Skip to main content

Responsible use of Copilot Autofix for code scanning

Learn how GitHub uses AI to suggest potential fixes for code scanning alerts and find out how best to mitigate limitations in the AI suggestions.

누가 이 기능을 사용할 수 있나요?

code scanning에 대한 GitHub Copilot Autofix은(는) GitHub.com의 모든 퍼블릭 리포지토리에서 사용할 수 있습니다. code scanning에 대한 GitHub Copilot Autofix은(는) 또한 GitHub Enterprise Cloud를 사용하고 GitHub Advanced Security에 대한 라이선스가 있는 조직이 소유한 프라이빗 리포지토리에서 사용할 수 있습니다. 자세한 내용은 "GitHub Advanced Security 정보" 항목을 참조하세요.

About Copilot Autofix for CodeQL code scanning

GitHub Copilot Autofix is an expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from CodeQL analysis.

Note

GitHub Copilot Autofix을(를) 사용하려면 GitHub Copilot에 대한 구독이 필요하지 않습니다. Copilot Autofix은(는) GitHub.com의 모든 퍼블릭 리포지토리에서 사용할 수 있습니다. 뿐만 아니라 GitHub Advanced Security에 대한 라이선스가 있는 GitHub Enterprise Cloud Enterprise의 프라이빗 리포지토리에서도 사용할 수 있습니다.

Copilot Autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Copilot Autofix uses internal GitHub Copilot APIs interfacing with the large language model GPT-4o from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.

While Copilot Autofix is allowed by default and enabled for every repository using CodeQL, you can choose to opt out and disable Copilot Autofix. To learn how to disable Copilot Autofix at the enterprise, organization and repository levels, see "코드 검사에 대한 Copilot Autofix 사용 중지."

In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "보안 인사이트 보기" in the GitHub Enterprise Cloud documentation.

Developer experience

Code scanning users can already see any security alerts detected by CodeQL to analyze their pull requests. However, developers often have little training in code security so fixing these alerts requires substantial effort. They must first read and understand the alert location and description, and then use that understanding to edit the source code to fix the vulnerability.

Copilot Autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer. Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase. The developer evaluates the potential fix to determine whether it is the best solution for their codebase and to ensure that it maintains the intended behavior.

After committing a suggested fix or modified fix, the developer should always verify that continuous integration testing (CI) for the codebase continues to pass and that the alert is shown as resolved before they merge their pull request.

Supported languages

Copilot Autofix supports fix generation for a subset of queries included in the default and security-extended query suites for C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python 및 Ruby. For more information on these query suites, see "CodeQL 쿼리 도구 모음."

Suggestion generation process

When Copilot Autofix is enabled for a repository, code scanning alerts that are identified by supported CodeQL queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown as a suggestion.

GitHub sends the LLM a variety of data from the CodeQL analysis.

  • CodeQL alert data in SARIF format. For more information, see “코드 검사에 대한 SARIF 지원.”
  • Code from the current version of the branch.
    • Short snippets of code around each source location, sink location, and any location referenced in the alert message or included on the flow path.
    • First ~10 lines from each file involved in any of those locations.
  • Help text for the CodeQL query that identified the problem. For examples, see “CodeQL query help.”

Any Copilot Autofix suggestions are generated and stored within the code scanning backend. They are displayed as suggestions. No user interaction is needed beyond enabling code scanning on the codebase and creating a pull request.

The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with GitHub Advanced Security. Moreover, data handled by Copilot Autofix is strictly not employed for LLM training purposes. For more information on GitHub Advanced Security terms and conditions, see "GitHub 추가 제품 및 기능 약관."

Quality of suggestions

GitHub uses an automated test harness to continuously monitor the quality of suggestions from Copilot Autofix. This allows us to understand how the suggestions generated by the LLM change as the model develops.

The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, suggestions generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.

In addition, the system is stress-tested to check for any potential harm (often referred to as red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions being displayed to users.

How GitHub tests suggestions

We test the effectiveness of suggestions by merging all suggested changes, unedited, before running code scanning and the repository's unit tests on the resulting code.

  1. Was the code scanning alert fixed by the suggestion?
  2. Did the fix introduce any new code scanning alerts?
  3. Did the fix introduce any syntax errors that CodeQL can detect?
  4. Has the fix changed the output of any of the repository tests?

In addition, we spot check many of the successful suggestions and verify that they fix the alert without introducing new problems. When one or more of these checks failed, our manual triage showed that in many cases the proposed fix was nearly correct but needed some minor modifications that a user could identify and manually perform.

Effectiveness on other projects

The test set contains a broad range of different types of projects and alerts. We predict that suggestions for other projects using languages supported by Copilot Autofix should follow a similar pattern.

  • Copilot Autofix is likely to add a code suggestion to the majority of alerts.
  • When developers evaluate the suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
  • A small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability.

However, each project and codebase is unique, so developers may need to edit a larger percentage of suggested fixes before committing them. Copilot Autofix provides valuable information to help you resolve code scanning alerts, but ultimately it remains your responsibility to evaluate the proposed change and ensure the security and accuracy of your code.

Note

Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no suggestion is displayed.

Limitations of suggestions

When you review a suggestion from Copilot Autofix, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling Copilot Autofix for code scanning. For more information, see "Mitigating the limitations of suggestions."

Limitations of code suggestions

  • Human languages: The system primarily uses English data, including the prompts sent to the system, the code seen by the LLMs in their datasets, and the test cases used for internal evaluation. Suggestions generated by the LLM may have a lower success rate for source code and comments written in other languages and using other character sets.
  • Syntax errors: The system may suggest fixes that are not syntactically correct code changes, so it is important to run syntax checks on pull requests.
  • Location errors: The system may suggest fixes that are syntactically correct code but are suggested at the incorrect location, which means that if a user accepts a fix without editing the location they will introduce a syntax error.
  • Semantic errors: The system may suggest fixes that are syntactically valid but that change the semantics of the program. The system has no understanding of the programmer or codebase’s intent in how the code should behave. Having good test coverage helps developers verify that a fix does not change the behavior of the codebase.
  • Security vulnerabilities and misleading fixes: The system may suggest fixes that fail to remediate the underlying security vulnerability and/or introduce new security vulnerabilities.
  • Partial fixes: The system may suggest fixes that only partially address the security vulnerability, or only partially preserve the intended code functionality. The system sees only a small subset of the code in the codebase and does not always produce globally optimal or correct solutions.

Limitations of dependency suggestions

Sometimes a suggested fix includes a change in the dependencies of the codebase. If you use a dependency management system, any changes will be highlighted automatically for the developer to review. Before merging a pull request always verify that any dependency changes are secure and maintain the intended behavior of the codebase.

  • New or updated dependencies: The system may suggest adding or updating software dependencies as part of a suggested fix. For example, by suggesting changing the package.json file for JavaScript projects to add dependencies from npm.
  • Unsupported or insecure dependencies: The system does not know which versions of an existing dependency are supported or secure.
  • Fabricated dependencies: The system has incomplete knowledge of the dependencies published in the wider ecosystem. This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.

Mitigating the limitations of suggestions

The best way to mitigate the limitations of suggestions from Copilot Autofix is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “종속성 검토 정보.”

It is important to remember that the author of a pull request retains responsibility for how they respond to review comments and suggested code changes, whether proposed by colleagues or automated tools. Developers should always look at suggestions for code changes critically. If needed, they should edit the suggested changes to ensure that the resulting code and application are correct, secure, meet performance criteria, and satisfy all other functional and non-functional requirements for the application.

Next steps