Found means fixed: Secure code more than three times faster with Copilot Autofix

Copilot Autofix takes care of cumbersome security tasks, ensuring our existing and new code is always as secure as possible. Vulnerabilities are flagged immediately and code changes are recommended automatically. It helps our teams to free up time so they can focus on more strategic initiatives.

Copilot Autofix in action

Behind the scenes, Copilot Autofix leverages the combination of heuristics and GitHub Copilot APIs to generate code suggestions. Copilot Autofix builds an LLM prompt based on sources including CodeQL analysis and short snippets of code around the flow path.

Securing open source

Copilot Autofix reduces the time and effort required to remediate vulnerabilities in private repositories, but what about vulnerabilities in open source? As we’ve seen with Log4j, a vulnerability anywhere can quickly become a vulnerability everywhere. As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it’s highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub’s private vulnerability reporting tools at no cost. Starting in September, we’re thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects.

Move fast and fix things

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden. Experienced security talent is in short supply, but with Copilot Autofix at your side, every developer benefits from security expertise whenever they need it. Security becomes simply synonymous with software development.

And this is just the beginning. From GitHub secret scanning, and with new workflows that scale Copilot Autofix for organizations with a high volume of security debt, all on the familiar platform that developers already know and love.

With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Written by

Mike Hanley

@mph4

Mike Hanley is the Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.

When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and eight kids.