
Found means fixed: Secure code more than three times faster with Copilot Autofix

September 3, 2024


Developers are shipping software faster than previously imagined and are releasing new features early and often. But despite all efforts to program securely, software vulnerabilities are inadvertently making their way into production and are still one of the main causes of security breaches today. To make matters worse, many developers have difficulty understanding and implementing security requirements. This makes it harder to achieve good security outcomes and leads to more vulnerabilities being disclosed to the public.

While code scanning tools can identify vulnerabilities, they do not solve the underlying problem: fixing them requires security expertise and time, two valuable resources that are currently in short supply. In other words, the problem is not finding vulnerabilities, but fixing them.

That’s why today we’re announcing the general availability of AI-powered remediation with Copilot Autofix in GitHub Advanced Security (GHAS). Copilot Autofix analyzes vulnerabilities in code, explains why they’re important, and offers code suggestions to help developers fix vulnerabilities as quickly as they’re found. During the public beta, we found that developers fix code vulnerabilities more than three times faster than those who do it manually, a striking example of how AI agents can radically simplify and accelerate secure software development.

With Copilot Autofix in the pull request, developers can keep new vulnerabilities out of their code and now also reduce the backlog of security debt by generating fixes for existing vulnerabilities.

Let’s get started.

If you are already a GHAS customer on GitHub Enterprise Cloud, Copilot Autofix is now included in your GHAS subscription. We have enabled Copilot Autofix for you by default in your GHAS code scanning settings.

If you are not a GHAS customer, you can find more information here or talk to your GitHub representative about a trial.

Keep new vulnerabilities out of the code

Since its introduction in public beta in March 2024, developers have used Copilot Autofix in their pull requests to quickly fix vulnerabilities in new code before it is deployed to production and can impact customers. For dozens of code vulnerability classes, such as SQL injection and cross-site scripting, fixes can be generated that developers can dismiss, edit, or commit in their pull request.

Based on customer data from our public beta between May and July 2024, Copilot Autofix has already demonstrated a dramatic reduction in the time between detection and successful remediation:

Based on new code scanning alerts found by CodeQL in pull requests in repositories with GitHub Advanced Security enabled:
  • 3x faster. Overall, the average time it took developers to commit a pull request alert fix using Copilot Autofix was 28 minutes, compared to 1.5 hours to manually resolve the same alerts.
  • 7x faster. Cross-site scripting vulnerabilities: 22 minutes, compared to nearly three hours.
  • 12x faster. SQL injection vulnerabilities: 18 minutes, compared to 3.7 hours.

Early users of Copilot Autofix also reported dramatic improvements in efficiency and productivity:

Pay off your security debt arrears

Just as GitHub Copilot helps developers code faster, Copilot Autofix speeds up the remediation of these issues, so security teams can make real progress in reducing existing vulnerabilities (commonly known as security debt).

Vulnerabilities can persist forever, and the longer they go undetected, the harder and more expensive they are to fix. When a developer is asked to fix vulnerabilities in code they haven’t seen in a while or are unfamiliar with, it can take hours to evaluate the surrounding code and experiment with manual fixes. Copilot Autofix significantly reduces this effort, allowing developers to fix old vulnerabilities faster and more reliably.

Here’s how it works: To launch Copilot Autofix for vulnerabilities in existing code, simply press the “Generate Fix” button on an alert in the GHAS code scanning alert view. Copilot Autofix assesses the code and vulnerability and returns an explanation and a code suggestion for review. The developer can then press the “Create PR with Fix” button to create a new pull request containing the code changes that fix the alert. With Copilot Autofix, teams can eliminate years of security debt – even the hard-to-prioritize low and medium severity alerts – with just a few clicks.

Copilot Autofix takes on the heavy lifting of security tasks, ensuring our existing and new code is always as secure as possible. Vulnerabilities are flagged immediately and code changes are automatically recommended, freeing up our teams to focus on more strategic initiatives.

– Mario Landgraf, Community Manager, Security // Otto (GmbH & Co KG)

Copilot Autofix in action

Behind the scenes, Copilot Autofix uses the CodeQL engine, GPT-4o and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. Copilot Autofix builds an LLM prompt from sources such as the CodeQL analysis results and short code snippets around the vulnerable data flow path.

Securing open source

Copilot Autofix reduces the time and effort required to fix vulnerabilities in private repositories, but what about vulnerabilities in open source? As we saw with Log4j, a vulnerability anywhere can quickly become a vulnerability everywhere. As the global home of the open source community, GitHub is uniquely positioned to help maintainers identify and fix vulnerabilities to make open source software more secure and reliable for everyone. We strongly believe that it is extremely important to be both a responsible consumer of open source software and a contributor to it, which is why open source maintainers already benefit from GitHub’s code scanning, secret scanning, dependency management and private vulnerability reporting tools for free. Starting in September, we are excited to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects.

Act quickly and fix things

While the responsibility for software security still rests on the shoulders of developers, we believe AI agents can take much of that burden off their shoulders. Experienced security talent is in short supply, but with Copilot Autofix by your side, every developer benefits from security expertise whenever they need it. Security simply becomes synonymous with software development.

And that’s just the beginning. From GitHub Copilot Workspace to GHAS, we are committed to a future where AI not only helps, but transforms businesses, from productivity and innovation to security and risk reduction. In GHAS, we use AI not only to fix vulnerabilities in code, but also to increase the scope and accuracy of secret scanning, and with new workflows that scale Copilot Autofix for organizations with high volumes of security debt, all on the familiar platform developers already know and love.

With Copilot Autofix we have come one step closer to our vision: A vulnerability found means a vulnerability fixed.

If you are already a GHAS customer on GitHub Enterprise Cloud, we have already enabled Copilot Autofix for you by default in your GHAS settings. If you are not a GHAS customer, you can find more information here or talk to your GitHub representative. We’re on call.

Written by

Michael Hanley

Mike Hanley is Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. Following Cisco’s acquisition of Duo for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the U.S. Department of Defense and the intelligence community.

When Mike isn’t talking about security at GitHub, he spends his vacations with his wife and eight children in Ann Arbor, Michigan.
