Note: GitHub autofix for code scanning is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to JavaScript, TypeScript, Python, and Java alerts identified by CodeQL. If you have an enterprise account and use GitHub Advanced Security, your enterprise has access to the beta.
About autofix for CodeQL code scanning
Code scanning autofix is a GitHub Copilot-powered expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from CodeQL analysis.
Note: While code scanning autofix is powered by GitHub Copilot, your enterprise does not need a subscription to GitHub Copilot to use autofix. As long as your enterprise has GitHub Advanced Security, you will have access to autofix.
Code scanning autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal GitHub Copilot APIs and private instances of OpenAI large language models such as GPT-4, which have sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
In an organization's security overview dashboard, you can view the total number of autofix suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "Viewing security insights" in the GitHub Enterprise Cloud documentation.
Developer experience
GitHub Advanced Security users can already see any security alerts detected by code scanning using CodeQL to analyze their pull requests. However, developers often have little training in code security so fixing these alerts requires substantial effort. They must first read and understand the alert location and description, and then use that understanding to edit the source code to fix the vulnerability.
Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer. Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase. The developer evaluates the potential fix to determine whether it is the best solution for their codebase and to ensure that it maintains the intended behavior.
After committing a suggested fix or modified fix, the developer should always verify that continuous integration testing (CI) for the codebase continues to pass and that the alert is shown as resolved before they merge their pull request.
Supported languages
Code scanning autofix supports fix generation for a subset of queries included in the default query suite for JavaScript, TypeScript, Python, Java, and C#. For more information on the default query suite, see "CodeQL query suites."
Autofix generation process
When autofix is enabled for a repository, code scanning alerts that are identified in a pull request by supported CodeQL queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown in the pull request as a suggestion comment.
GitHub sends the LLM a variety of data from the pull request and from CodeQL analysis.
- CodeQL alert data in SARIF format. For more information, see “SARIF support for code scanning.”
- Code from the current version of the pull request branch.
- Short snippets of code around each source location, sink location, and any location referenced in the alert message or included on the flow path.
- First ~10 lines from each file involved in any of those locations.
- Help text for the CodeQL query that identified the problem. For examples, see “CodeQL query help.”
Any autofix suggestions are generated and stored within the code scanning backend. They are displayed as suggestion comments in the pull request. No user interaction is needed beyond enabling code scanning on the codebase and creating the pull request.
The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with GitHub Advanced Security. Moreover, data handled by code scanning autofix is strictly not employed for LLM training purposes. For more information on GitHub Advanced Security terms and conditions, see "GitHub Terms for Additional Products and Features."
Quality of autofix suggestions
GitHub uses an automated test harness to continuously monitor the quality of autofix suggestions. This allows us to understand how the autofix suggestions generated by the LLM change as the model develops.
The test harness includes a set of over 1,870 alerts from a diverse set of public repositories where the highlighted code has test coverage. Autofix suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, autofixes generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.
In addition, the system is stress-tested to check for any potential harm (often referred to as red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions being displayed to users.
How GitHub tests autofix suggestions
We test the effectiveness of autofix suggestions by merging all suggested changes, unedited, before running code scanning and the repository's unit tests on the resulting code.
- Was the code scanning alert fixed by the suggestion?
- Did the fix introduce any new code scanning alerts?
- Did the fix introduce any syntax errors that CodeQL can detect?
- Has the fix changed the output of any of the repository tests?
In addition, we spot check many of the successful suggestions and verify that they fix the alert without introducing new problems. When one or more of these checks failed, our manual triage showed that in many cases the proposed fix was nearly correct but needed some minor modifications that a user could identify and manually perform.
Effectiveness on other projects
The test set contains a broad range of different types of projects and alerts. We predict that autofixes for other projects using languages supported by autofix should follow a similar pattern.
- Autofix is likely to add a code suggestion to the majority of alerts.
- When developers evaluate the autofix suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
- A small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability.
However, each project and codebase is unique, so developers may need to edit a larger percentage of suggested fixes before committing them. Autofix provides valuable information to help you resolve code scanning alerts, but ultimately it remains your responsibility to evaluate the proposed change and ensure the security and accuracy of your code.
Note: Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no autofix suggestion is displayed.
Limitations of autofix suggestions
When you review an autofix suggestion, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling autofix for code scanning. For more information, see "Mitigating the limitations of autofix suggestions."
Limitations of autofix code suggestions
- Programming languages: A subset of programming languages is supported. Support for additional languages will be added, but there is no intention to provide support for all CodeQL languages.
- Human languages: The system primarily uses English data, including the prompts sent to the system, the code seen by the LLMs in their datasets, and the test cases used for internal evaluation. Suggestions generated by the LLM may have a lower success rate for source code and comments written in other languages and using other character sets.
- Syntax errors: The system may suggest fixes that are not syntactically correct code changes, so it is important to run syntax checks on pull requests.
- Location errors: The system may suggest fixes that are syntactically correct code but are suggested at the incorrect location, which means that if a user accepts a fix without editing the location they will introduce a syntax error.
- Semantic errors: The system may suggest fixes that are syntactically valid but that change the semantics of the program. The system has no understanding of the programmer or codebase’s intent in how the code should behave. Having good test coverage helps developers verify that a fix does not change the behavior of the codebase.
- Security vulnerabilities and misleading fixes: The system may suggest fixes that fail to remediate the underlying security vulnerability and/or introduce new security vulnerabilities.
- Partial fixes: The system may suggest fixes that only partially address the security vulnerability, or only partially preserve the intended code functionality. The system sees only a small subset of the code in the codebase and does not always produce globally optimal or correct solutions.
Limitations of autofix dependency suggestions
Sometimes a suggested fix includes a change in the dependencies of the codebase. If you use a dependency management system, any changes will be highlighted automatically for the developer to review. Before merging a pull request always verify that any dependency changes are secure and maintain the intended behavior of the codebase.
- New or updated dependencies: The system may suggest adding or updating software dependencies as part of a suggested fix. For example, by suggesting changing the
package.jsonfile for JavaScript projects to add dependencies from npm. - Unsupported or insecure dependencies: The system does not know which versions of an existing dependency are supported or secure.
- Fabricated dependencies: The system has incomplete knowledge of the dependencies published in the wider ecosystem. This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.
Mitigating the limitations of autofix suggestions
The best way to mitigate the limitations of autofix suggestions is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “About dependency review.”
It is important to remember that the author of a pull request retains responsibility for how they respond to review comments and suggested code changes, whether proposed by colleagues or automated tools. Developers should always look at suggestions for code changes critically. If needed, they should edit the suggested changes to ensure that the resulting code and application are correct, secure, meet performance criteria, and satisfy all other functional and non-functional requirements for the application.
Next steps
- "About code scanning alerts"
- Triaging code scanning alerts in pull requests in the GitHub Enterprise Cloud documentation