Found means fixed: Secure code more than three times faster with Copilot Autofix (2024)

Developers are shipping software faster than previously imaginable, releasing new features early and often. Yet despite their best efforts to code securely, software vulnerabilities inadvertently make their way into production and continue to be a leading cause of breaches today. Compounding this, many developers find security requirements to be difficult to understand and implement, making it harder to achieve good security outcomes and resulting in more vulnerabilities escaping into the wild.

Code scanning tools detect vulnerabilities, but they don’t address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn’t the problem. Fixing them is.

That’s why today we’re announcing the general availability of AI-powered remediation with Copilot Autofix in GitHub Advanced Security (GHAS). Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found. During the public beta, we found that developers were fixing code vulnerabilities more than three times faster than those who do so manually, a powerful example of how AI agents can radically simplify and accelerate secure software development.

Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities.

Let’s jump in.

If you’re already a GHAS customer on GitHub Enterprise Cloud, Copilot Autofix is now included in your GHAS subscription. We’ve enabled Copilot Autofix for you by default in your GHAS code scanning settings. If you’re not a GHAS customer, you can find more info here or talk to your GitHub representative about a trial.

Keep new vulnerabilities out of code

Since Copilot Autofix entered public beta in March 2024, developers have used it in their pull requests to fix vulnerabilities in new code before it is merged and reaches production, where it could affect customers. Fixes can be generated for dozens of classes of code vulnerability, such as SQL injection and cross-site scripting, and the developer can dismiss, edit, or commit each suggestion directly in the pull request.
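As an added illustration (this is not code from the post, from CodeQL, or from Copilot Autofix itself), here is the shape of the two vulnerability classes named above, each beside the kind of fix a reviewer would expect to see proposed in the pull request: user input spliced into a SQL string versus a bound parameter, and user input interpolated into HTML versus escaping at the sink. The in-memory database, the sample rows, the function names and the payloads are all constructed for the example; it runs offline with the Python standard library.

```python
"""
Added example: a SQL injection and a cross-site scripting bug in the form
code scanning flags, each next to the parameterised / escaped form a fix
suggestion would typically propose. Everything here is constructed for
illustration and is not taken from the GitHub post.
"""
import html
import sqlite3

# Constructed sample data so the example is self-contained.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Before: untrusted input is concatenated into the SQL text (CWE-089).
    # A taint-tracking query follows `name` from the caller into execute().
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # After: the value travels as a bound parameter, never as SQL syntax,
    # so quotes or OR-clauses in `name` are matched literally.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Before: untrusted input is interpolated straight into HTML (CWE-079).
    return f"<p>Hello, {name}!</p>"


def render_greeting_fixed(name: str) -> str:
    # After: escape at the HTML sink so any markup in `name` renders as text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Run both variants against classic payloads and return what happened."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"          # turns the WHERE clause into a tautology
    xss_payload = "<script>alert(1)</script>"
    return {
        "leaked_rows": len(find_user_vulnerable(conn, sqli_payload)),  # every row
        "safe_rows": len(find_user_fixed(conn, sqli_payload)),         # no such user
        "vulnerable_html": render_greeting_vulnerable(xss_payload),
        "fixed_html": render_greeting_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed query and the escaped template are what a developer should expect to see in the suggested diff; the point of reviewing rather than blind-committing is to confirm the fix sits at the real sink and does not change behaviour for legitimate input (note that `find_user_fixed` still returns the right row for a normal name).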

Based on customer data from our public beta from May through July 2024, Copilot Autofix has already shown dramatic reductions in the time between detection and successful remediation:

  • 3x faster. Overall, the median time for developers to use Copilot Autofix to automatically commit the fix for a pull request-time alert was 28 minutes, compared to 1.5 hours to resolve the same alerts manually.
  • 7x faster. Cross-site scripting vulnerabilities: 22 minutes, compared to almost three hours.
  • 12x faster. SQL injection vulnerabilities: 18 minutes, compared to 3.7 hours.

Early users of Copilot Autofix have also reported dramatic improvements in efficiency and productivity:

Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity. In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation.

Pay down your backlog of security debt

Just as GitHub Copilot helps developers code more quickly, Copilot Autofix accelerates the pace of remediation so security teams make real progress with the backlog of existing vulnerabilities, commonly known as security debt.

Vulnerabilities can live forever, and the longer they’ve remained dormant, the harder and more expensive they are to fix. When a developer is asked to fix vulnerabilities in code that they haven’t seen in a while or aren’t familiar with, it can take hours to assess the surrounding code and experiment with manual fixes. Copilot Autofix dramatically reduces this burden so developers can fix old vulnerabilities with more speed and confidence.

Here’s how it works. To initiate Copilot Autofix for a vulnerability in existing code, press the “Generate fix” button on a code scanning alert in GHAS. Copilot Autofix assesses the code and the vulnerability and returns an explanation and a code suggestion for review. The developer can then press “Create PR with fix” to open a new pull request containing the code changes that address the alert; like any other pull request, it goes through review before it is merged. With Copilot Autofix, teams can pay down years’ worth of security debt, including the hard-to-prioritize low- and moderate-severity alerts, in a matter of a few clicks.

Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible. Vulnerabilities are flagged immediately and code changes are recommended automatically. It helps our teams to free up time so they can focus on more strategic initiatives.

Copilot Autofix in action

For developers who aren’t necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code. “Copilot Autofix doesn’t just flag vulnerabilities; it explains why certain actions are necessary and how to implement them, making problem-solving more accessible,” says Cooper from Optum.

Behind the scenes, Copilot Autofix uses the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. It builds an LLM prompt from sources including the CodeQL analysis result and short snippets of code around the flow path from source to sink. The output is a suggestion, not an automatic change: it is presented in the pull request for the developer to review, edit, or dismiss before anything is committed.

If you’re already a GHAS customer on GitHub Enterprise Cloud, we’ve already enabled Copilot Autofix for you by default in your GHAS settings. If you’re not a GHAS customer, you can find more info here or talk to your GitHub representative. We’re on standby.

Securing open source

Copilot Autofix reduces the time and effort required to remediate vulnerabilities in private repositories, but what about vulnerabilities in open source? As we’ve seen with Log4j, a vulnerability anywhere can quickly become a vulnerability everywhere. As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe it is important to be both a responsible consumer of open source software and a contributor back to it, which is why open source maintainers can already use GitHub’s code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we’re thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects.

Move fast and fix things

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden. Experienced security talent is in short supply, but with Copilot Autofix at your side, every developer benefits from security expertise whenever they need it. Security becomes simply synonymous with software development.

And this is just the beginning. From GitHub Copilot Workspace to GHAS, we’re championing a future where AI doesn’t just assist but helps transform businesses, from productivity and innovation to security and risk reduction. Within GHAS, we’re leveraging AI not only to help fix vulnerabilities in code, but also to improve the scope and accuracy of secret scanning, and with new workflows that scale Copilot Autofix for organizations with a high volume of security debt, all on the familiar platform that developers already know and love.

With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Tags:

  • GitHub Advanced Security

Written by


Mike Hanley

@mph4

Mike Hanley is the Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.

When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and eight kids.
