.
Here’s how it works. To initiate Copilot Autofix for a vulnerability in existing code, a developer presses the “Generate fix” button on a code scanning alert in GHAS. Copilot Autofix assesses the code and the vulnerability and returns an explanation and a code suggestion for review. The developer can then press the “Create PR with fix” button to open a new pull request containing the code changes that address the alert. With Copilot Autofix, teams can pay down years’ worth of security debt, including the hard-to-prioritise low- and moderate-severity alerts, in a few clicks.
Behind the scenes, Copilot Autofix uses the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. It builds an LLM prompt from sources including the CodeQL analysis result and short snippets of code around the alert’s flow path (the source-to-sink path that CodeQL reports for the finding).
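As an added illustration (not GitHub’s code, and not an actual Copilot Autofix suggestion), the Python below shows the two vulnerability classes named above, SQL injection and cross-site scripting, each in its “before” form next to the kind of fix Copilot Autofix proposes, together with the check a reviewer can run before committing a suggested fix: replay the attack input against both versions and compare. The sample rows and attack payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed sample data standing in for an application database.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# "Before": the pattern a SQL-injection alert points at. The caller-supplied
# name is concatenated straight into the query text, so a quote in the input
# changes the structure of the statement.
def find_user_vulnerable(conn, name):
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# "After": the shape of fix proposed for this class. The value is bound as a
# query parameter and is never interpreted as SQL.
def find_user_fixed(conn, name):
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# "Before": reflected cross-site scripting. Untrusted text is spliced into
# an HTML response without escaping.
def greeting_vulnerable(user_supplied):
    return "<p>Hello, " + user_supplied + "</p>"


# "After": escape for the HTML text context before splicing. Markup in the
# input is rendered as literal text instead of being parsed by the browser.
def greeting_fixed(user_supplied):
    return "<p>Hello, " + html.escape(user_supplied, quote=True) + "</p>"


def check_fixes():
    """Reviewer's check: run the attack input through the vulnerable and
    fixed versions and report what each one does with it."""
    conn = make_db()
    sqli_payload = "nobody' OR '1'='1"          # constructed tautology payload
    xss_payload = "<script>alert(1)</script>"   # constructed script injection
    return {
        # The tautology makes the vulnerable query match every row.
        "sqli_rows_before": len(find_user_vulnerable(conn, sqli_payload)),
        # The parameterised query looks for a user literally named that string.
        "sqli_rows_after": len(find_user_fixed(conn, sqli_payload)),
        # Does a raw <script> tag survive into the HTML output?
        "xss_script_before": "<script>" in greeting_vulnerable(xss_payload),
        "xss_script_after": "<script>" in greeting_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in check_fixes().items():
        print(f"{key}: {value}")
```

The point of `check_fixes` is the “edit, dismiss, or commit” decision the page describes: a suggested fix is only worth committing if the original finding’s attack input no longer works against the patched code, and that is something a reviewer can confirm in seconds with the alert’s own payload.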
As the global home of the open-source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open-source software is safer and more reliable for everyone. GitHub believes that it’s highly important to be both a responsible consumer of open source software and a contributor back to it, which is why open source maintainers can already take advantage of GitHub’s code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, GitHub will add Copilot Autofix in pull requests to this list and offer it for free to all open-source projects.
From GitHub Copilot Workspace to GHAS, GitHub is championing a future where AI doesn’t just assist but helps transform businesses, from productivity and innovation to security and risk reduction. Within GHAS, GitHub is leveraging AI not only to help fix vulnerabilities in code, but also to improve the scope and accuracy of secret scanning, and with new workflows that scale Copilot Autofix for organisations with a high volume of security debt, all on the familiar platform that developers already know and love.