November 10, 2023 at 07:59AM
GitHub has introduced a new code scanning autofix feature as part of its Advanced Security program. The feature uses CodeQL, GitHub’s static-analysis scanner, to identify critical vulnerabilities in code and suggest fixes. This AI-powered tool aims to reduce developers’ time spent on fixing issues and improve the efficiency of vulnerability remediation. Other companies in the industry, such as Veracode and startup firms like Mobb and Vicarius, are also leveraging AI to address software vulnerabilities. The use of generative AI capabilities can greatly enhance developers’ productivity and testing coverage. However, there are challenges associated with AI systems, such as the potential for bad suggestions and the need for human validation. Nonetheless, the integration of AI into developers’ workflow is expected to increase, enabling better security practices and reducing friction in vulnerability triage and remediation processes.
The article discusses GitHub’s new code scanning autofix feature, an AI-powered tool for software developers. The feature lets developers scan their code with GitHub’s static-analysis scanner, CodeQL, and suggests fixes for critical vulnerabilities. The goal is to reduce the time it takes to remediate vulnerabilities by automatically finding and fixing issues. GitHub has tuned the set of queries presented to developers so that they are interrupted only when there is high confidence that a problem needs to be addressed. This approach aligns with other application-security firms that are also using AI platforms to fix vulnerabilities.
In addition to GitHub, other companies, both established players like Veracode and startups like Mobb and Vicarius, are leveraging generative AI and ChatGPT to offer bug-fixing services. These tools aim to address the security debt faced by developers and application-security professionals. By automating the process of triaging and fixing vulnerabilities, developers can become more efficient and save time. According to initial research by Forrester Research, developers can be 15% to 30% more productive in writing and fixing code with the help of AI capabilities.
While there are productivity gains and potential benefits, it is important to keep human review in the development process. Developers should expect to see more AI capabilities integrated into their workflow, including security embedded in the integrated development environment (IDE), AI checks of pull requests, and reduced friction in vulnerability triage and fixing. GitHub is focused on bringing security capabilities to developers where they work.
However, there are concerns regarding the reliability of current AI systems. Generative AI systems may make connections between unrelated information, leading to inaccurate suggestions for code fixes. Developers and corporate boards have expressed concerns about the use of AI in development and business, respectively.
Overall, it is anticipated that AI will become an integral part of every developer’s experience, and it is not a matter of if, but when. Companies like Vicarius have a vision of building AI agents that can autonomously fix software, ultimately increasing cybersecurity hygiene in a scalable and efficient manner.