GitHub, the distributed version control and collaboration platform company, has come forward with its new Copilot Autofix tool. This AI-driven software service is aimed at developers who need to address vulnerabilities in code destined for traditional applications as well as applications that incorporate new or existing forms of AI.
Copilot Autofix sits within the GitHub Advanced Security (GHAS) product grouping. First mentioned in the spring of this year, the technology was in public beta before progressing this month to a full release.
This first full release is built on GitHub’s CodeQL scanning engine, a code analysis engine developed by GitHub to automate security checks so that developers can analyze code and display the results as code scanning alerts. It also uses GPT-4o, a multimodal large language model that offers real-time conversation and text generation. Copilot Autofix additionally applies heuristics, and it exposes its own set of APIs so that teams can integrate its toolset and generate code suggestions (and code snippets) to fix and remediate vulnerabilities. Developers can accept, edit or reject any suggestion made.
Found Yes, Fixed Maybe
“Code scanning tools detect vulnerabilities but they don’t address the fundamental problem [of fixing software]: Remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn’t the problem. Fixing them is,” said Mike Hanley, chief security officer and senior vice president of engineering at GitHub.
GitHub’s newly minted “Found Means Fixed” tagline speaks to this exact point: Hanley says that Copilot Autofix analyzes vulnerabilities in code, explains why they matter… and offers code suggestions that help developers fix vulnerabilities as fast as they are found.
“During the public beta, we found that developers were fixing code vulnerabilities more than three times faster than those who do so manually, a powerful example of how AI agents can radically simplify and accelerate secure software development,” enthused Hanley. “Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities.”
The GitHub GHAS division said it has big plans for Copilot Autofix and its related platform toolsets. Today it is working to improve the scope and accuracy of “secret scanning”. The organization defines secret scanning as a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens and other secrets in a DevOps team’s code repository. In GitHub’s approach, secret scanning checks code commits in repositories for known types of secrets so that repository administrators can be alerted upon detection. GitHub’s Hanley has also said that the team is developing new workflows that scale Copilot Autofix for organizations with a high volume of security debt, all on familiar developer platforms.
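As an added illustration of the secret-scanning idea described above (example code written for this article, not GitHub’s implementation or its pattern set), the following Python script examines only the added lines of a unified diff for a few known secret formats and reports the file and line of each hit, skipping obvious placeholders. The rule set is an assumed minimal one, and the sample diff and every token value in it are constructed dummies.

```python
import re
# Assumed minimal rule set (not GitHub's): two documented token formats plus a generic
# "secret-looking name assigned a string literal" rule. Dict order is priority.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Obvious placeholders are skipped so nobody gets paged for "changeme".
PLACEHOLDER = re.compile(r"(?i)^(x+|\*+|<[^>]+>|changeme|example|dummy|test)$")

def scan_diff(diff_text):
    """Return (file, new_line_no, rule, value) for each secret on an added line."""
    findings, current_file, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = re.sub(r"^b/", "", raw[4:])
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the new-file line number where the hunk starts
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            line = raw[1:]
            for rule, pattern in SECRET_PATTERNS.items():
                hits = [m.group(m.lastindex or 0) for m in pattern.finditer(line)]
                hits = [v for v in hits if not PLACEHOLDER.match(v)]
                if hits:  # first (most specific) rule that hits wins for this line
                    findings.extend((current_file, new_line, rule, v) for v in hits)
                    break
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # unchanged context line also advances the new-file counter
    return findings

# Constructed sample diff; every value below is a dummy, not a real credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+API_KEY = "sk-live-0123456789abcdef"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF): print(*f[:3], "(value redacted)")
```

Hooking such a check into a pre-receive or pull-request stage is what turns a detection into a block before the secret ever lands in history.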
With initial support for JavaScript, TypeScript, Java and Python, Copilot Autofix is now reported to also support C#, C/C++, Go, Kotlin, Swift and Ruby. It is available free to developers working on open source projects; paying GitHub Enterprise Cloud customers who subscribe to GHAS will find Copilot Autofix enabled by default in their GHAS settings.
AI for Good, for Good?
Given the speed at which modern DevOps teams must attempt to create working software and the ever-present fact that not every group will have a security guru, GitHub says the market is ripe for an AI-fuelled tool capable of remediation at this level. At a time when less technical businesspeople are “worried about the impact of AI”, this is perhaps a good example of automation intelligence being used to fix problems rather than create new ones.