Code scanning autofix: Preview Feedback and Resources

[turbo]

Welcome to the preview for code scanning autofix!

Autofix is an AI-powered expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from CodeQL analysis.

Read our announcement blog here

This discussion is the place to provide feedback and ask questions about autofix.

Status

Autofix is available to all GitHub Advanced Security (GHAS) customers. Fix suggestions are available on private repositories with a working code scanning configuration.

Capabilities

Fix suggestions are currently generated for nearly all supported security queries for JavaScript/TypeScript, Java, Python, and C#. We will be adding support for more languages soon. Only new alerts on Pull Requests are considered.

To learn more about the capabilities, limitations, and fix generation process, please refer to our public transparency documentation.

For a more hands-on demo of autofix, take a look at this 5-minute walkthrough we've put together.

[samigt]

Love the feature, a couple of questions:

1. How can I easily find the PRs on which the bot added a comment to assess it ?
2. How can I know how many devs accepted the suggestions vs not ?

[AlonaHlobina]

Thanks for your feedback! The Security Overview tab only shows the number of autofixes generated per organisation at the moment. We are working on adding more information soon.

[quinncomendant]

When can independent open source maintainers get their hands on this lovely tool? After reading the announcement post, it seems it's intended for enterprise customers?

[AlonaHlobina]

We appreciate your interest, @quinncomendant!
You are right. The feature is available to private repositories that are part of Advanced Security. We do not plan on shipping it to open source at the moment.

[carlspring]

@AlonaHlobina ,

I think that you guys should consider creating a separate plan for security researchers / engineers, so that the pricing is more reasonable. Otherwise, for a single such engineer one would have to get an Enterprise account (with one user) and pay the GHAS per month. A lot of us are actually working for large corporations which are eager to adopt such funcitonality and we are sort of your "promoters".

[nalbion]

How do you create the ````suggestion` with "Outside changed files" targeting line 16 of package.json?

[turbo]

This is part of the native integration of code scanning and autofix into the GitHub PR experience. As far as I know, this is not available as a feature for user-generated PR suggestions - that request is tracked here: https://github.com/orgs/community/discussions/9099

[ben-wilson-peak]

Hi, great to see this shipped! I hope eventually we can see autofix suggestions directly in an alert and create a PR from there?

[turbo]

Autofixes for non-PR alerts is something we're actively working on - stay tuned 👍

[beingminimal]

@turbo can we use it with github enterprise plan in which we will have only 1 user/seat, and if not then why you guys are blocking this? Because nowadays in this Ai era everybody is talking about one person company powered by ai and we are not able to use such ai features for us...
can you please guide me to solve this?

[NickLiffen]

Hey @beingminimal 👋

Lovely to meet you! Thanks for raising the question, if you purchase GitHub Advanced Security on the Enterprise cloud plan, you should be able to purchase it with a minimum of 1 licence, as long as you purchase following the self-serve model, laid out here: https://docs.github.com/en/enterprise-cloud@latest/billing/managing-billing-for-github-advanced-security/signing-up-for-github-advanced-security, if you go here, and you see a minimum that isn't 1, please let us know.

Have a great week.

[beingminimal]

@NickLiffen but can i buy GitHub Advanced Security 1 seat licence if i have only 1 seat in github enterprise cloud plan or we required 10 min seat in github enterprise plan to buy 1 seat of GitHub Advanced Security?

[NickLiffen]

Hey @beingminimal 👋

Thanks again for the follow up

can i buy GitHub Advanced Security 1 seat licence if i have only 1 seat in github enterprise cloud plan

Yes, you can.

There is not a minimum seat requirement on either the GitHub enterprise plan, or GitHub Advanced Secuirty

[beingminimal]

is it for sure?

[turbo]

Yes. Refer to the docs above.

[jvilimek]

Fix suggestions are currently generated for nearly all supported security queries for JavaScript/TypeScript, Java, and Python. We will be adding support for more languages soon. Only new alerts on Pull Requests are considered.

Thanks for this new cool feature!

I am (and I believe many developers among us) looking for C# support. Is this something on the roadmap already? Where to get a notification after it's released?

[turbo]

C# and Go support will be released this calendar quarter and there'll be a changelog blog post for it in the CodeQL category on github.blog

[nalbion]

Nullify provide autofix suggestions for C# @jvilimek - https://www.nullify.ai/

[turbo]

We have just shipped autofix support for C#. It's also the first language that has autofix support for nearly all rules, including the Extended suite: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/csharp-built-in-queries#built-in-queries-for-c-analysis

[codesafe1]

I found that when multiple vulnerabilities were introduced in PR, the comment provided by github-advanced-security would summarize multiple vulnerabilities into a link, just like the screenshot [CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.], And it no longer provides autofix prompts for commit fixes. Is this the current function, and the automatic repair only takes effect when PR introduces a tiny alarm?

[adityasharad]

Thanks for asking. This is based on the number of alerts identified within the PR diff, and not the severity of an individual alert. When there are 20 or fewer alerts, code scanning renders those alerts as review comments within the PR review page, and autofixes will be generated for them if the alerts are supported by autofix. When there are more than 20 such alerts, the review comments are not created, and the alerts are only shown on the Files changed tab. Since there are no review comments for these alerts, autofix generation is also skipped, because the review comments are the currently-chosen location for rendering the autofix suggestions.

[Kevinf63]

This discussion is the place to provide feedback and ask questions about autofix.

Status

Autofix is available to all GitHub Advanced Security (GHAS) customers. Fix suggestions are available on private repositories with a working code scanning configuration.

Question! I'm wondering if and when this becomes available for its sister product, GitHub Advanced Security for Azure DevOps. What timeframe should we expect?

[AlonaHlobina]

Hi @Kevinf63,
There are no concrete plans to add the autofix feature to GitHub Advanced Security for Azure DevOps. Please keep tuned for updates.

[davewichers]

I have created several discussion posts related to CodeQL and AutoFix. They are here: "CodeQL XSS False Positives and XSS AutoFix incorrect location for defensive encoding" (#122802), here: "CodeQL Findings Should be Reported in Filename Order in Pull Requests" (#123182), and here: "Relate Adoption of suggested AutoFixes to CodeQL Findings" (#122838). Some feedback from the GitHub team on these suggested enhancements would be appreciated.

Also, rather than creating new Discussions like this, or posting comments here, is there a better/easier way to provide specific CodeQL/AutoFix feedback to the GitHub team, rather than in a public forum? For example, I adopted an AutoFix and it created a compilation error because one of the new methods in the AutoFix throws an additional type of Exception. I want to provide feedback on that specific issue, but posting those details here seems like not the right place for feedback that is super specific like this.

[turbo]

Hi, thank you for your feedback!

This discussion is the right place to publish public feedback about autofix, please do not open separate discussions as those aren't monitored by our team.

For CodeQL issues that are not related to autofix (or where this is unclear), please open an issue in our repo at https://github.com/github/codeql

For private or confidential issues or feedback, please open a support ticket. This will be routed to our team.

We also invite any active users of autofix to book a call with our team at https://gh.io/autofix-feedback-call which is routed directly to a Product Manager working on this feature.