# About autofix for code scanning

Autofix provides targeted recommendations to help you fix code scanning alerts and avoid introducing new security vulnerabilities.

Autofix provides you with targeted recommendations to help you fix code scanning alerts so you can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from code scanning analysis.

## How autofix works

Autofix translates the description and location of a code scanning alert into code changes that may fix it. It interfaces with the large language model GPT-5.3-Codex from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.

There are two ways to get a fix for an alert: agentic autofix and Автофикс второго пилота. If Copilot облачный агент is available in a repository, assigning an alert uses agentic autofix instead of Автофикс второго пилота.

## Agentic autofix

> \[!NOTE] This feature is currently in public preview and is subject to change.

Assign a code scanning alert to Copilot to have it resolve the alert for you. Assigning an alert starts an agent session: Copilot облачный агент calls tools to explore your codebase beyond the affected file, generates a fix, validates it (for example, by re-running CodeQL), and iterates until it opens a pull request with the changes. See [Разрешение оповещений сканирования кода](/ru/enterprise-cloud@latest/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/resolve-alerts#fixing-alerts-with-copilot).

Keep the following in mind:

* Agentic autofix requires Copilot облачный агент and Автофикс второго пилота to be available in the repository. If Copilot облачный агент isn't available, assigning an alert falls back to Автофикс второго пилота instead.
* Each agentic autofix session is billed as a Copilot облачный агент session and consumes AI credits. See [О облачном агенте GitHub Copilot](/ru/enterprise-cloud@latest/copilot/concepts/agents/cloud-agent/about-cloud-agent#copilot-cloud-agent-usage-costs).
* Copilot follows any custom instructions configured for the repository or organization when it generates a fix.
* Agentic autofix works on a best-effort basis. Copilot validates fixes by re-running CodeQL using the code-scanning query suite, so it can't confirm that a fix resolves alerts generated by custom queries or the security-extended query suite. Fix quality for alerts from third-party tools is also not guaranteed.

## Getting a suggested fix with Автофикс второго пилота

Автофикс второго пилота generates a single suggested fix for an alert, which you review and apply yourself.

You do not need a subscription to GitHub Copilot to use Автофикс GitHub Copilot, and it does not consume AI credits. Автофикс второго пилота is available to all public repositories on GitHub.com, as well as internal or private repositories owned by organizations and enterprises that have a license for GitHub Code Security.

Автофикс второго пилота is allowed by default and enabled for every repository that uses CodeQL, regardless of whether it uses default or advanced setup for code scanning. There is no separate step to enable Автофикс второго пилота: enabling code scanning with CodeQL is sufficient. See [Настройка настройки по умолчанию для сканирования кода](/ru/enterprise-cloud@latest/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning).

Administrators at the enterprise, organization, and repository levels can choose to disable Автофикс второго пилота. If Автофикс второго пилота has been disabled at your level, you can re-enable it by following the same steps used to disable it and selecting the option to allow Автофикс второго пилота. To learn how to manage Автофикс второго пилота at each level, see [Отключение Autofix Copilot для оповещений о безопасности сканирования кода](/ru/enterprise-cloud@latest/code-security/how-tos/manage-security-alerts/manage-code-scanning-alerts/disabling-autofix-for-code-scanning).