GitHub’s Copilot Autofix triples vulnerability remediation speed

Sep 02, 2024

Shipping software quickly often comes at the cost of security, with vulnerabilities inadvertently making their way into production code. This poses a significant challenge, as many developers find security requirements complex and difficult to implement.

“Developers are shipping software faster than previously imaginable, releasing new features early and often. Yet, despite their best efforts to code securely, software vulnerabilities inadvertently make their way into production and continue to be a leading cause of breaches today,” explains Mike Hanley, CSO and SVP of Engineering at GitHub.

While code scanning tools can detect these vulnerabilities, the real bottleneck lies in remediation. Addressing these issues requires specialised security knowledge and significant time investments, two resources often in short supply.

To tackle this challenge, GitHub has announced the general availability of Copilot Autofix within GitHub Advanced Security (GHAS). This AI-powered tool analyses vulnerabilities, explains their significance, and suggests code-level fixes, dramatically accelerating the remediation process.

“During the public beta, we found that developers were fixing code vulnerabilities more than three times faster than those who do so manually, a powerful example of how AI agents can radically simplify and accelerate secure software development,” says Hanley.

Data from May to July 2024 reveals significant reductions in time-to-remediation:

  • Overall: Median fix time dropped from 1.5 hours to 28 minutes.
  • Cross-site scripting: Remediation time shrank from almost three hours to just 22 minutes.
  • SQL injection: Fixes were implemented in 18 minutes, down from a staggering 3.7 hours.

These efficiency gains have translated into tangible benefits for early adopters. Kevin Cooper, Principal Engineer at Optum, reports a “60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity.”

The benefits of Copilot Autofix extend beyond addressing new vulnerabilities; it also tackles the often-dreaded backlog of existing security debt. This accumulation of unaddressed vulnerabilities can plague organisations for years, becoming increasingly difficult and costly to fix over time.

Copilot Autofix provides a solution by analysing existing code, identifying vulnerabilities, and offering code-level fixes with a simple click. This empowers developers to address security debt swiftly and effectively, even for low and moderate severity alerts that often get deprioritised.

“Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible,” says Mario Landgraf, Community Manager, Security at Otto. “Vulnerabilities are flagged immediately and code changes are recommended automatically. It helps our teams to free up time so they can focus on more strategic initiatives.”

By leveraging the CodeQL engine, GPT-4o, and GitHub Copilot APIs, Copilot Autofix provides developers with readily accessible security expertise. This empowers them to not only fix vulnerabilities but to understand the underlying issues and implement secure coding practices.

Recognising the importance of open-source security, GitHub is extending Copilot Autofix’s benefits to the open-source community. Starting in September, all open-source projects will have free access to Copilot Autofix within pull requests, further bolstering the security of the software ecosystem.

With Copilot Autofix, GitHub aims to make security an integral part of the development process, not a separate and daunting task. By providing developers with AI-powered tools and readily available expertise, it is striving to make “vulnerability found” synonymous with “vulnerability fixed.”
